Product Documentation

Extending the Life of Your Legacy Web Applications by Using Citrix Secure Browser

Jan 13, 2017

In the world of web applications and frameworks, diversity must be embraced. Different types of users, groups and companies need access to the right tools, applications, and permissions to connect to web-enabled business applications. In most cases, there are compliance factors that dictate how to access these applications. Businesses that need to support older subsystems, with older browser frameworks, face a difficult task to provide adequate access and meet compliance requirements for business critical apps. The following document describes how to utilize Citrix Secure Browser to extend access and the life of your legacy web applications and browsers while you create an update and migration strategy.

The solution requires the publishing of a compliant browser that allows access for external or internal users regardless of how the user connects or the browser they use to connect to the internal site. This solution utilizes XenDesktop Server OS VDA, StoreFront, NetScaler Gateway and XenApp Secure Browser. Users redirect compliant browsers or end-points to use a native browser when it meets all requirements set by the IT administrator; and if the policy detects a non-compliant browser or end-point, redirects the user to a remote containerized published browser session. Users only need to know one URL per resource (which reduces training and support costs) regardless of how they are connecting to the environment.


The following section explains how users access the internal site regardless of whether the user is connecting from an internal or external network. In the scenario, one browser type (Internet Explorer) is the compliant browser and another (Google Chrome) as the non-compliant. It is up to each company to determine how and which browsers map to the compliance policy.

For this solution we assume that NetScaler Gateway is configured for external access to published applications, this is represented in Figure 1 as Gateway vServer 1. The second virtual server (Gateway vServer 2) redirects users to launch the HTML5 Receiver session for Secure Browser.

Use Case

There is a need to maintain legacy web applications that are no longer supported by current browsers. In this case, IT still has to maintain a website designed for Internet Explorer 8 and the vendor no longer release enhancements to support new or other browsers. To solve this problem, the IT administrator publishes a Secure Browser to allow users that meet the browser requirements to access the site. The diagram below explains each connection in the workflow for internal and external users.

localized image

Connectivity Workflow

  1. Every user enters the site URL that resolves from an external DNS server, in our example,
  2. The browser connects to the NetScaler Gateway load balancer and determines compliance requirements.
  3. When the browser is non-compliant, both internal and external users redirect to the NetScaler Gateway virtual server. When the browser is compliant, NetScaler Gateway proxies the connection to the internal site through the load balancer for external users and redirects the local browser to the site for internal users.
  4. The virtual server auto-starts a session enumerated by StoreFront.
  5. StoreFront contacts the XenDesktop Controller for session information and routing.
  6. The session initiates through the Secure Browser desktop group; in this case, it is a Server OS VDA with a published compliant browser.
  7.  The session connects through the ICA Proxy on the NetScaler Gateway appliance.
  8. Citrix Receiver for HTML5 establishes the user's session within the native browser.
  9. The internal site appears through the Secure Browser session with Citrix Receiver for HTML5.

Setup and Configuration

This section shows how to implement the solution for current XenDesktop environments with NetScaler Gateway remote connectivity.

Solution Requirements

The setup requires the installation and configuration of the following components:

  • XenDesktop Desktop Controller server
  • Citrix StoreFront server with a Store configured for external access
  • NetScaler Gateway with a XenDesktop Virtual Server
  • Server OS VDA with using the installed browser as the Secure Browser
  • External DNS address that points to a new NetScaler load balancer
  • External DNS address that points to a new NetScaler Gateway virtual server


XenDesktop Desktop Controller

localized image
localized image
localized image
localized image

Add the Server OS VDA to a new machine catalog named Secure Browser Catalog.




Create a delivery group for Secure Browser Catalog and publish Internet Explorer. In the command line parameters, type -k <URL of Internal Site>. The -k parameter is to open Internet Explorer in Kiosk Mode. In this example, we are publishing Internet Explorer 8 and using an internal site for the URL.

You can assign the delivery group to specific users and groups. You do not need to add desktop access if it is not needed for the use case.


On the Server OS VDA, install a server or client authentication certificate, which enables SSL on the Controller and VDA communication.

Mount XenDesktop 7.6 or later install media. Open a PowerShell command window, then run %MediaDrive%:\Support\Tools\SslSupport\Enable-VdaSSL.ps1 –Enable

Restart the Server OS VDA instance.


On XenDesktop Controller, open a PowerShell command window and run the command ASNP Citrix*.

Run the following three commands to enable the broker to VDA secure communication:

Get-BrokerAccessPolicyRule –DesktopGroupName ‘Secure Browser Desktop Group’ | Set-BrokerAccessPolicyRule –HdxSslEnabled $true

Set-BrokerSite –DnsResolutionEnabled $true

Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true


localized image
localized image
localized image
localized image
localized image
localized image
localized image
localized image
localized image
localized image

Create a new Store called SecureBrowser and select Allow only unauthenticated users to access this store. Traffic is authenticated since all users are passing a token from NetScaler Gateway to the controller.



Add the XenDesktop Controller.







Enable Remote Access and add a second NetScaler Gateway that you will configure in the following steps. For this configuration, you do not need to use the Callback or VIP address in the StoreFront / NetScaler Gateway configuration.

Finish creating the store by using the wizard defaults.


After creating the store, click Manage Receiver for Web Sites.








