StoreFront

User access options

Three different methods are available for users to access StoreFront stores.

  • Citrix Workspace app installed locally - Users with compatible versions of Citrix Workspace app can access StoreFront stores within the Citrix Workspace app user interface. This provides the best user experience and the greatest functionality.
  • Citrix Workspace app for HTML5 - Users with compatible web browsers can access StoreFront stores by browsing to the store’s website. By default, users also require a compatible version of Citrix Workspace app to access their desktops and applications, known as hybrid launch. However, you can configure your website to enable users to access their resources through their browser without installing Citrix Workspace app.
  • XenApp Services URLs - Users who have legacy Citrix clients that cannot be upgraded, can access stores using the XenApp Services URL for the store. When you create a new store, the XenApp Services URL is enabled by default.

Citrix Workspace app installed locally

Accessing stores from the locally installed Citrix Workspace app provides the best user experience. For the Citrix Workspace app versions that can be used to access stores in this way, see System Requirements.

Citrix Workspace app uses internal and external URLs as beacon points. By attempting to contact these beacon points, Citrix Workspace app can determine whether users are connected to local or public networks. When a user accesses a desktop or application, the location information is passed to the server providing the resource so that appropriate connection details can be returned to Citrix Workspace app. This enables Citrix Workspace app to ensure that users are not prompted to log on again when they access a desktop or application. For more information, see Configure beacon points.

Add Store to Workspace App

After installation, Citrix Workspace app must be configured with connection details for the stores providing users’ desktops and applications. You can make the configuration process easier for your users by providing them with the required information in one of the following ways.

Important:

By default, Citrix Workspace app requires HTTPS connections to stores. If StoreFront is not configured for HTTPS, users must carry out additional configuration steps to use HTTP connections. Citrix strongly recommends that you do not enable unsecured user connections to StoreFront in a production environment. For more information, see Store configuration parameters in the Citrix Workspace app for Windows documentation.

Manual configuration

Users can connect Citrix Workspace app to their store by entering the store URLs into Citrix Workspace app. For more information, see the Citrix Workspace app documentation.

Provisioning files

You can provide users with provisioning files containing connection details for their stores. After installing Citrix Workspace app, users open the .cr file to automatically configure accounts for the stores. By default, the website offers users a provisioning file for the single store for which the site is configured. You could instruct your users to visit the websites for the stores they want to access and download provisioning files from those sites. Alternatively, for a greater level of control, you can use the Citrix StoreFront management console to generate provisioning files containing connection details for one or more stores. You can then distribute these files to the appropriate users. For more information, see Export store provisioning files for users.

Auto-generated setup URLs

For users running macOS, you can use the Citrix Workspace app for Mac Setup URL Generator to create a URL containing connection details for a store. After installing Citrix Workspace app, users click on the URL to configure an account for the store automatically. Enter details of your deployment into the tool and generate a URL that you can distribute to your users.

Email-based account discovery

With email-based account discovery, instead of needing to know the access details for their stores, users enter their email addresses during the Citrix Workspace app initial configuration process. For details of how to set this up see Email based account discovery.

Global App Config Service

Use the Global App Config Service to configure Citrix Workspace app for your StoreFront stores. See Configure settings for on-premises stores.

Citrix Workspace app for HTML5

As an alternative to using a locally installed Workspace app, users can access their store through a web browser with Workspace app for HTML5. When users come to launch their resources there are two possibilities.

  1. Resources launch within locally installed Citrix Workspace app. This is known as a hybrid launch. This gives users the best experience as it can take advantage of full operating system integration. For more details see Hybrid launch

  2. Resources launch within the browser. This makes it possible for users to access resources without needing to install any software locally.

The default configuration is to require that Citrix Workspace app is installed locally for a hybrid launch. You can change the configuration to either always launch resources in the browser or to give the user the choice. See Deploy Workspace app.

If the admin selected Use Receiver for HTML5 if local Receiver is unavailable then when the user first opens the store website in their browser, the user has the option to click Use Light Version to launch resources within their web browser.

