Create a new deployment
If the Citrix StoreFront management console is not already open after installation of StoreFront, on the Windows Start screen or Apps screen, locate and click the Citrix StoreFront tile.
In the results pane of the Citrix StoreFront management console, click Create a new deployment.
Specify the URL of the StoreFront server or the load balancing environment for a multiple server deployment in the Base URL box.
If you have not yet set up your load balancing environment, enter the server URL. You can modify the base URL for your deployment at any time.
Click Next to set up the authentication service, which authenticates users to Microsoft Active Directory.
To use HTTPS to secure communications between StoreFront and users’ devices, you must configure Microsoft Internet Information Services (IIS) for HTTPS. In the absence of the appropriate IIS configuration, StoreFront uses HTTP for communications.
By default, Citrix Workspace app requires HTTPS connections to stores. If StoreFront is not configured for HTTPS, users must carry out additional configuration steps to use HTTP connections. HTTPS is required for smart card authentication. You can change from HTTP to HTTPS at any time after configuring StoreFront, provided the appropriate IIS configuration is in place. For more information, see Configure server groups.
You can change from HTTP to HTTPS at any time using the Change Base URL task in the StoreFront management console, provided that Microsoft Internet Information Services (IIS) is configured for HTTPS.
On the Store Name page, specify a name for your store, specify whether you want to allow only unauthenticated (anonymous) users access to the store, and click Next.
StoreFront stores aggregate desktops and applications, making them available to users. Store names appear in Citrix Workspace app under users’ accounts, so choose a name that gives users information about the content of the store.
On the Delivery Controllers page, list the infrastructure providing the resources that you want to make available in the store. To add desktops and applications to the store, follow the appropriate described in Add Citrix Virtual Apps and Desktops resources to the store. You can configure stores to provide resources from any mixture of Citrix Virtual Apps and Desktops deployments. Repeat the procedures, as necessary, to add all the deployments providing resources for the store.
When you have added all the required resources to the store, on the Delivery Controllers page, click Next.
On the Remote Access page, specify whether and how users connecting from public networks can access the internal resources.
- To make the store available to users on public networks, check the Enable remote access box. If you leave this box unchecked, only local users on the internal network are able to access the store.
- To make only resources delivered through the store available through Citrix Gateway, select Allow users to access only resources delivered through StoreFront (No VPN tunnel). Users log on using either ICAProxy or clientless VPN (cVPN) to Citrix Gateway and do not need to use the Citrix Gateway plug-in to establish a full VPN.
- To make the store and all other resources on the internal network available through a Secure Sockets Layer (SSL) virtual private network (VPN) tunnel, select Allows users to access all resources on internal network (Full VPN tunnel). Users require the Citrix Gateway plug-in to establish the VPN tunnel.
When you enable remote access to the store, the Pass-through from Citrix Gateway authentication method is automatically enabled. Users authenticate to Citrix Gateway and are automatically logged on when they access their stores.
If you enabled remote access, Citrix Gateway appliances lists the deployments through which users can access the store. To add a Citrix Gateway deployment to this list, follow the appropriate procedure described in Provide remote access to the store through a Citrix Gateway appliance. Repeat the procedures, as necessary, to add further deployments.
In the Citrix Gateway appliances list, select the deployments through which users can access the store. If you enable access through multiple deployments, specify the Default appliance to be used to access the store. Click Next.
On the Authentication Methods page, select the methods your users will use to authenticate to the store and click Next. You can select from the following methods:
- Username and password: Users enter their credentials and are authenticated when they access their stores.
- SAML Authentication: Users authenticate to an Identity Provider and are automatically logged on when they access their stores.
- Domain pass-through: Users authenticate to their domain-joined Windows computers and their credentials are used to log them on automatically when they access their stores.
- Smart card: Users authenticate using smart cards and PINs when they access their stores.
- HTTP basic: Users authenticate with the StoreFront server’s IIS web server.
- Pass-through through Citrix Gateway: Users authenticate to Citrix Gateway and are automatically logged on when they access their stores. This is automatically checked when the remote access is enabled.1. On the Configure Password Validation page, select the Delivery Controllers to provide the password validation, click Next.
On the XenApp Services URL page, configure the XenApp Service URL for users who use PNAgent to access the applications and desktops.
After the store has been create, further options become available in the Citrix StoreFront management console. For more information, see Configure and manage stores.
