Configure two URLs for the same Citrix Gateway

In StoreFront, you can add a single Citrix Gateway URL from the StoreFront management console in Manage Citrix Gateways > Add or Edit. It is also possible to add both a public Citrix Gateway URL and a GSLB (Global Server Load Balancing) URL in Manage Citrix Gateways > imported from file.

This article shows you how to use PowerShell cmdlets and the StoreFront PowerShell SDK to use an optional parameter, -gslburl, to set the GslbLocation attribute of a gateway. This feature simplifies the Citrix Gateway administration in StoreFront in the following use cases:

  1. GSLB and multiple Citrix Gateways. Use GSLB and multiple Citrix Gateways to load balance remote connections to published resources in two or more locations within a large global Citrix deployment.
  2. Single Citrix Gateway using a public or private URL. Use the same Citrix Gateway for external access using a public URL, and for internal access using a private URL.

This is an advanced feature and topic. If you are new to StoreFront gateway and Global Server Load Balancing (GSLB) concepts, see the Related information links at the end of this article.

This feature offers the following benefits:

  • Support two simultaneous URLs for a single gateway object.
  • Users can switch between two different URLs to access the Citrix Gateway without the administrator reconfiguring the StoreFront gateway object to match the gateway URL the user wants to use.
  • Shorter setup and test times to validate the StoreFront gateway configuration when using multiple GSLB gateways.
  • Use the same Citrix Gateway object in StoreFront inside the DMZ for both external and internal access.
  • Support both URLs for optimal gateway routing. For more information on optimal gateway routing, see Set up highly available multi-site stores.

Deployment considerations when using two Gateway URLs

  • The gatewayURL FQDN is displayed for each gateway within the StoreFront admin console. The GSLBURL property of each gateway is only visible via the use of PowerShell cmdlets.
  • The gatewayURL is used by native Citrix Receivers and Citrix Workspace apps for authentication.
  • The gatewayURL is included in the location tag within the provisioning file (receiver.cr) used to configure Citrix Receivers and Citrix Workspace apps with store and gateway information.
  • Use the provided Powershell to modify Store and Roaming web.config files. Do not do this manually.

Important:

Before configuring a second gateway URL using the -gslburl parameter, review what server certificates you have in place and how your organization performs DNS resolution. Any URLs that you want to use in your Citrix Gateway and StoreFront deployment must be present in your server certificates. For more information about server certificates, see Plan gateway and server certificate usage.

DNS

  • Split DNS. It is common for large enterprises to use split DNS. Split DNS involves using different namespaces and different DNS servers for public and private DNS resolution. Check if you have the existing DNS infrastructure to support this.
  • Single URL for external and internal access to published resources. Decide if you want to use the same URL to access published resources from both outside and inside your corporate network, or consider if two different URLs are acceptable such as example.com and example.net.

Server certificate examples

This section contains example server certificate deployments when using two Gateway URLs.

Example server certificate for a load balanced StoreFront deployment

A privately signed wildcard server certificate should contain the FQDN *.storefront.example.net.

Or

A privately signed SAN server certificate should contain all the FQDNs needed to load balance three StoreFront servers.

loadbalancer.storefront.example.net
server1.storefront.example.net
server2.storefront.example.net
server3.storefront.example.net

Set the host base URL of the StoreFront server group to be the shared FQDN, which resolves to the load balancer IP address:

loadbalancer.storefront.example.net

Example server certificate for a Citrix Gateway which is accessed both externally and internally using split DNS

A publically signed SAN server certificate for both external and internal access should contain both the external and internal FQDNs.

gateway.example.com
gateway.example.net

Example server certificate for all GSLB Gateways which are accessed externally

A publically signed SAN server certificate for external access through GSLB should contain the FQDNs.

gslbdomain.example.com
emeagateway.example.com
usgateway.example.com
apacgateway.example.com

This allows the user to access the closest gateway using GSLB or to pick a gateway in the location of their choice using its unique FQDN.

Use Case #1: Receiver for Web: GSLB and multiple Citrix Gateways

The administrator uses GSLB and multiple Citrix Gateways to load balance remote connections to published resources in two or more locations within a large global Citrix deployment.

GSLB and multiple Citrix Gateways

In this example:

  • Each location or data center contains at least one gateway, one or more StoreFront servers, and one or more XenApp and XenDesktop Controllers to provide published resources for that location. Each GSLB service configured on the GSLB Citrix ADC Appliances within the global deployment represents a gateway VPN vServer. All of the StoreFront servers in the deployment must be configured to contain all of the Citrix Gateway virtual servers that make up the GSLB layer. The GSLB Citrix Gateways are used in active/active mode but can also provide failover if the network connection, DNS, gateway, StoreFront server or Citrix Virtual Apps and Desktops Controllers at one location fail. Users are automatically directed to another gateway if a GSLB service is unavailable.
  • External clients are directed to the closest gateway based on the configured GSLB load balancing algorithm such as round trip time (RTT) or Static Proximity when making remote connections.
  • The unique URL for each gateway allows users to manually select which data center they want to launch resources from by choosing the location-specific URL for the gateway they want to use.
  • GSLB can be bypassed when GSLB or a DNS delegation is not working as expected. Users can continue to access remote resources at any data center using its location-specific URL until any GSLB related issues are resolved.