Requirements for opening resources in your browser

For users on the internal network, access through Citrix Workspace app for HTML5 to resources provided by Citrix Virtual Apps and Desktops is disabled by default. To enable local access to desktops and applications using Citrix Workspace app for HTML5, enable the ICA WebSockets connections policy on your Citrix Virtual Apps and Desktops servers. Citrix Virtual Apps and Desktops uses port 8008 for Citrix Workspace app for HTML5 connections. Ensure your firewalls and other network devices permit access to this port. For more information, see WebSockets policy settings.

For Citrix Virtual Apps and Desktops resource launches to succeed, configure the TLS connections to the VDAs that host apps and desktops. Remote connections through a Citrix Gateway can launch resources using Citrix Workspace app for HTML5 without configuring TLS connections to the VDA.

Hybrid Launch

When users first open Citrix Workspace for HTML5 through their browser but launch apps within the locally installed Citrix Workspace app this is known as hybrid launch. There are a number of ways in which the web site can communicate with the locally installed Workspace app to launch resources.

Citrix Workspace launcher

When the user first goes to a StoreFront web site with a supported operating system and browser, Citrix Workspace app for HTML5 attempts to invoke the Citrix Workspace Launcher. If a supported version of Citrix Workspace app is installed then the app notifies StoreFront. Citrix Workspace app for HTML5 remembers this and when it launches an app it uses Citrix Workspace Launcher.

The store web site invokes Citrix Workspace Launcher on Windows, Mac and Linux with when using the following browsers:

  • Firefox 52 or higher
  • Chrome 42 or higher
  • Safari 12 or higher
  • Edge 25 or higher

Citrix Workspace Launcher requires the following minimum versions of Citrix Receiver or Citrix Workspace app.

  • Receiver for Windows 4.3 or higher
  • Receiver for Mac 12.0 or higher
  • Workspace app for Linux 2003 or higher

If the Workspace app launcher is not available, or the user does not allow it to open, then it will not be able to detect the locally installed Citrix workspace app. The user has the option to try again, or to click Already Installed, in which case it falls back to launching apps using .ica files. The user can later try again by going to the Settings screen and clicking Change Citrix Workspace app.

If you are using multiple active StoreFront server groups behind a global server load balancer then Citrix Workspace launcher may fail intermittently. To avoid this you must configure your global server load balancer to force the user web session to be persistent to one StoreFront server group for the lifetime of the client detection process, see CTX460312. Alternatively deploy Citrix Workspace web extensions.

Citrix Workspace web extensions

The Citrix Workspace web extensions are extensions for commonly used web browsers that improve the user experience for detecting the locally installed Citrix Workspace app and launching virtual apps and desktops. Compared to Citrix Workspace launcher, this provides a better user experience and avoids issues with global server load balancers.

To enable the browser extension-based client detection:

  • Enable the feature on the StoreFront server.
  • Deploy the browser extension on the client devices.
  • Deploy Citrix Workspace app for Windows 2303, Mac 2304 or Linux 2302 or higher.

The first time a user goes to a store website on a supported platform, it prompts the user to detect the locally installed Workspace app. It first tries to use the web extension and if this fails then it tries Citrix Workspace Launcher. Existing users who have already completed Workspace app detection can go to Account Settings, click Change Citrix Workspace app to re-detect workspace app.

This feature is off by default. Administrators can enable this feature using the following PowerShell script on a StoreFront server: Add-STFFeatureState -Name "Citrix.StoreFront.EnableBrowserExtension" -IsEnabled $True.

Internet Explorer

The first time the user opens the store web site in Internet Explorer, it prompts the user to install Citrix Workspace app which includes the Citrix ICA Client Add-on for Internet Explorer. Once the plugin is installed, this is used to launch apps and desktops through the locally installed Citrix Workspace app.

ICA file downloads

If Citrix Workspace app for HTML5 is unable to detect a locally installed Citrix Workspace app by any other means then when a user launches an app or desktop then it downloads a .ica file. The user can open this file with the locally installed Citrix Workspace app.