Your store is now available for users to access with Citrix Workspace app, which must be configured with access details for the store. There are a number of ways in which you can provide these details to users to make the configuration process easier for them. For more information, see User access options.
Alternatively, users can access the store through the Citrix Receiver for Web site, which enables users to access their desktops and applications through a webpage. The URL for users to access the Citrix Receiver for Web site for the new store is displayed when you create the store.
When you create a new store, the XenApp Services URL is enabled by default. Users of domain-joined desktop appliances and repurposed PCs running the Citrix Desktop Lock, along with users who have older Citrix clients that cannot be upgraded, can access stores directly using the XenApp Services URL for the store. The XenApp Services URL has the form http[s]://serveraddress/Citrix/storename/PNAgent/config.xml, where serveraddress is the fully qualified domain name of the server or load balancing environment for your StoreFront deployment and storename is the name you specified for the store in Step 5.
To quickly add more servers to your deployment, select the option to join an existing server group when installing further instances of StoreFront.
Add Citrix Virtual Apps and Desktops resources to the store
Complete the following steps to make desktops and applications provided by Citrix Virtual Apps and Desktops available in the store that you create as part of the initial configuration of your StoreFront server. It is assumed that you have completed Steps 1 to 6 in the “Create a new deployment” procedure at the top of this article.
On the Delivery Controllers page, list the infrastructure providing the resources that you want to make available in the store. Click Add.
In the Add Delivery Controller dialog box, specify a Display name that will help you to identify the deployment and select a Type to indicate how the resources made available in the store are provided. Type defaults to Citrix Virtual Apps and Desktops. XenApp 6.5 is available as a Type, however it reached End of Life in June 2018, and is now covered by the Extended Support Program.
To make desktops and applications provided by Citrix Virtual Apps and Desktops and XenApp 6.5 available in the store, add the names or IP addresses of your servers to the Servers list. Specify multiple servers to enable fault tolerance, listing the entries in order of priority to set the failover sequence. For Citrix Virtual Apps and Desktops sites, give details of Delivery Controllers. In the case of XenApp 6.5 farms, list servers running the Citrix XML Service.
Select from the Transport type list the type of connections for StoreFront to use for communications with the servers.
- To send data over unencrypted connections, select HTTP. If you select this option, you must make your own arrangements to secure connections between StoreFront and your servers.
- To send data over secure HTTP connections using Transport Layer Security (TLS), select HTTPS. If you select this option for Citrix Virtual Apps and Desktops servers, ensure that the Citrix XML Service is set to share its port with Microsoft Internet Information Services (IIS) and that IIS is configured to support HTTPS.
To send data over secure connections to XenApp 6.5 servers using the SSL Relay to perform host authentication and data encryption, select SSL Relay.
If you are using HTTPS or the SSL Relay to secure connections between StoreFront and your servers, ensure that the names you specify in the Servers list match exactly (including the case) the names on the certificates for those servers.
Specify the Port for StoreFront to use for connections to the servers. The default port is 80 for connections using HTTP and the SSL Relay, and 443 for HTTPS connections. In the case of Citrix Virtual Apps and Desktops servers, the specified port must be the port used by the Citrix XML Service.
If you are using the SSL Relay to secure connections between StoreFront and XenApp 6.5 servers, specify the TCP port of the SSL Relay in SSL Relay port. The default port is 443. Ensure that all the servers running the SSL Relay are configured to monitor the same port.
Click OK. You can configure stores to provide resources from any mixture of Citrix Virtual Apps and Desktops deployments. To add further Citrix Virtual Desktops sites or Citrix Virtual Apps farms, repeat the procedure above. When you have added all the required resources to the store, return to Step 7 in the “Create a new deployment” procedure at the top of this article.
Provide remote access to the store through a Citrix Gateway appliance
Complete the following steps to configure remote access through a Citrix Gateway appliance to the store that you create as part of the initial configuration of your StoreFront server. It is assumed that you have completed Steps 1 to 9 in the “Create a new deployment” procedure at the top of this article.
On the Remote Access page of the StoreFront console Create Store dialog box, click Add.
In the Add Citrix Gateway Appliance dialog box, on the General Settings page, specify a Display name for the Citrix Gateway appliance that will help users to identify it.