Use Case #1: Receiver for Web, and Citrix Receivers or Citrix Workspace apps: GSLB and multiple Citrix Gateways

Gateway attributes

To use GSLB with native Citrix Receivers or Citrix Workspace apps, use Add-STFRoamingGateway (create) or Set-STFRoamingGateway (modify) to specify the following attributes:

-GatewayUrl — set as the shared FQDN for all GSLB gateways

-GSLBurl — set as the unique gateway FQDN for each gateway

Note:

This may seem counterintuitive but it has no impact on this web use case. It ensures that native Citrix Receivers or Citrix Workspace apps receive the shared FQDN used by GSLB within the discovery document found by accessing the endpoint https://storefront.domain.com/citrix/<storename>/discovery. It also ensures that the provisioning file (receiver.cr ) exported by StoreFront’s Export Provisioning File command contains the shared GSLB FQDN.

Example provisioning files

Example file 1 using -GatewayUrl https://gslb.domain.com. This allows native Citrix Receivers or Citrix Workspace apps to use GSLB to connect to gateways.

Allows native Citrix Receivers or Citrix Workspace apps to use GSLB to connect to gateways

Example file 2 using -GatewayUrl https://emeagateway.domain.com, https://usgateway.domain.com and https://apacgateway.domain.com. This allows native Citrix Receivers or Citrix Workspace apps to use the unique URLs to connect to gateways.

Allows native Citrix Receivers or Citrix Workspace apps to use the unique URLs to connect to gateways

The shared FQDN is used for authentication by native Citrix Receivers and Citrix Workspace apps.

Use Case #2: Single Citrix Gateway using a public or private URL

The administrator uses the same Citrix Gateway for both external access using a public URL, and also internally using a private URL.

Single Citrix Gateway using a public or private URL

In this example:

  • The administrator wants all access to published resources and HDX launch traffic to pass through a Citrix Gateway even if the client is internal.
  • The Citrix Gateway is located in a DMZ.
  • There are two different network routes to the Citrix Gateway through the two firewalls on either side of the DMZ.
  • The public-facing, external namespace is different from the internal namespace.

PowerShell cmdlet examples

Use the PowerShell cmdlets Add-STFRoamingGateway and Set-STFRoamingGateway with the parameter, -gslburl, to set the GslbLocation attribute on the StoreFront gateway object. For example:

Add-STFRoamingGateway -Name "EMEAGateway" -GatewayUrl "https://emeagateway.example.com" -GSLBurl "https://gslb.example.com" -SubnetIPAddress "10.0.0.1" -CallbackUrl "https://emeagateway.example.com" -LogonType "DomainAndRSA" -SmartCardFallbackLogonType "None" -Version "Version10_0_69_4" -SecureTicketAuthorityUrls "https://emea-controller.example.com/scripts/ctxsta.dll,https://us-controller.example.com/scripts/ctxsta.dll,https://apac-controller.example.com/scripts/ctxsta.dll"
Set-STFRoamingGateway -Name "EMEAGateway" -GatewayUrl "https://emeagateway.example.com" -GSLBurl "https://gslb.example.com"
Get-STFRoamingGateway -Name "EMEAGateway" (returns just the EMEA gateway object)
Or
Get-STFRoamingGateway (returns all gateway object configured in StoreFront)

For use case #1, you can remove the GSLBurl from the “EMEAGateway” by setting its GslbLocation to NULL. The following PowerShell modifies the gateway object $EMEAGateway stored in memory. Set-STFRoamingGateway can then be passed $EMEAGateway to update the StoreFront config and remove the GSLBurl.

$EMEAGateway = Get-STFRoamingGateway
$EMEAGateway.GslbLocation = $Null
Set-STFRoamingGateway -Gateway $EMEAGateway

For use case #1, the following gateways are returned using Get-STFRoamingGateway:

Name: EMEAGateway
Location: https://emeagateway.example.com/ (Unique URL for the EMEA Gateway)
GslbLocation: https://gslb.example.com/ (GSLB URL for all three gateways)

Name: USGateway
Location: https://USgateway.example.com/ (Unique URL for the US Gateway)
GslbLocation: https://gslb.example.com/ (GSLB URL for all three gateways)

Name: APACGateway
Location: https://APACgateway.example.com/ (Unique URL for the APAC Gateway)
GslbLocation:  https://gslb.example.com/ (GSLB URL for all three gateways)

For use case #2: the following gateways are returned using Get-STFRoamingGateway:

Name: EMEAGateway
Location: https://emeagateway.example.com/ (Public URL for the Gateway)
GslbLocation: https://emeagateway.example.net/ (Private URL for the Gateway)

For use case #1, Optimal Gateway Routing is returned using Get-STFStoreRegisteredOptimalLaunchGateway:

