Using WebFront to Integrate with StoreFront

Jul 28, 2015

Overview

WebFront on NetScaler is a new feature that provides the following functionalities:
• Receiver for Web Proxy
• Transparent SSO
• DS – PNA protocol conversion
 

Receiver for Web Proxy

Receiver for Web Proxy (RfWeb) provides a way for web browsers to communicate with a store in StoreFront. Functionally, it is the same as RfWeb in StoreFront with a few optimizations like caching and packet flow optimization.

Transparent Single Sign On (SSO)

Native Citrix Receivers currently require a minimum of 12 HTTP transactions with StoreFront to perform resource enumeration. In addition, an authentication token of 4K is carried with each HTTP request. WebFront optimizes this by reducing the number of transactions from 12 to 2 and, by acting as a proxy, avoids sending the token with each request.

DS – PNA protocol conversion

The DS – PNA protocol conversion enables a newer Citrix Receiver or browser RfWeb UI (communicating in the DS (Discovery Services) protocol) to access resources from an old Web Interface backend (communicating in the NFuse/PNA (Program Neighborhood Agent) protocol).

Functionality

Receiver for Web Proxy

The RfWeb Proxy, used with the Tomcat Web Server, does the following:
1. Serves static content (HTML, CSS, JS, static icons, etc.) to web browsers.
2. Provides the following services:
• Lists all applications in the store. The information returned is in JSON format.
• Gets information for an application specified by the application ID. The information returned is in JSON format.
• Gets an application icon specified by the icon ID. Icons are returned in PNG format.
• Gets the launch information for a given HDX application specified by the application ID. The response is in the form of an ICA file.
• Supports launching web/SaaS apps.
• Powers off desktops.
• Assigns desktops.
• Subscribes to a given application specified by the application ID and the position in the subscribed application list.
• Unsubscribes a given application specified by the application ID.
• Updates subscription position for a given application specified by the application ID.
• Workspace Control actions:
o Listing available sessions (includes active sessions)
o Launching sessions
o Disconnecting user sessions
o Logging off user sessions
3. Performs Single Sign On (SSO) with StoreFront using credentials from Gateway, and stores the token in the Tomcat Session cache to reuse for subsequent requests.
4. Supports launch of ICA apps through the HTML5 Receiver client.

Icon and Static content caching

Icons and static content are cached using the Integrated Caching feature of NetScaler. This does not require an IC license; a VPN license is sufficient. It is implemented along the same lines as the cache policies for VPN login pages. Caching is achieved through the following cache content group and cache policy:
add cache contentGroup WFstaticobjects -relExpiry 3600 -maxResSize 16000 -memLimit 128
add cache policy _cacheWFStaticObjects -rule 'HTTP.RES.HEADER("X-Via-WebFront").EQ("true") && CLIENT.TCP.DSTPORT.EQ(8080) && HTTP.RES.CACHE_CONTROL.IS_PUBLIC' -action CACHE -storeInGroup WFstaticobjects
The cache policy _cacheWFStaticObjects is bound to a VPN virtual server automatically when an add vpn virtual server command is executed.

Packet flow optimization

[Figure: Direct StoreFront scenario]

[Figure: Via WebFront scenario]

Transparent SSO

Transparent SSO (single sign on) is applicable only for native Citrix Receivers. WebFront proxies the received request to StoreFront, and inserts the appropriate service token if present. If the response is 200, we send the response back to the client. If the response is a 401, we perform SSO using the DS authentication flow. After authentication, we store the primary and secondary auth tokens in the session cache to reuse for subsequent requests. The Citrix Receiver does not authenticate for StoreFront separately. We avoid using the two 4k tokens (primary & secondary).
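The proxy decision logic described above, as an added example (a simplified model, not Citrix code and not part of the original page). The class names, the header name and the stand-in StoreFront are hypothetical, the DS authentication flow is collapsed into a single call, and the choice of which token accompanies a request is an assumption of the model.

```python
# Added illustration: simplified model of the transparent SSO proxy flow.
# Every name is hypothetical; the page does not give header names or APIs.
TOKEN_HEADER = "X-Example-Service-Token"  # placeholder header name


class FakeStoreFront:
    """Constructed stand-in for StoreFront: 401 unless a known token is sent."""

    def __init__(self):
        self.transactions = 0  # upstream requests seen, to show the savings
        self.issued = set()

    def authenticate(self, gateway_credentials):
        # Stands in for the whole DS authentication flow (one call here).
        self.transactions += 1
        n = len(self.issued)
        primary, secondary = f"primary-{n}", f"secondary-{n}"
        self.issued.add(secondary)
        return primary, secondary

    def handle(self, path, headers):
        self.transactions += 1
        if headers.get(TOKEN_HEADER) in self.issued:
            return 200, f"resources for {path}"
        return 401, "authentication required"


class TransparentSsoProxy:
    def __init__(self, storefront):
        self.storefront = storefront
        self.session_cache = {}  # gateway session id -> (primary, secondary)

    def forward(self, session_id, gateway_credentials, path, client_headers):
        # Assumption: a token header arriving from the client is never trusted;
        # tokens are taken only from this session's cache entry.
        headers = {k: v for k, v in client_headers.items()
                   if k.lower() != TOKEN_HEADER.lower()}
        tokens = self.session_cache.get(session_id)
        if tokens:
            headers[TOKEN_HEADER] = tokens[1]  # insert service token if present
        status, body = self.storefront.handle(path, headers)
        if status == 401:
            # No token or rejected token: SSO with Gateway credentials,
            # cache both tokens for the session, then retry once.
            tokens = self.storefront.authenticate(gateway_credentials)
            self.session_cache[session_id] = tokens
            headers[TOKEN_HEADER] = tokens[1]
            status, body = self.storefront.handle(path, headers)
        return status, body  # the tokens themselves never go back to the client
```

Because the cache is keyed by the Gateway session, a token cached for one session is never attached to another session's requests in this model.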

[Figure: StoreFront Authentication Flow (Pass-through from UG)]

[Figure: Example packet sequence via WebFront]

Design

WebFront is designed as a Java web application that runs on Tomcat v6, hosted on NetScaler. WebFront is developed using Spring MVC v3.1.2. WebFront is designed to work via Gateway with SSO on ONLY.

Components

WebFront has the components described in this section.

Controller Dispatchers

  • Browser Controller: Handles all requests from browsers.
  • Native Controller: Handles all requests from Native Citrix Receivers.

Service Layer

  • Receiver for Web – The service performs SSO, forms DS requests to StoreFront, stores tokens, converts XML to JSON, etc. for the browser case.
  • TransparentSSO – The service performs SSO, forwards client requests to StoreFront, stores tokens, etc. for Citrix Receiver.
  • DS – PNA converter – The service performs SSO, converts the DS protocol to the PNA protocol, sends requests to Web Interface, etc.

Building Blocks

  • XML to JSON converter: Used by RfWeb to convert XML received from StoreFront to JSON, which is understood by the JavaScript in the browser.
  • DS AuthManager: Performs the authentication and SSO with StoreFront, fetches the primary and secondary tokens, and stores them in the Session Cache.
  • DS protocol Request/Response Handler: This forms the DS request, and parses the DS response.

HTTP/HTTPS Connector

  • HTTP/HTTPS Client that connects to the StoreFront/Web Interface.

High Availability behavior

High availability behavior is supported.

Cluster behavior

Currently cluster behavior is not supported.

Configuration

Install WebFront

1. Go to System>WebFront. Select Install WebFront from the Getting Started heading.

2. Get the JRE TAR files for installation. Select the Download JRE link at the bottom of the page for the JRE TAR file.

4. Select the WebFront on NetScaler Gateway 11.0 Download button.

5. Read the Download Agreement and check the box stating your compliance. Then, click the Accept button.

6. See the WebFront TAR file in the left-hand corner.

7. From the WebFront Browse button, select Local. Then, select the WebFront TAR file. From the JRE Browse button, select Local. Then, select the JRE TAR file. Click Install.

The following screen confirms that the installation was completed successfully.

WebFront Wizard

1. Go to System>WebFront. Select WebFront Wizard from the Getting Started heading.

2. The following screen appears. The fields with asterisks are mandatory. Enter the mandatory information and click Continue.

3. Complete all mandatory fields. Verify and click Continue.

4. Verify the data and click Done.

NetScaler Gateway Virtual Server

This section describes the options to select a NetScaler Gateway Virtual Server.

1. Select a virtual server that is already configured for your device. See Select a Configured Virtual Server for more information.

2. Configure a new virtual server. See Configure a Virtual Server for more information.

Select a Configured Virtual Server

1. Select a configured virtual server from the pull-down menu.

Configure a Virtual Server

1. Specify the NetScaler Gateway IP Address.

2. Specify the port.

3. Assign the virtual server a name.

4. Check this box to enable NetScaler Gateway to redirect HTTP connections to a secure HTTPS connection.

5. Click the Continue button.

Trust SSL Certificate

By selecting the Browse button, you can select a certificate from the appliance or from your local directory.

1. From the appliance, select a certificate from the list and click Open.

Uninstall WebFront

1. Go to System>WebFront. Select Uninstall WebFront from the Getting Started heading.

2. Click Yes.

WebFront Sites

1. Go to System>WebFront. Select WebFront Sites from the Configuration Summary.

2. WebFront Sites allows the following site operations:
• Add – For detailed information see Add WebFront Sites.
• Edit – For detailed information see Edit WebFront Sites.
• Delete – For detailed information see Delete WebFront Sites.

Add WebFront Sites

1. Click the Add button to insert a new site.

2. The following screen appears. The mandatory fields are indicated by an asterisk. Click Continue.

3. Create the VPN Session Action. The mandatory fields are indicated by an asterisk. Add a name for the action, and verify the information. Click Continue.

4. A summary of the complete configuration is shown. Verify and click Done.

Edit WebFront Sites

1. Select a WebFront site, and then click the Edit button to revise the configuration.

2. Click on the pencil.

3. Revise the configuration. Click Continue.

4. The following screen appears. An asterisk indicates the mandatory fields. Click Continue.

5. A summary of the complete configuration is shown. Verify and click Done.

Delete WebFront Sites

1. Select the site you want to delete. Click the Delete button to remove the site.

2. Click Yes.