WebFront on NetScaler is a new feature that provides the following functionalities:
• Receiver for Web Proxy
• Transparent SSO
• DS – PNA protocol conversion
Receiver for Web Proxy (RfWeb) provides a way for web browsers to communicate with a store in StoreFront. Functionally, it is the same as RfWeb in StoreFront with a few optimizations like caching and packet flow optimization.
Transparent Single Sign On (SSO)
Native Citrix Receivers currently require a minimum of 12 HTTP transactions with StoreFront to perform resource enumeration. In addition, an authentication token of 4K is carried with each HTTP request. WebFront optimizes this by reducing the number of transactions from 12 to 2 and, by proxying the requests, prevents the token from being sent.
DS – PNA protocol conversion
The DS – PNA protocol conversion enables the newer Citrix Receiver/browser RfWeb UI [communicating in the DS (Discovery Services) protocol] to access resources from an old Web Interface back end [communicating in the NFuse/PNA (Program Neighborhood Agent) protocol].
The RfWeb Proxy used with the Tomcat Web Server performs the following things:
1. Serves static content (HTML, CSS, JS, static icons, etc.) to web browsers.
2. Provides the following services:
• Lists all applications in the store. The information returned is in JSON format.
• Gets information for an application specified by the application ID. The information returned is in JSON format.
• Gets an application icon specified by the icon ID. Icons are returned in PNG format.
• Gets the launch information for a given HDX application specified by the application ID. The response is in the form of an ICA file.
• Supports launching web/SaaS apps.
• Powers off desktops.
• Assigns desktops.
• Subscribes to a given application specified by the application ID and the position in the subscribed application list.
• Unsubscribes a given application specified by the application ID.
• Updates subscription position for a given application specified by the application ID.
• Workspace Control actions:
o Listing available sessions (includes active sessions)
o Launching sessions
o Disconnecting user sessions
o Logging off user sessions
3. Performs Single Sign On (SSO) with StoreFront using credentials from Gateway, and stores the token in the Tomcat session cache to reuse for subsequent requests.
4. Supports the launch of ICA apps through the HTML5 Receiver client.
Icon and Static content caching
This is done using the Integrated Caching feature of NetScaler. It does not require an IC license; a VPN license is sufficient. It is implemented along the same lines as the cache policies for VPN login pages. Caching is achieved through the following cache content group and cache policy:
add cache contentGroup WFstaticobjects -relExpiry 3600 -maxResSize 16000 -memLimit 128
add cache policy _cacheWFStaticObjects -rule 'HTTP.RES.HEADER("X-Via-WebFront").EQ("true") && CLIENT.TCP.DSTPORT.EQ(8080) && HTTP.RES.CACHE_CONTROL.IS_PUBLIC' -action CACHE -storeInGroup WFstaticobjects
The cache policy _cacheWFStaticObjects is bound to a VPN virtual server automatically when an add vpn virtual server command is executed.
Direct StoreFront scenario
Transparent SSO (single sign on) is applicable only for native Citrix Receivers. WebFront proxies the received request to StoreFront, and inserts the appropriate service token if present. If the response is 200, we send the response back to the client. If the response is a 401, we perform SSO using the DS authentication flow. After authentication, we store the primary and secondary auth tokens in the session cache to reuse for subsequent requests. The Citrix Receiver does not authenticate for StoreFront separately. We avoid using the two 4k tokens (primary & secondary).
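The proxy decision described above, modeled as an added example (not WebFront's own code). StoreFront is replaced by a constructed stub, and the class names, session IDs and token values are assumptions made for illustration.

```python
import secrets


class StubStoreFront:
    """Constructed stand-in for StoreFront: answers 401 unless valid tokens are presented."""

    def __init__(self):
        self.valid = set()   # token pairs this stub currently accepts
        self.requests = 0    # number of proxied requests seen

    def authenticate(self, gateway_credentials):
        # Stands in for the DS authentication flow; returns (primary, secondary).
        tokens = (secrets.token_hex(16), secrets.token_hex(16))
        self.valid.add(tokens)
        return tokens

    def handle(self, path, tokens=None):
        # Which token rides on which request is not modeled here.
        self.requests += 1
        if tokens in self.valid:
            return 200, f"resources for {path}"
        return 401, "authentication required"


class TransparentSsoProxy:
    """Model of the flow: forward, and on 401 do SSO, cache the tokens, replay."""

    def __init__(self, storefront):
        self.storefront = storefront
        self.session_cache = {}  # Gateway session id -> (primary, secondary)

    def proxy(self, session_id, gateway_credentials, path):
        tokens = self.session_cache.get(session_id)
        status, body = self.storefront.handle(path, tokens)
        if status == 401:
            # No token yet, or the cached one was rejected: authenticate with
            # the Gateway credentials, cache per session, replay the request.
            tokens = self.storefront.authenticate(gateway_credentials)
            self.session_cache[session_id] = tokens
            status, body = self.storefront.handle(path, tokens)
        # Only status and body return to the Receiver; the tokens stay in the cache.
        return status, body
```

Because the cache is keyed by Gateway session, a second session triggers its own SSO rather than reusing another user's tokens, and a rejected cached token falls back to the same 401 branch.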
StoreFront Authentication Flow (Pass-through from UG)
Example packet sequence via WebFront
WebFront is designed as a Java web app that runs on Tomcat v6, hosted on NetScaler. WebFront is developed using Spring MVC v3.1.2. WebFront is designed to work via Gateway with SSO on ONLY.
WebFront has the following components:
- Browser Controller: Handles all requests from browsers.
- Native Controller: Handles all requests from Native Citrix Receivers.
- Receiver for Web – The service does SSO, forms DS requests to StoreFront, stores tokens, performs XML to JSON conversion, etc. for the browser case.
- TransparentSSO – The service does SSO, forwards client requests to StoreFront, stores Tokens, etc. for Citrix Receiver.
- DS – PNA convertor – The service does SSO, converts DS to PNA protocol and sends request to Web Interface, etc.
- DS AuthManager: Performs the authentication and SSO with StoreFront, fetches the primary and secondary tokens, and stores them in the session cache.
- DS protocol Request/Response Handler: This forms the DS request, and parses the DS response.
- HTTP/HTTPS Client that connects to the StoreFront/Web Interface.
High Availability behavior
High availability behavior is supported.
Currently cluster behavior is not supported.
1. Go to System>WebFront. Select Install WebFront from the Getting Started heading.
2. Get the JRE TAR files for installation. Select the Download JRE link at the bottom of the page for the JRE TAR file.
4. Select WebFront on NetScaler Gateway 11.0 Download button.
5. Read the Download Agreement and check the box stating your compliance. Then, click the Accept button.
6. See the WebFront TAR file in the left-hand corner.
7. From the WebFront Browse button, select Local. Then, select the WebFront TAR file. From the JRE Browse button, select Local. Then, select the JRE TAR file. Click Install.
The following screen confirms that the installation was completed successfully.
1. Go to System>WebFront. Select WebFront Wizard from the Getting Started heading.
2. The following screen appears. The fields with asterisks are mandatory.
Enter the mandatory information and click Continue.
3. Complete all mandatory fields. Verify and click Continue.
4. Verify data and click Done.
NetScaler Gateway Virtual Server
This section describes the options to select a NetScaler Gateway Virtual Server.
1. Select a virtual server that is already configured for your device. See Select a Configured Virtual Server for more information.
2. Configure a new virtual server. See Configure a Virtual Server for more information.
Select a Configured Virtual Server
1. Select a configured virtual server from the pull-down menu.
Configure a Virtual Server
1. Specify the NetScaler Gateway IP Address.
2. Specify the port.
3. Assign the virtual server a name.
4. Check this box to enable NetScaler Gateway to redirect HTTP connections to an HTTPS secure connection.
5. Click the Continue button.
By selecting the Browse button, you can select a certificate from the appliance or from your local directory.
1. From the appliance, select a certificate from the list and click Open.
1. Go to System>WebFront. Select Uninstall WebFront from the Getting Started heading.
1. Go to System>WebFront. Select WebFront Sites from the Configuration Summary.
2. WebFront Sites allows the following site operations:
• Add – For detailed information see Add WebFront Sites.
• Edit – For detailed information see Edit WebFront Sites.
• Delete – For detailed information see Delete WebFront Sites.
1. Click the Add button to insert a new site.
1. The following screen appears. The mandatory fields are indicated by an asterisk.
3. Create the VPN Session Action. The mandatory fields are indicated by an asterisk. Add a name for the action, and verify the information. Click Continue.
4. Shown is a summary of the complete configuration. Verify and click Done.
1. Select a WebFront site, and then click the Edit button to revise the configuration.
3. Revise the configuration. Click Continue.
4. The following screen appears. An asterisk indicates the mandatory fields. Click Continue.
5. Shown is a summary of the complete configuration. Verify and click Done.
1. Select the site you want to delete. Click the Delete button to remove the site.