On the Manage Receiver for Web Sites page, click Configure, go to Website Shortcuts, add the internal web site URL and click on Get Shortcuts link.






Log on as a regular user with access to the published Secure Browser application.

Copy the URL for the Secure Browser app, and save it in a text file to use later in the NetScaler Gateway configuration.







Return to Edit Receiver for Web site properties, click Deploy Citrix Receiver and select Always use Receiver for HTML5. Select the option Launch applications in the same tab as Receiver for Web.






Click Workspace Control, in Logoff action, select Terminate. Clear the option Enable workspace control.






Click Client Interface Settings, clear the option Auto launch desktop and click OK to save the settings.







In a text editor, open the file C:\inetpub\wwwroot\Citrix\SecureBrowserWeb\web.config.

Find the setting <appShortcuts promptForUntrustedShortcuts="true">, set it to false and save the changes. Disabling this setting prevents StoreFront from asking users if they would like to launch the application.

NetScaler Gateway

localized image
localized image
localized image
localized image
localized image
localized image







localized image





localized image
localized image
localized image
localized image

In the NetScaler Gateway GUI, in the navigation pane, click XenApp and XenDesktop and then on the Dashboard, click Create New Gateway.






In the StoreFront properties, set the Site Path to /Citrix/SecureBrowserWeb and set the Store name to SecureBrowser as the new store in StoreFront server.

Continue the wizard and save the new virtual server.






On the NetScaler Gateway node, expand Policies and go to Session.

Select the Actions tab, edit the newly created action for the second virtual server, and then edit the AC_WB_ policy action.

On the Published Applications tab, paste the App Shortcuts URL that you saved previously in the Web Interface Address field and then click OK.


In the navigation pane, click the AppExpert node, expand the Responder section and then click Actions.

Add a new Action, name it Internal Connections, and set the type to Redirect.

In the Expression field, add the URL of the internal site to connect in quotes, such as ""

Click Create to save the action.

Add a new action, name it External Connections, and set the type to Redirect.

In the Expression field, add the URL of the second NetScaler Gateway virtual server surrounded by quotes, such as ""

Click Create to save the action.




Go to the Responder Policies node.

Add a new policy, name it Detect Browser Compliance, in the Action drop-down, select the External Connections action that you created previously.

Set Undefined-Result Action to NOOP.

In the Expression field, add the following text:

HTTP.REQ.HEADER("User-Agent").CONTAINS("AppleWebKit") || HTTP.REQ.HEADER("User-Agent").CONTAINS("Chrome") || HTTP.REQ.HEADER("User-Agent").CONTAINS("Firefox")

The expressions above detect browsers that are non-compliant, or in this use case not Internet Explorer.

Click Create to save the changes.

Add a new policy, name it Detect Client Source, set the Action to Internal Connections action previously created.

Set Undefined-Result Action to NOOP.

In the Expression field, add the following text:


Replace or add each subnet above to match your internal network environment. The user agent, in this case, matches the configured version of Internet Explorer and that the client is connecting from the internal network.

Click Create to save the changes.

In the navigation pane, expand Traffic Management > Load Balancing, and then select Servers. Add the server used for hosting the internal site.

In the navigation pane, click Service Groups under Load Balancing, add a new service group, set the Protocol to SSL and bind the Server created in the previous step to the Service Group Members list.

Click Done.


In the navigation pane, click Virtual Servers in the Load Balancing node, click Add and name the server Intranet Site.

Set the Protocol to SSL, and type the IP address of the load balancer.

Bind the Service Group Internal Web Server created in the previous step and configure certificates for external access. Bind the internal root CA certificate to CA certificates so that the load balancer can offload SSL to the internal web server.

In the details pane, in Advanced settings, click + Policies. Click on the plus (+) sign to bind a new policy.

Select Responder for Choose Policy and click Continue. Select Detect Client Source and set the priority to 100.

Click Bind.


Click on the Responder policy section, click Add Binding, select Detect Browser Compliance and set the priority to 110. Click Bind.

Click Close and then click Done.

Save the NetScaler Gateway configuration.

Use Case Results and Expectations

This section reviews the use cases and expected results of how each user connects with the preceding configuration. In all of the following use cases, the user opens a locally installed browser and types the external URL of the training site.

localized image
localized image
localized image
localized image

External User with non-compliant browser

Expected Result: User launches Citrix Receiver session in a browser tab that renders the site with the published Secure Browser.






External User with compliant browser

Expected Result: NetScaler Gateway proxies the traffic between the local browser and the internal web site.





Internal User with non-compliant browser

Expected Result: User launches the Citrix Receiver session in a browser tab rendering the site with the published Secure Browser.






Internal User with compliant browser

Expected Result: The user session redirects to the internal site; NetScaler Gateway does not proxy the connection since the client is connecting from the internal network.

Known Limitations

  • Dynamic URL passing to the NetScaler Gateway virtual server does not support using Citrix Receiver for HTML5 for Secure Browser.
    • To pass a launch URL to the virtual server, disable ICA Proxy in the session profile. ICA Proxy is a requirement for Citrix Receiver for HTML5.
  • Citrix Receiver for HTML5 does not support content redirection.
    • Administrators can configure Citrix Receiver in StoreFront for websites.
  • Environments that have multiple separate sites, create different NetScaler Gateway session policies for each site and bind them to the virtual server or create an internal launch portal that can host URLs for the internal sites.