$StoreObject = Get-STFStoreService -SiteId 1 -VirtualPath "/Citrix/<YourStore>"

Get-STFStoreRegisteredOptimalLaunchGateway -StoreService $StoreObject

Hostnames:       {emeagateway.example.com, gslb.example.com}
Hostnames:       {usgateway.example.com, gslb.example.com}
Hostnames:       {apacgateway.example.com, gslb.example.com}

GSLB URL or Internal URL for each Gateway is stored in the Roaming service web.config file

StoreFront does not display the GSLB URL or internal URL for each Gateway within the StoreFront management console, however it is possible to view the configured GSLBLocation path for all GSLB gateways by opening the roaming service Web.Config file location in C:\inetpub\wwwroot\Citrix\Roaming\web.config on the StoreFront server.

Use Case #1 Gateways in Roaming web.config file

<gateway id="cca13269-18c1-10fd-a0df-7931b3897aa8" name="EMEAGateway" default="false" edition="Enterprise" version="Version10_0_69_1" auth="DomainAndRSA" smartcardfallback="None" ipaddress="10.0.0.1" rwmode="NONE" deployment="Appliance" callbackurl=https://emeagateway.example.com/CitrixAuthService/AuthService.asmx sessionreliability="true" requesttickettwosta="false" stasUseLoadBalancing="false" stasBypassDuration="01:00:00">
<location path="https://emeagateway.example.com/" /><gslbLocation path="https://gslb.example.com/" /><clusternodes>
<clear />
</clusternodes>
<silentauthenticationurls>
<clear />
</silentauthenticationurls>
<secureticketauthorityurls>
<clear />
<location path="https://emea-controller.example.com/scripts/ctxsta.dll" />
<location path="https://us-controller.example.com/scripts/ctxsta.dll" />
<location path="https://apac-controller.example.com/scripts/ctxsta.dll" />
</secureticketauthorityurls>
</gateway>

<gateway id="b8ec720c-d85e-1889-8188-1cf08a2cf762" name="USGateway" default="false" edition="Enterprise" version="Version10_0_69_1" auth="DomainAndRSA" smartcardfallback="None" ipaddress="10.0.0.2" rwmode="NONE" deployment="Appliance" callbackurl="https://usgateway.example.com/CitrixAuthService/AuthService.asmx" sessionreliability="true" requesttickettwosta="false" stasUseLoadBalancing="false" stasBypassDuration="01:00:00"><location path="https://usgateway.example.com/" /><gslbLocation path="https://gslb.example.com/" /><clusternodes>
<clear />
</clusternodes>
<silentauthenticationurls>
<clear />
</silentauthenticationurls>
<secureticketauthorityurls>
<clear />
<location path="https://emea-controller.example.com/scripts/ctxsta.dll" />
<location path="https://us-controller.example.com/scripts/ctxsta.dll" />
<location path="https://apac-controller.example.com/scripts/ctxsta.dll" />
</secureticketauthorityurls>
</gateway>

<gateway id="c57117b5-e111-1eed-9117-a1ffa1c8100e" name="APACGateway" default="false" edition="Enterprise" version="Version10_0_69_1" auth="DomainAndRSA" smartcardfallback="None" ipaddress="10.0.0.3" rwmode="NONE" deployment="Appliance" callbackurl="https://apacgateway.example.com/CitrixAuthService/AuthService.asmx" sessionreliability="true" requesttickettwosta="false" stasUseLoadBalancing="false" stasBypassDuration="01:00:00"><location path="https://apacGateway.example.com/" /><gslbLocation path="https://gslb.example.com/" /><clusternodes>
<clear />
</clusternodes>
<silentauthenticationurls>
<clear />
</silentauthenticationurls>
<secureticketauthorityurls>
<clear />
<location path="https://emea-controller.example.com/scripts/ctxsta.dll" />
<location path="https://us-controller.example.com/scripts/ctxsta.dll" />
<location path="https://apac-controller.example.com/scripts/ctxsta.dll" />
</secureticketauthorityurls>
</gateway>

Use Case #2: Gateways in Roaming web.config file

<gateway id="cca13269-18c1-10fd-a0df-7931b3897aa8" name="EMEAGateway" default="false" edition="Enterprise" version="Version10_0_69_1" auth="Domain" smartcardfallback="None" ipaddress="10.0.0.1" rwmode="NONE" deployment="Appliance" callbackurl="https://emeagateway.example.com/CitrixAuthService/AuthService.asmx" sessionreliability="true" requesttickettwosta="false" stasUseLoadBalancing="false" stasBypassDuration="01:00:00">
<location path="https://emeagateway.example.com/" />
<gslbLocation path=" https://emeagateway.example.net/" />
<clusternodes>
<clear />
</clusternodes>
<silentauthenticationurls>
<clear />
</silentauthenticationurls>
<secureticketauthorityurls>
<clear />
<location path="https://emea-controller.example.net/scripts/ctxsta.dll" />
</secureticketauthorityurls>
</gateway>

In Developer Documentation see Citrix StoreFront SDK PowerShell Modules.