Product documentation
StoreFront
2503.1-Current Release 2402 LTSR 2203 LTSR
View PDF

Securing StoreFront with HTTPS

April 16, 2025
Contributed by: 
C

Citrix strongly recommends securing communications between StoreFront and users’ devices using HTTPS. This ensures that passwords and other data sent between the client and StoreFront are encrypted. Furthermore, plain HTTP connections can be compromised by various attacks, such as man-in-the-middle attacks, particularly when connections are made from insecure locations such as public Wi-Fi hotspots. In the absence of the appropriate IIS configuration, StoreFront uses HTTP for communications.

Depending on your configuration, users may access StoreFront via a gateway or load balancer. You can terminate the HTTPS connection at the gateway or load balancer. However in this case Citrix still recommends that you secure connections between the gateway, load balancer and StoreFront using HTTPS.

If StoreFront is not configured for HTTPS it displays the following warning:

Status warning "Service using HTTP not HTTPS"

Create or import certificate

  • Ensure that the StoreFront base URL is included in the DNS field as Common Name or Subject Alternative Name (SANs). When using a load balancer in front of your StoreFront servers, it is recommended that you include both the server FQDN and the load balancer FQDN as SANs. This allows you to connect directly to a specific StoreFront server for troubleshooting.

  • Sign the certificate using an enterprise root CA for your organization or a public CA.

  • If users access StoreFront via a load balancer or gateway, then the certificate only needs to be trusted by the load balancer or gateway. If users connect directly to the StoreFront server then the clients must trust the certificate.

You must create or import a certificate into the Personal certificate store within Windows. To view installed certificate:

  1. Open IIS Information Services (IIS) Manager.
  2. In the Connections pane, select the server.
  3. Open Server Certificates.

For more information on managing certificates, see Manage certificates.

Configure IIS for HTTPS

To configure Microsoft Internet Information Services (IIS) for HTTPS on the StoreFront server:

  1. In the tree view on the left select Default Web Site (or the appropriate website)

  2. In the Actions pane click Bindings…

    Screenshot of IIS management server Default Web Site Home screen highlighting bindings link

  3. In the bindings window click Add…

  4. In the Type drop down select https

  5. On Windows Server 2022 or above, click Disable Legacy TLS to disable TLS older than 1.2.

    On older Windows Server versions, you can disable legacy TLS versions using Windows registry settings, see Windows Server Documentation.

  6. Select the certificate previously imported. Press OK

    Screenshot of Add Site Binding window

  7. To remove HTTP access, select HTTP and click Remove.

    Screenshot of Site Bindings window

  8. Update the base url to use the https protocol.

HSTS

The user’s client device is vulnerable even after you enable HTTPS on the server side. For example, a man-in-the-middle attacker could spoof the StoreFront server and trick the user into connecting to the spoof server over plain HTTP. They could then get access to sensitive information such as the user’s credentials. The solution is to ensure that the user’s browser doesn’t attempt to access the server over HTTP. You can achieve this with the HTTP Strict Transport Security (HSTS).

When HSTS is enabled, the server indicates to web browsers that requests to the web site should only ever be made over HTTPS. If a user attempts to access the URL using HTTP, the browser will automatically switch to using HTTPS instead. This ensures client-side validation of a secure connection as well as the server-side validation in IIS. The web browser maintains this validation for a configured period.

Note:

Enabling HSTS affects all web sites on the same domain. For example, if the website is accessible at https://www.company.com/Citrix/StoreWeb, then the HSTS policy will apply to all web sites under https://www.company.com, which might not be desired.

There are a number of options for enabling HSTS.

Option 1 - IIS

On Windows Server 2019 and above you can configure HSTS in IIS.

  1. Open Internet Information Services (IIS) Manager.
  2. Select Default Web Site (or the appropriate website).
  3. In the Actions pane on the right hand side, click HSTS….
  4. Select Enable.
  5. Enter a max age, e.g. 31536000 for one year.
  6. Optionally select Redirect HTTP to HTTPS.
  7. Press OK

Screenshot of HSTS setting

Option 2 - StoreFront management console

For each store website:

  1. Select the store and click Manage websites.
  2. Select the website and click Configure…
  3. Go to the Advanced Settings tab
  4. Select Enable strict transport security.
  5. Update Strict transport security policy duration to the required value.
  6. Click OK.

Option 3 - NetScaler load balancer

If you are using a NetScaler load balancer in front of your StoreFront servers then you can configure HSTS on the virtual server. For more information, see NetScaler documentation.

Securing StoreFront with HTTPS
April 16, 2025
Contributed by: 
C
April 16, 2025
Contributed by: 
C

In this article

Site feedback | Your privacy choices footer linkYour Privacy Choices | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999- Cloud Software Group, Inc. All rights reserved.