Create or remove a store

Use the Create Store task to configure additional stores. You can create as many stores as you need; for example, you can create a store for a particular group of users or to group together a specific set of resources.

To create a store, you identify and configure communications with the servers providing the resources that you want to make available in the store. Then, optionally, you configure remote access to the store through Citrix Gateway.

You can also create an unauthenticated store that allows for anonymous, or unauthenticated store. To create this type of store, select option Allow only unauthenticated users to access this store in the Store Name page. When you create an unauthenticated store, the Authentication Methods and Remote Access pages are not available. For unauthenticated stores, Server Group Node in the left and Action panes is replaced by Change Base URL. The only option available is to change the base URL, because server groups are not available in nondomain-joined servers.

Important:

In multiple server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that the Citrix StoreFront management console is not running on any of the other servers in the deployment. Once complete, propagate your configuration changes to the server group so that the other servers in the deployment are updated.

Add desktops and applications to the store

  1. On the Windows Start screen or Apps screen, locate and click the Citrix StoreFront tile.

  2. Select the Stores node in the left pane of the Citrix StoreFront management console and, in the Actions pane, click Create Store.

  3. On the Store Name page, specify a name for your store and click Next.

    Store names appear in Citrix Workspace app under users’ accounts, so choose a name that gives users information about the content of the store.

  4. On the Delivery Controllers page, list the infrastructure providing the resources that you want to make available in the store. Click Add.

  5. In the Add Delivery Controller dialog box, specify a Display name that will help you to identify the deployment. Specify Type to indicate how the resources made available in the store are provided. Type defaults to Citrix Virtual Apps and Desktops. XenApp 6.5 is available as a Type, however it reached End of Life in June 2018, and is now covered by the Extended Support Program.

  6. To make desktops and applications provided by Citrix Virtual Apps and Desktops and XenApp 6.5 available in the store, add the names or IP addresses of your servers to the Servers list. Specify multiple servers to enable fault tolerance, listing the entries in order of priority to set the failover sequence. For Citrix Virtual Apps and Desktops sites, give details of Delivery Controllers. In the case of XenApp 6.5 farms, list servers running the Citrix XML Service.

  7. Select from the Transport type list the type of connections for StoreFront to use for communications with the servers.

    • To send data over unencrypted connections, select HTTP. If you select this option, you must make your own arrangements to secure connections between StoreFront and your servers.
    • To send data over secure HTTP connections using Transport Layer Security (TLS), select HTTPS. If you select this option for Citrix Virtual Apps and Desktops servers, ensure that the Citrix XML Service is set to share its port with Microsoft Internet Information Services (IIS) and that IIS is configured to support HTTPS.
    • To send data over secure connections to XenApp 6.5 servers using the SSL Relay to perform host authentication and data encryption, select SSL Relay.

      Note:

      If you are using HTTPS or the SSL Relay to secure connections between StoreFront and your servers, ensure that the names you specify in the Servers list match exactly (including the case) the names on the certificates for those servers.

  8. Specify the Port for StoreFront to use for connections to the servers. The default port is 80 for connections using HTTP and the SSL Relay, and 443 for HTTPS connections. In the case of Citrix Virtual Apps and Desktops servers, the specified port must be the port used by the Citrix XML Service.

  9. If you are using the SSL Relay to secure connections between StoreFront and XenApp 6.5 servers, specify the TCP port of the SSL Relay in SSL Relay port. The default port is 443. Ensure that all the servers running the SSL Relay are configured to monitor the same port.

  10. Click OK. You can configure stores to provide resources from any mixture of Citrix Virtual Apps and Desktops deployments. Repeat Steps 4 to 10, as necessary, to list additional deployments providing resources for the store. When you have added all the required resources to the store, click Next.

  11. On the Remote Access page, specify whether and how users connecting from public networks can access the store through Citrix Gateway.

