Integrate with Citrix Gateway and Citrix ADC

Use Citrix Gateway with StoreFront to provide secure remote access for users outside the corporate network and Citrix ADC to provide load balancing.

Plan gateway and server certificate usage

Integrating StoreFront with Citrix Gateway and Citrix ADC requires a plan for gateway and server certificate usage. Consider which Citrix components are going to require server certificate(s) within your deployment:

  • Plan to obtain certificates for Internet-facing servers and gateways from external certificate authorities. Client devices may not automatically trust certificates signed by an internal certificate authority.
  • Plan for both external and internal server names. Many organizations have separate namespaces for internal and external use—such as example.com (external) and example.net (internal). A single certificate can contain both of these kinds of name by using the Subject Alternative Name (SAN) extension. This is not normally recommended. A public certificate authority will only issue a certificate if the top-level domain (TLD) is registered with IANA. In this case, some commonly used internal server names (such as example.local) cannot be used, and separate certificates for external and internal names are required anyway.
  • Use separate certificates for external and internal servers, where possible. A gateway may support multiple certificates, either by binding a different certificate to each interface.
  • Avoid sharing certificates between Internet-facing and non-Internet-facing servers. These certificates are likely to be different—with different validity periods and different revocation policies than certificates issued by your internal certificate authorities.
  • Share “wildcard” certificates only between equivalent services. Avoid sharing a certificate between different types of server (for example StoreFront servers, and other kinds of servers). Avoid sharing a certificate between servers which are under different administrative control, or which have different security policies. Typical examples of servers which provide equivalent service are:
    • A group of StoreFront servers and the server that performs load balancing between them.
    • A group of Internet-facing gateways within GSLB.
    • A group of Citrix Virtual Apps and Desktops controllers, which provide equivalent resources.
  • Plan for hardware-secured private key storage. Gateways and servers, including some Citrix ADC models, can store the private key securely within a hardware security module (HSM) or Trusted Platform Module (TPM). For security reasons, these configurations are not usually intended to support sharing of certificates and their private keys. Consult the documentation for the component. If implementing GSLB with Citrix Gateway, this may require each gateway within GSLB to have an identical certificate, which contains all the FQDNs you wish to use.

For more information about securing your Citrix deployment, see the white paper End-To-End Encryption with Citrix Virtual Apps and Desktops and the Citrix Virtual Apps and Desktops Secure section.

Configure StoreFront Log On when authentication is disabled on Citrix Gateway VIP

Log on to StoreFront when authentication is disabled on the Citrix Gateway VIP. This procedure applies in two scenarios:

  • Internal networks. App launch fails from remote locations because STAs cannot be used when authentication is disabled on the Citrix Gateway if the X-Citrix-Gateway header is passed to StoreFront.
  • Citrix Receiver for Web. Receiver clients do not authenticate if authentication is not enabled at the Citrix Gateway VIP.

Changes on the StoreFront Server

  1. Disable the Require Token Consistency field:
    • StoreFront 3.0
      1. Edit the web.config file for the store website. For example, if a StoreFront store name is NoAuth, the web.config file on the StoreFront server has the path inetpub\wwwroot\Citrix\NoAuth.
      2. Locate the following line in the web.config file and change the value from True to False.
         Before: <resourcesGateways requireTokenConsistency="true">
         After: <resourcesGateways requireTokenConsistency="false">

      Note:

      On StoreFront 3.x, Require Token Consistency is a checkbox in the GUI. For more information, see Advanced store settings.

      3. Save the web.config file and then restart the IIS service.

  2. Open the Citrix StoreFront Management console.

  3. Click Manage Receiver for Web Sites.

  4. Select the corresponding Citrix Receiver for Web site, click Configure and then select Authentication Methods.

  5. Ensure that the Pass-through from Citrix Gateway option is cleared.

Note:

Citrix Gateway and Enable Remote Access are assumed to be set up on the StoreFront server.
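As an added example (not part of the Citrix documentation), a small Python audit that reads a store's web.config and reports whether requireTokenConsistency has been set to false, so administrators can see which stores are running with token consistency disabled after this procedure. The XML fragments are constructed and simplified; the only assumption about a real StoreFront web.config is that a <resourcesGateways> element appears somewhere under the root.

```python
import os
import xml.etree.ElementTree as ET

# Constructed, simplified web.config fragments for illustration; a real
# StoreFront web.config has many more sections around <resourcesGateways>.
SAMPLE_HARDENED = """<configuration>
  <resourcesGateways requireTokenConsistency="true">
  </resourcesGateways>
</configuration>"""

SAMPLE_WEAKENED = SAMPLE_HARDENED.replace('"true"', '"false"')


def _local_name(tag):
    """Strip any XML namespace so the tag matches regardless of prefix."""
    return tag.rsplit('}', 1)[-1]


def audit_token_consistency(xml_text):
    """Return the requireTokenConsistency state found in one web.config:
    True (enforced), False (disabled) or None (element or attribute absent)."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local_name(elem.tag) == 'resourcesGateways':
            value = elem.get('requireTokenConsistency')
            if value is None:
                return None
            return value.strip().lower() == 'true'
    return None


def audit_store_directory(root_dir):
    """Walk a StoreFront web root (for example inetpub\\wwwroot\\Citrix) and map
    each web.config path to its token-consistency state; unreadable or
    unparsable files are recorded as None so they are not silently skipped."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        if 'web.config' in files:
            path = os.path.join(dirpath, 'web.config')
            try:
                with open(path, encoding='utf-8-sig') as fh:
                    findings[path] = audit_token_consistency(fh.read())
            except (OSError, ET.ParseError):
                findings[path] = None
    return findings


def weakened_stores(findings):
    """Paths of stores where token consistency is explicitly disabled."""
    return sorted(p for p, state in findings.items() if state is False)
```

Run audit_store_directory against the StoreFront web root on each server and review the list returned by weakened_stores against the stores where this procedure was intentionally applied.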

Changes on the Citrix Gateway

  1. Open the Citrix Gateway virtual server.

  2. Click the Authentication tab and ensure that the Enable Authentication check box is cleared.

  3. Bind the corresponding session policy to the Citrix Gateway virtual server.

  4. Test the connection.