Resource shortcuts

You can generate URLs that provide access to desktops and applications available in your store. Embed these links on websites hosted on the internal network to provide users with rapid access to resources. Users click on a link and are redirected to the store website, where they log on if they have not already done so. The store website automatically starts the resource. For more information about generating resource shortcuts, see Website shortcuts.

When you create an application shortcut, ensure that no other applications available from the store have the same name. Shortcuts cannot distinguish between multiple instances of an application with the same name. Similarly, if you make multiple instances of a desktop from a single desktop group available from the store, you cannot create separate shortcuts for each instance. Shortcuts cannot pass command-line parameters to applications.

To create application shortcuts, you configure StoreFront with the URLs of the internal websites that will host the shortcuts. When a user clicks on an application shortcut on a website, StoreFront checks that website against the list of URLs you entered to ensure that the request originates from a trusted website. However, for users connecting through Citrix Gateway, websites hosting shortcuts are not validated because the URLs are not passed to StoreFront. To ensure that remote users can only access application shortcuts on trusted internal websites, configure Citrix Gateway to restrict user access to only those specific sites.

Customize the user interface

Citrix StoreFront provides a mechanism for customizing the user interface. These apply whether accessing a store through Citrix Workspace app or a web browser. You can customize strings, the cascading style sheet, and the JavaScript files. You can also add a custom pre-logon or post-logon screen, and add language packs. For more information see Customize Appearance.

XenApp Services URLs

Note:

XenApp Services (also known as PNAgent) is deprecated as of StoreFront 2308. It is recommended that you use Citrix Workspace app to connect to StoreFront using a Store URL.

Users with older Citrix clients that cannot be upgraded can access stores by configuring their clients with the XenApp Services URL for a store. You can also enable access to your stores through XenApp Services URLs from domain-joined desktop appliances and repurposed PCs running the Citrix Desktop Lock. Domain-joined in this context means devices that are joined to a domain within the Microsoft Active Directory forest containing the StoreFront servers.

StoreFront supports pass-through authentication with proximity cards through Citrix Workspace app to XenApp Services URLs. Citrix Ready partner products use the Citrix Fast Connect API to streamline user logons through Citrix Receiver for Windows or Citrix Workspace app for Windows to connect to stores using the XenApp Services URL. Users authenticate to workstations using proximity cards and are rapidly connected to desktops and applications provided by Citrix Virtual Apps and Desktops. For more information, see the most recent Citrix Workspace for Windows documentation.

When you create a new store, the XenApp Services URL for the store is enabled by default. The XenApp Services URL for a store has the form http[s]://serveraddress/Citrix/storename/PNAgent/config.xml, where serveraddress is the fully qualified domain name of the server or load balancing environment for your StoreFront deployment and storename is the name specified for the store when it was created. This allows Citrix Workspace apps that can only use the PNAgent protocol to connect to Storefront. For the clients that can be used to access stores through XenApp Services URLs, see User device requirements.

Important considerations

XenApp Services URLs are intended to support users who cannot upgrade to Citrix Workspace app and for scenarios where alternative access methods are not available. When you decide whether to use XenApp Services URLs to provide users with access to your stores, consider the following restrictions.

  • You cannot modify the XenApp Services URL for a store.
  • You cannot modify XenApp Services URL settings by editing the configuration file, config.xml.
  • XenApp Services URLs support explicit, domain pass-through, smart card authentication, and pass-through with smart card authentication. Explicit authentication is enabled by default. Only one authentication method can be configured for each XenApp Services URL and only one URL is available per store. If you need to enable multiple authentication methods, you must create separate stores, each with a XenApp Services URL, for each authentication method. Your users must then connect to the appropriate store for their method of authentication. For more information, see XML-based authentication.
  • Workspace control is enabled by default for XenApp Services URLs and cannot be configured or disabled.
  • User requests to change their passwords are routed to the domain controller directly through the Citrix Virtual Apps and Desktops servers providing desktops and applications for the store, bypassing the StoreFront authentication service.
User access options