    • To make the store unavailable to users on public networks, do not check Enable Remote Access. Only local users on the internal network will be able to access the store.
    • To enable remote access, select Enable Remote Access.
      • To make only resources delivered through the store available through Citrix Gateway, select No VPN tunnel. Users log on using either ICAProxy or clientless VPN (cVPN) to Citrix Gateway and do not need to use the Citrix Gateway plug-in to establish a full VPN.
      • To make the store and other resources on the internal network available through a Secure Sockets Layer (SSL) virtual private network (VPN) tunnel, select Full VPN tunnel. Users require the Citrix Gateway plug-in to establish the VPN tunnel.

      When you enable remote access to the store, the Pass-through from Citrix Gateway authentication method is automatically enabled. Users authenticate to Citrix Gateway and are automatically logged on when they access their stores.

  12. If you enabled remote access, in the Citrix Gateway appliances list, select from the appliances (deployments) through which users can access the store. Any deployments you configured previously for this and other stores are available for selection in the list. If you enable access through multiple appliances by selecting more than one entry in the list, specify the Default appliance to be used to access the store. To add further appliances to the list, follow the process described in Provide remote access to the store through Citrix Gateway.

  13. On the Authentication Methods page, select the methods your users will use to authenticate to the store and click Next. You can select from the following methods:

    • Username and password: Users enter their credentials and are authenticated when they access their stores.
    • SAML Authentication: Users authenticate to an Identity Provider and are automatically logged on when they access their stores.
    • Domain pass-through: Users authenticate to their domain-joined Windows computers and their credentials are used to log them on automatically when they access their stores.
    • Smart card: Users authenticate using smart cards and PINs when they access their stores.
    • HTTP basic: Users authenticate with the StoreFront server’s IIS web server.
    • Pass-through through Citrix Gateway: Users authenticate to Citrix Gateway and are automatically logged on when they access their stores. This is automatically checked when the remote access is enabled.1. On the Configure Password Validation page, select the Delivery Controllers to provide the password validation, click Next.
  14. On the XenApp Services URL page, configure the URL for users who use PNAgent to access application and desktops and click Create.

  15. When the store has been created, click Finish.

Accessing the store

Your store is now available for users to access with Citrix Workspace app, which must be configured with access details for the store. There are a number of ways in which you can provide these details to users to make the configuration process easier for them. For more information, see User access options.

Alternatively, users can access the store through the Receiver for Web site, which enables users to access their desktops and applications through a webpage. The URL for users to access the Receiver for Web site for the new store is displayed when you create the store.

When you create a new store, the XenApp Services URL is enabled by default. Users of domain-joined desktop appliances and repurposed PCs running the Citrix Desktop Lock, along with users who have older Citrix clients that cannot be upgraded, can access stores directly using the XenApp Services URL for the store. The XenApp Services URL has the form http[s]://serveraddress/Citrix/storename/PNAgent/config.xml, where serveraddress is the FQDN of the server or load balancing environment for your StoreFront deployment and storename is the name you specified for the store in Step 3.

Provide remote access to the store through Citrix Gateway

Complete the following steps to configure remote access through Citrix Gateway to the store that you created in the previous procedure. It is assumed that you have completed all the preceding steps.

  1. On the Remote Access page of the Create Store wizard, click Add.

  2. In the Add Citrix Gateway Appliance dialog, on the General Settings page, specify a Display name for the Citrix Gateway appliance that will help users to identify it.

    Users see the display name you specify in Citrix Workspace app, so include relevant information in the name to help users decide whether to use that gateway. For example, you can include the geographical location in the display names for your Citrix Gateway deployments so that users can easily identify the most convenient or closest gateway to their location.

  3. For Citrix Gateway URL, type the URL:port combination of the Citrix Gateway virtual server for your deployment. If a port is not specified, then the default https:// port of 443 is used. It is not necessary to specify port 443 in the URL.

    The fully qualified domain name (FQDN) for your StoreFront deployment must be unique and different from the Citrix Gateway virtual server FQDN. Using the same FQDN for StoreFront and the Citrix Gateway virtual server is not supported.