Users see the display name you specify in Citrix Workspace app, so include relevant information in the name to help users decide whether to use that gateway. For example, you can include the geographical location in the display names for your Citrix Gateway deployments so that users can easily identify the most convenient or closest gateway to their location.
For Citrix Gateway URL, type the URL:port combination of the Citrix Gateway virtual server for your deployment. If a port is not specified, then the default
https://port of 443 is used. It is not necessary to specify port 443 in the URL.
For information about creating a single Fully Qualified Domain Name (FQDN) to access a store internally and externally, see Create a single Fully Qualified Domain Name (FQDN) to access a store internally and externally.
- Select the Usage or role of the Citrix Gateway from the available options.
- Authentication and HDX routing: The Citrix Gateway will be used for Authentication, as well as for routing any HDX sessions.
- Authentication Only: The Citrix Gateway will be used for Authentication and not for any HDX session routings.
- HDX routing Only: The Citrix Gateway will be used for HDX session routings and not for Authentication.
For all deployments where you are making resources provided by Citrix Virtual Apps and Desktops or XenApp 6.5 available in the store, on the Secure Ticket Authority page, add Secure Ticket Authority (STA) URLs for servers running the STA. Add URLs for multiple STAs to enable fault tolerance, listing the servers in order of priority to set the failover sequence.
The STA is hosted on Citrix Virtual Apps and Desktops, or XenApp 6.5 servers and issues session tickets in response to connection requests. These session tickets form the basis of authentication and authorization for access to Citrix Virtual Apps and Desktops, or XenApp 6.5 resources. Use the correct STA URL (such as
HTTP://) depending on how your Delivery Controllers are configured. The STA URL must also be identical to the one configured within Citrix Gateway on your virtual server.
To ensure Citrix Virtual Apps and Desktops, or XenApp 6.5 keep disconnected sessions open while Citrix Workspace app attempts to reconnect automatically, select Enable session reliability.
If you configure multiple STAs and want to ensure that session reliability is always available, select Request tickets from two STAs, where available. Then StoreFront obtains session tickets from two different STAs and user sessions are not interrupted if one STA becomes unavailable during the course of the session. If, for any reason, StoreFront is unable to contact two STAs, it falls back to using a single STA.
On the Authentication Settings page, type the VServer IP address (VIP) of the Citrix Gateway appliance.
Use the private IP address for the Citrix Gateway virtual server rather than the public IP address that is NATed to the private IP address. Gateways are usually identified by StoreFront via their URLs. If you are using global server load balancing (GSLB), you must add the VIP to each gateway. This allows StoreFront to identify multiple gateways which all use the same URL (GSLB domain name) as distinct gateways. For example, three gateways may be configured for the store with the same URL such as
https://gslb.domain.combut would each have unique VIPs configured such as 10.0.0.1, 10.0.0.2 and 10.0.0.3.
If you are adding an appliance running Citrix Gateway, select from the Logon type list the authentication method you configured on the appliance for Citrix Workspace app users.
- If users are required to enter their Microsoft Active Directory domain credentials, select Domain.
- If users are required to enter a tokencode obtained from a security token, select Security token.
- If users are required to enter both their domain credentials and a tokencode obtained from a security token, select Domain and security token.
- If users are required to enter a one-time password sent by text message, select SMS authentication.
- If users are required to present a smart card and enter a PIN, select Smart card.
If you configure smart card authentication with a secondary authentication method to which users can fall back if they experience any issues with their smart cards, select the secondary authentication method from the Smart card fallback list.
If you are configuring StoreFront for Citrix Gateway and want to use Smart Access, then you must type a Callback URL. StoreFront automatically appends the standard portion of the URL. Enter the internally accessible URL of the appliance. StoreFront contacts the Citrix Gateway authentication service to verify that requests received from Citrix Gateway originate from that appliance.
When using GSLB, we recommend that you configure unique callback URLs for each of your GSLB gateways. StoreFront must be able to resolve each of the unique Callback URLs to the private VIPs configured for each of the GSLB gateway virtual servers. For example,
apacgateway.domain.comshould resolve to the correct gateway VIP.
Click Create to add your Citrix Gateway appliance to the list in the Remote Access Settings dialog box.
Information about the configuration of your Citrix Gateway appliances is saved to the .cr provisioning file for the store. This enables Citrix Workspace app to send the appropriate connection request when contacting appliances for the first time.
- Return to Step 10 in the “Create a new deployment” procedure at the top of this article.