  4. Select the Usage or role of the Citrix Gateway from the available options.
    • Authentication and HDX routing: The Citrix Gateway will be used for Authentication, as well as for routing any HDX sessions.
    • Authentication Only: The Citrix Gateway will be used for Authentication and not for any HDX session routings.
    • HDX routing Only: The Citrix Gateway will be used for HDX session routings and not for Authentication.
  5. For all deployments where you are making resources provided by Citrix Virtual Apps and Desktops or XenApp 6.5 available in the store, on the Secure Ticket Authority page list the Secure Ticket Authority (STA) URLs for servers running the STA. Add URLs for multiple STAs to enable fault tolerance, listing the servers in order of priority to set the failover sequence.

    The STA is hosted on Citrix Virtual Apps and Desktops, or XenApp 6.5 servers and issues session tickets in response to connection requests. These session tickets form the basis of authentication and authorization for access to Citrix Virtual Apps and Desktops, or XenApp 6.5 resources. Use the correct STA URL (such as HTTPS:// or HTTP://) depending on how your Delivery Controllers are configured. The STA URL must also be identical to the one configured within Citrix Gateway on your virtual server.

  6. Choose to set the Secure Ticket Authority to be load balanced. You can also specify the time interval after which the non-responding STAs are bypassed.

  7. To ensure Citrix Virtual Apps and Desktops, or XenApp 6.5 keep disconnected sessions open while Citrix Workspace app attempts to reconnect automatically, select Enable session reliability.

  8. If you configure multiple STAs and want to ensure that session reliability is always available, select Request tickets from two STAs, where available. Then StoreFront obtains session tickets from two different STAs and user sessions are not interrupted if one STA becomes unavailable during the course of the session. If, for any reason, StoreFront is unable to contact two STAs, it falls back to using a single STA.

  9. On the Authentication Settings page, type the VServer IP address (VIP) of the Citrix Gateway appliance.

    Use the private IP address for the Citrix Gateway virtual server rather than the public IP address that is NATed to the private IP address. Gateways are usually identified by StoreFront via their URLs. If you are using global server load balancing (GSLB), you must add the VIP to each gateway. This allows StoreFront to identify multiple gateways which all use the same URL (GSLB domain name) as distinct gateways. For example, three gateways may be configured for the store with the same URL such as https://gslb.domain.com but would each have unique VIPs configured such as 10.0.0.1, 10.0.0.2 and 10.0.0.3.

  10. If you are adding an appliance running Citrix Gateway, select from the Logon type list the authentication method you configured on the appliance for Citrix Workspace app users.

    • If users are required to enter their Microsoft Active Directory domain credentials, select Domain.
    • If users are required to enter a tokencode obtained from a security token, select Security token.
    • If users are required to enter both their domain credentials and a tokencode obtained from a security token, select Domain and security token.
    • If users are required to enter a one-time password sent by text message, select SMS authentication.
    • If users are required to present a smart card and enter a PIN, select Smart card.

    If you configure smart card authentication with a secondary authentication method to which users can fall back if they experience any issues with their smart cards, select the secondary authentication method from the Smart card fallback list.

  11. If you are configuring StoreFront for Citrix Gateway and want to use Smart Access, then you must type a Callback URL. StoreFront automatically appends the standard portion of the URL. Enter the internally accessible URL of the appliance. StoreFront contacts the Citrix Gateway authentication service to verify that requests received from Citrix Gateway originate from that appliance.

    When using GSLB, we recommend that you configure unique callback URLs for each of your GSLB gateways. StoreFront must be able to resolve each of the unique Callback URLs to the private VIPs configured for each of the GSLB gateway virtual servers. For example, emeagateway.domain.com, usgateway.domain.com and apacgateway.domain.com should resolve to the correct gateway VIP.

  12. Click Create to add your Citrix Gateway appliance to the list in the Remote Access Settings dialog box.

    Information about the configuration of your Citrix Gateway appliances is saved to the .cr provisioning file for the store. This enables Citrix Workspace app to send the appropriate connection request when contacting appliances for the first time.

Remove a store

Use the Remove Store task to delete a store. When you remove a store, any associated Receiver for Web sites, Desktop Appliance sites, and XenApp Services URLs are also deleted.

Important:

In multiple server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that the Citrix StoreFront management console is not running on any of the other servers in the deployment. Once complete, propagate your configuration changes to the server group so that the other servers in the deployment are updated.