White Paper | Citrix StoreFront 2.0
www.citrix.com
Citrix StoreFront 2.0
Proof of Concept Implementation Guide

Contents
Introduction
Architecture
Installation and Configuration
Section 1: StoreFront Initial Deployment
  Initial Server Configuration
  Create New StoreFront Deployment
  Enable the Pass-Through Authentication Service
Section 2: Configure Second Receiver StoreFront Server
Section 3: Accessing Applications through Receiver
  Receiver for Web
Section 4: NetScaler Load Balancing Configuration
Section 5: NetScaler Gateway for Remote Access
Conclusion
Acknowledgments
References
Revision History

Introduction
Citrix StoreFront provides users an enterprise app store that aggregates resources from
XenDesktop, XenApp, XenMobile App Controller, and VDI-in-a-Box in one place. Each
StoreFront user is able to subscribe to their favorite application and desktop resources; these
favorite resources then automatically follow the user between devices. With Citrix Web
Interface reaching end-of-life in 2015, it is important that administrators become familiar with
StoreFront to facilitate a successful transition between products.

StoreFront’s new modular architecture improves upon the existing design of Web Interface. It
includes a new user authentication method that queries Active Directory directly, replacing
the existing double-hop Web Interface process in which user credentials are sent from the
Web Interface server to the XML broker, which then negotiates authentication with the
Domain Controller. StoreFront also makes the process of deploying multiple servers easier
through its configuration synchronization feature.

Customers that require a single point of access and self-service for Windows, Web, and SaaS
applications should consider integrating StoreFront with XenMobile AppController.
AppController, which is part of XenMobile App Edition, is an additional product that must be
purchased. StoreFront is a no-cost product that is freely available for download for Citrix
XenDesktop and XenApp customers. For a complete list of XenMobile AppController
features, visit the product page.

The goal of this document is to guide the reader through the steps required to create a
successful StoreFront proof of concept environment. Citrix Consulting recommends
implementing StoreFront in a phased approach beginning with mobile users. This user group
will receive the greatest benefit since they access resources from multiple devices both inside
and outside the corporate network. Selecting the correct user group will ensure that the full
breadth of StoreFront’s features and self-service capabilities are showcased within this proof of
concept.

Architecture
Citrix StoreFront employs a modular architecture, as shown in the following diagram:
Figure 1: Citrix Storefront Receiver Architecture
• Authentication Service. Authenticates users to XenDesktop sites, XenApp farms, and
  AppController, handling all interactions to ensure that users only need to log on once.
• Store Services. Retrieves user credentials from the authentication service to
  authenticate users to the XenApp and XenDesktop servers providing the application
  and desktop resources. Enumerates the resources currently available from the servers
  and sends the details to Citrix Receiver.
• Receiver for Web. Enables users to access applications and desktop resources through
  a web page providing the same user experience as accessing those resources through
  Citrix Receiver.
• Resource Subscription Database. Stores details of individualized user subscriptions
  plus associated shortcut names and locations.
• Beacon. Citrix Receiver uses beacon points to determine whether users are connected
  to internal or public networks and then selects the appropriate access method.

Hardware and Software Requirements
In preparation for executing all the steps outlined in this Proof of Concept (PoC)
Implementation Guide, the following components will be required:
• Windows Server 2008 R2 SP1 / Windows Server 2012: Receiver Storefront is only
  available for installation on these versions of Windows Server.
• Citrix Receiver 3.3+ (Standard) Windows / 11.6+ Mac: The Citrix Receiver versions
  that support direct connections to StoreFront and take advantage of automatic
  account provisioning. Receiver 3.1+ for Windows and 11.5 for Mac support direct
  connections to StoreFront but do not support automatic account provisioning.
  Previous versions of Citrix Receiver, Citrix Online Plugin, and Receiver Enterprise
  can be used, but applications and desktops will only be available from the Receiver for
  Web site or by a legacy site.
• NetScaler Access Gateway 10.0.69.4nc+: While not required for internal access to
  resources, Access Gateway is a key feature to enable secure remote access and allow the
  HTML5 client and Account Services features to function.
Installation and Configuration
The purpose of this document is to provide step-by-step instructions for the implementation
of each component within the Proof of Concept environment. Each step is broken down
into the following individual sections:
• Section 1: StoreFront Initial Deployment
• Section 2: Configure Second StoreFront Server
• Section 3: Accessing Applications through Receiver
• Section 4: Configure NetScaler Gateway Authentication
• Section 5: NetScaler Load Balancing Configuration

Section 1: StoreFront Initial Deployment
Citrix StoreFront can be set up in a single or multi-server deployment. Citrix Consulting
recommends that StoreFront be deployed in a multi-server configuration to ensure high
availability. The following steps detail the installation of StoreFront.
1 Choose the StoreFront installation file
2 Click Yes to install the .NET framework
Check the accept terms of license box

7 Internet Information Server (IIS) will be deployed as part of the installation
Select Next

Select Install
Any missing prerequisites will be installed automatically by the Receiver StoreFront installer

8 The installation has now been completed
Select Finish
The StoreFront Receiver administration console will automatically appear

Initial Server Configuration
The first step in configuring Receiver StoreFront is importing and binding an SSL certificate
inside Internet Information Server (IIS). The following section walks through the steps
needed to complete these tasks.
1 Before beginning the configuration, an SSL certificate matching the hostname chosen must be
imported and bound to the default IIS Web Site
This is accomplished in IIS Manager
Select the local Server from the left menu
Select Server Certificates from the features menu
2 Select Import on the Actions menu
3 Select the certificate file to import
Select OK
4 The certificate is now imported
5 Select Default Web Site
Select Bindings
6 Select Add
7 Select https as the Type
Select the SSL Certificate from the dropdown menu
Select OK
8 The https binding is now listed
Return to the Receiver Storefront console
Create New StoreFront Deployment
This section walks through the steps to configure the first StoreFront server in a deployment.
1 When the administration console opens, two options are available. Since this is the first
server in the deployment, select Create a new deployment

2 Since an SSL certificate has already been bound, the hostname will automatically be filled
in. This is the Hostname of the load balancing vServer on the NetScaler for the
Storefront servers. If the hostname is blank, go back to the SSL certificate installation
steps
Select Next
3 Wait for the Store to be created…
4 Enter a Store Name
It is recommended to choose a name that helps users identify the apps and desktops. This
is the name that will appear inside Receiver.

5 This menu allows XenApp, XenDesktop, and Cloud Gateway Enterprise resources to
be added to the Store.
To begin adding resources, select Add
7 First, a XenApp server will be added to the Store.
Choose a Display name
Choose XenApp from the Type list

Change the Transport type and Port accordingly
Select Add
8 Enter the FQDN of the XenApp server. Select OK

9 The XenApp server is now listed. Select OK
10 To add a XenDesktop resource, the same steps are followed.

Begin by selecting Add
11 The XenDesktop type is now selected.
Once a server has been added, select OK

12 Now both XenApp and XenDesktop are listed.
Select Next

13 This step will begin the Remote Access configuration through NetScaler Gateway. There
are two options available: No VPN tunnel and Full VPN tunnel
Choose one and then select Add
14 Enter a Display Name, Gateway URL, and Callback URL

The SubNet IP address field can be left blank
Select Next
15 Select Add

16 Enter the STA URL and select OK
17 Select Create
18 Select Create

19 Wait for the Store to be created …
20 Click Finish
21 Click on Authentication
Observe that the configuration wizard enabled access through NetScaler Gateway and
explicit username/password.

Enable the Pass-Through Authentication Service
By default, during the initial configuration of StoreFront, only the Explicit and NetScaler Access
Gateway pass-through authentication methods are enabled. To allow users on the domain to
pass through their Windows credentials to Citrix Receiver, the Domain Pass-Through method
must be enabled. This pass-through option only works with the desktop Receiver, not the
Receiver for Web page. For Citrix Receiver to utilize single sign-on, it must be installed with
the following parameter: CitrixReceiver.exe /includeSSON.
1 Select Add/Remove Methods
2 Select Domain pass-through and then click OK.

3 Domain pass-through authentication has now been enabled.
Section 2: Configure Second Receiver StoreFront Server
Once the first server has been configured, a second server should be added to the multi-server
deployment.
1 On the first server deployed select Add Server from the Server Group menu.

2 This server will now show an Authorization code that must be entered on the next server joined to
the deployment.
3 On the second server select Join existing server group

4

5
6

7

Section 3: Accessing Applications through Receiver
To simplify the Receiver provisioning process, StoreFront has introduced an auto-discovery
service called Account Services. Available beginning with Receiver 3.3 Standard for Windows
(Mac 11.6, iOS 5.6, Android 3.1), this feature allows Receiver to automatically provision a
user for internal and remote access. This service eliminates the need for users to download
Provisioning files and manually import them into Receiver.
To allow users outside the corporate network to provision Receiver, NetScaler 10 build
69.4.nc and higher now includes a new entry in the session policy profile where the
StoreFront Account Services URL is specified. The following steps walk through the process
of a user provisioning their account inside Receiver through NetScaler Gateway.
1 Configure the Account Services Address on the NetScaler Gateway Session Profile

2
3
4 Click Yes

5 Click Finish
6 Receiver will now display the subscribed resources. Applications and desktops are now
ready to be launched
Click the Settings icon
7 Stores can be added and removed from this menu

Receiver for Web
In addition to accessing StoreFront Stores within Citrix Receiver Standard, users can also
access applications and desktops through a web page. The Receiver for Web site allows users
to easily connect to their resources on devices that might not have Citrix Receiver installed. It
supports launching applications with the full Receiver, Receiver Web Plug-in, or HTML5
client. This gives users the flexibility to access resources on devices on which they do not
have permission to install the full Receiver. Receiver for Web also separates applications and
desktops into tabs, with all desktops available to the user automatically appearing on the
desktop page. It also provides user-driven desktop restart functionality for XenDesktop
resources.
Figure 2: Apps View
Figure 3: Desktops View
Section 4: NetScaler Load Balancing Configuration
This section will give an overview of the steps necessary to configure a NetScaler to load
balance StoreFront. NetScaler 10.1 includes a new health monitor designed to intelligently
monitor StoreFront. This allows NetScaler to provide a high level of reliability to the
deployment.
1 From the Load Balancing menu, select Servers
Select Add

2 Choose a name and enter in the IP Address for both StoreFront servers
Select Create after each server is entered

3 Both StoreFront servers are now listed
4 From the Load Balancing menu, choose Monitors
Select Add

5 Choose a name for the Monitor and select StoreFront as the Type
Leave the Standard Parameters settings default and choose the Special Parameters tab
Enter in the Hostname used for the StoreFront group along with the Store Name
Check StoreFront Account Services
Click Create
6 Choose Service Groups from the Load Balancing menu
Creating a Service Group allows a single health monitor to be attached to both servers
Select Add

7 Enter in a Service Group Name. Choose SSL for the Protocol
Select the two StoreFront servers and enter 443 as the Port and then click Add
8 Select the Monitors tab, choose the previously created StoreFront monitor, and click
Add.
It will then appear as a configured monitor

9 Choose the Advanced tab
Click Override Global, uncheck Use Source IP
Click Client IP Header and enter in X-Forwarded-For
10 Choose the SSL Settings tab
Select the SSL certificate for the StoreFront servers and click Add
Click Create
11 Select Virtual Servers from the Load Balancing menu.
Select Add
12 Enter a Name and IP Address for the Virtual Server
Choose SSL for the Protocol

13 Choose the Service Groups tab
Choose the previously created StoreFront Service Group
14 Choose the Method and Persistence tab
Select COOKIEINSERT as the Persistence

15 Choose the SSL Settings tab
Select the SSL certificate and click Add
Click Create

Section 5: NetScaler Gateway for Remote Access
To provide remote access for users located outside the corporate network, it is recommended
that StoreFront be deployed in conjunction with NetScaler Gateway, formerly known as
Access Gateway. NetScaler Gateway acts as a reverse proxy, tunneling all Citrix HDX traffic
over SSL. Remote users have the option of accessing their resources from either the locally
installed Citrix Receiver or via the Receiver for Web site. For an optimal deployment that
allows users to easily connect from inside and outside the organization, it is recommended
that the Account Services feature be implemented. This feature will allow users to seamlessly
configure their locally installed Receiver for external access through NetScaler Gateway. This
feature essentially automates the process of downloading and importing a Provisioning file.

A Provisioning file is an XML file that includes the necessary information to allow Receiver to
decide whether it should connect directly to StoreFront or through NetScaler Gateway. This
decision is made by using the beacon addresses included in the file. If Receiver is able to
resolve the internal Beacon address, it will connect directly to StoreFront. By default, the
internal Beacon address is set to the load balancing hostname for the StoreFront servers,
although this can be changed in the Beacons menu inside StoreFront. For more information
on configuring the Receiver Provisioning file, please reference Citrix eDocs.
Session Policies
To direct remote users to the optimal location, multiple session policies should be created on
NetScaler Gateway. Using HTTP headers, the NetScaler is able to detect if the connection is
being made from a web browser or directly from inside Receiver. Below is an example of the
session policies required for Native Receiver and Receiver for Web access.

Priority: 10
Policy Name: Native Receiver
Expression: REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS
Profile: Native Receiver

Priority: 20
Policy Name: Receiver for Web
Expression: ns_true
Profile: Receiver for Web

Profile Name: Native Receiver
Settings: Clientless Access: On | ICA Proxy: Off | Account Services URL | SSO Domain

Profile Name: Receiver for Web
Settings without XenMobile AppController: Clientless Access: On | ICA Proxy: Off | WebInterface URL: StoreFront Receiver for Web page | SSO Domain
Settings with XenMobile AppController (Clientless VPN): ICA Proxy: On | WebInterface URL | SSO Domain | Clientless Access: On
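
The policy table above, modelled as an added example (not part of the Citrix white paper and not NetScaler code): a small Python evaluator that applies the two expressions in priority order to constructed requests and reports any policy hidden behind an earlier ns_true. It assumes the lower priority number is evaluated first and treats CONTAINS as a case-sensitive substring match; the function names and sample header values are constructed for illustration.

```python
import re

# Session policies from the table above: (priority, policy name, expression, profile).
POLICIES = [
    (10, "Native Receiver",
     "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && "
     "REQ.HTTP.HEADER X-Citrix-Gateway EXISTS",
     "Native Receiver"),
    (20, "Receiver for Web", "ns_true", "Receiver for Web"),
]

# One clause of the expression syntax used in the table; nothing else is supported.
_CLAUSE = re.compile(
    r"REQ\.HTTP\.HEADER\s+(?P<name>\S+)\s+(?P<op>CONTAINS|EXISTS)(?:\s+(?P<arg>\S+))?"
)


def eval_clause(clause, headers):
    """Evaluate one clause against headers keyed by lower-cased name."""
    clause = clause.strip()
    if clause == "ns_true":
        return True
    m = _CLAUSE.fullmatch(clause)
    # CONTAINS must carry a value and EXISTS must not.
    if m is None or (m["op"] == "CONTAINS") != (m["arg"] is not None):
        raise ValueError(f"unsupported clause: {clause!r}")
    value = headers.get(m["name"].lower())
    if m["op"] == "EXISTS":
        return value is not None
    # Assumption: CONTAINS is modelled as a case-sensitive substring match.
    return value is not None and m["arg"] in value


def matches(expression, headers):
    """True when every &&-joined clause of the expression holds."""
    return all(eval_clause(c, headers) for c in expression.split("&&"))


def select_profile(request_headers, policies=POLICIES):
    """Return the profile of the first matching policy, lowest priority number first."""
    headers = {k.lower(): v for k, v in request_headers.items()}
    for _prio, _name, expression, profile in sorted(policies, key=lambda p: p[0]):
        if matches(expression, headers):
            return profile
    return None


def shadowed_policies(policies=POLICIES):
    """Names of policies ordered after an unconditional ns_true, which never apply."""
    shadowed, catch_all_seen = [], False
    for _prio, name, expression, _profile in sorted(policies, key=lambda p: p[0]):
        if catch_all_seen:
            shadowed.append(name)
        elif expression.strip() == "ns_true":
            catch_all_seen = True
    return shadowed


# Constructed sample requests; header values are illustrative, not captured traffic.
SAMPLES = {
    "native receiver": {"User-Agent": "CitrixReceiver/4.0 Windows",
                        "X-Citrix-Gateway": "gateway.example.com"},
    "browser": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/21.0"},
    "receiver UA, no gateway header": {"User-Agent": "CitrixReceiver/4.0 Windows"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:32} -> {select_profile(hdrs)}")
    print("shadowed policies:", shadowed_policies())
```

Running the same check with the two priorities swapped shows why the ns_true policy has to carry the higher priority number: every session then receives the Receiver for Web profile.
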
To function correctly, Citrix Receiver requires that the StoreFront Services traffic not be
rewritten, as would normally be the case when NetScaler Gateway is operating in Clientless
Access (CVPN) mode. To disable rewriting, it is necessary to define a custom rewrite policy
for Clientless mode. Under the Clientless Session Policies tab, a new policy should be created
and bound. The URL Rewrite policy should be set to ns_cvpn_default_inet_url_label and the
expression set to true.
Figure 4. Clientless Access Policy
Figure 5. Clientless Access Profile

HTML5 Receiver Client
StoreFront 2.0 is packaged with a native HTML5 Citrix Receiver client that can be used as a
fallback client if the native Receiver is not installed. Receiver for HTML5 allows connections
through a browser without having to install any software on the endpoint. The Java client,
which was previously used as the fallback option with Web Interface, is no longer supported
with StoreFront. The HTML5 client can be enabled during the initial StoreFront
configuration or afterwards in the Receiver for Web section of the administration console.
Administrators have the option of configuring the HTML5 Receiver as the primary client for all
users or configuring it as a fallback if the native Receiver is not installed. The only exception
to the configured options is ChromeOS, which will always use the HTML5 client. Before
deploying the HTML5 client, please verify your environment against Citrix eDocs for a list
of the prerequisites that must be in place.
Conclusion
Citrix Consulting currently recommends StoreFront be implemented in a phased approach
beginning with a pilot environment for mobile users. This user group will see the greatest
benefit from having a seamless experience between devices regardless of their location. The
pilot environment should deliver resources from the production XenDesktop & XenApp
deployments. Additionally, StoreFront should be deployed in parallel to the existing Web
Interface environment on a separate Windows server instance. This will ensure a smooth
transition while not disturbing any user groups that are utilizing Web Interface.
Acknowledgments
Citrix Consulting Solutions would like to thank all of the individuals that offered guidance
and technical assistance during the course of this project – Roger LaMarca, Carisa Stringer,
Andy Baker, Peter Schulz, and Adolfo Montoya. Additionally, thanks go to Peter Smeryage
who helped with the build out of the environment.

References
• How to Configure Access to Citrix Receiver StoreFront 1.0 through Access
  Gateway Enterprise Edition: http://support.citrix.com/article/CTX131908
Revision History
Revision  Change Description  Updated By                   Date
1.0       Initial Document    Citrix Consulting Solutions  March 27, 2012
1.2       Document Update     Citrix Consulting Solutions  April 12, 2012
1.3       Document Update     Citrix Consulting Solutions  July 31, 2012
1.4       Document Update     Citrix Consulting Solutions  June 28, 2013
About Citrix
Citrix Systems, Inc. (NASDAQ:CTXS) is the leading provider of virtualization, networking
and software as a service technologies for more than 230,000 organizations worldwide. Its
Citrix Delivery Center, Citrix Cloud Center (C3) and Citrix Online Services product families
radically simplify computing for millions of users, delivering applications as an on-demand
service to any user, in any location on any device. Citrix customers include the world’s largest
Internet companies, 99 percent of Fortune Global 500 enterprises, and hundreds of thousands
of small businesses and prosumers worldwide. Citrix partners with over 10,000 companies
worldwide in more than 100 countries. Founded in 1989, annual revenue in 2009 was $1.61
billion.
©2013 Citrix Systems, Inc. All rights reserved. Citrix®, Access Gateway™, Branch Repeater™,
Citrix Repeater™, Citrix Receiver™, HDX™, XenServer™, XenApp™, XenDesktop™,
XenClient™ and Citrix Delivery Center™ are trademarks of Citrix Systems, Inc. and/or one
or more of its subsidiaries, and may be registered in the United States Patent and Trademark
Office and in other countries. All other trademarks and registered trademarks are property of
their respective owners.

More Related Content

Citrix StoreFront - Implementation Guide

  • 1. White Paper | Citrix StoreFront 2.0 www.citrix.com Citrix StoreFront 2.0 Proof of Concept Implementation Guide
  • 2. Page 2 Contents Contents.....................................................................................................................................2 Introduction...............................................................................................................................3 Architecture ...............................................................................................................................4 Installation and Configuration...................................................................................................5 Section 1: StoreFront Initial Deployment ................................................................. 6 Initial Server Configuration...............................................................................................10 Create New StoreFront Deployment ................................................................................13 Enable the Pass-Through Authentication Service..............................................................26 Section 2: Configure Second Receiver StoreFront Server .............................................27 Section 3: Accessing Applications through Receiver ......................................................32 Receiver for Web ...............................................................................................................36 Section 4: NetScaler Load Balancing Configuration........................................................36 Section 5: NetScaler Gateway for Remote Access .........................................................45 Conclusion...............................................................................................................................47 Acknowledgments....................................................................................................................47 References 
................................................................................................................................48 Revision History......................................................................................................................48
  • 3. Page 3 Introduction Citrix StoreFront provides users an enterprise app store that aggregates resources from XenDesktop, XenApp, XenMobile App Controller, and VDI-in-a-Box in one place. Each StoreFront user is able to subscribe to their favorite application and desktop resources, these favorite resources then automatically follow the user between devices. With Citrix Web Interface reaching end-of-life in 2015, it is important that administrators become familiar with StoreFront to facilitate a successful transition between products. StoreFront’s new modular architecture improves upon the existing design of Web Interface. It includes a new user authentication method which directly queries Active Directory rather than the existing double-hop Web Interface process where user credentials are sent from the Web Interface server to the XML broker who then negotiates authentication with the Domain Controller. StoreFront also makes the process of deploying multiple servers easier through its configuration synchronization feature. Customers that require a single point of access and self-service for Windows, Web, and SaaS applications should consider integrating StoreFront with XenMobile AppController. ApController, which is part of XenMobile App Edition, is an additional product that must be purchased. StoreFront is a no-cost product that is freely available for download for Citrix XenDesktop and XenApp customers. For a complete list of XenMobile AppController features, visit the product page. The goal of this document is to guide the reader through the steps required to create a successful StoreFront proof of concept environment. Citrix Consulting recommends implementing StoreFront in a phased approach beginning with mobile users. This user group will receive the greatest benefit since they access resources from multiple devices both inside and outside the corporate network. 
Selecting the correct user group will ensure that the full breadth of StoreFront’s features and self-service capabilities are showcased within this proof of concept.
  • 4. Page 4 Architecture Citrix StoreFront employs a modular architecture, as shown in the following diagram: Figure 1: Citrix Storefront Receiver Architecture  Authentication Service. Authenticates users to XenDesktop sites, XenApp farms, and AppController, handling all interactions to ensure that users only need to log on once.  Store Services. Retrieves user credentials from the authentication service to authenticate users to the XenApp and XenDesktop servers providing the application and desktop resources. Enumerates the resources currently available from the servers and sends the details to Citrix Receiver.  Receiver for Web. Enables users to access applications and desktop resources through a web page providing the same user experience as accessing those resources through Citrix Receiver.  Resource Subscription Database. Stores details of individualized user subscriptions plus associated shortcut names and locations.  Beacon. Citrix Receiver uses beacon points to determine whether users are connected to internal or public networks and then selects the appropriate access method.
  • 5. Page 5 Hardware and Software Requirements In preparation for executing all the steps outlined in this Proof of Concept (PoC) Implementation Guide, the following components will be required:  Windows Server 2008 R2 SP1 / Windows Server 2012: Receiver Storefront is only available for installation on these versions of Windows Server.  Citrix Receiver 3.3+ (Standard) Windows/ 11.6+ Mac: The Citrix Receiver versions that supports direct connections to StoreFront and take advantage of automatic account provisioning. Receiver 3.1+ for Windows and 11.5 for Mac support direct connections to StoreFront but do not support automatic account provisioning. Previous versions of Citrix Receiver, Citrix Online Plugin, and Receiver Enterprise can be used, but applications and desktops will only be available from the Receiver for Web site or by a legacy site.  NetScaler Access Gateway 10.0.69.4nc+: While not required for internal access to resources, Access Gateway is a key feature to enable secure remote access and allow the HTML5 client and Account Services features to function. Installation and Configuration The purpose of this document is to provide step-by-step instructions for the implementation of each component within the Proof of Concept environment. Each step is broken down into the following individual sections:  Section 1: StoreFront Initial Deployment  Section 2: Configure Second StoreFront Server  Section 3: Accessing Applications through Receiver  Section 4: Configure NetScaler Gateway Authentication  Section 5: NetScaler Load Balancing Configuration
  • 6. Page 6 Section 1: StoreFront Initial Deployment Citrix StoreFront can be setup in a single or multi-server deployment. Citrix Consulting recommends that StoreFront be deployed in a multi-server configuration to ensure high availability. The following steps detail the installation of StoreFront. 1 Choose the StoreFront installation file 2 Click Yes to install the .NET framework Check the accept terms of license box
  • 7. Page 7 7 Internet Information Server (IIS) will be deployed as part of the installation Select Next
  • 8. Page 8 Select Install Any pre-requisites missing will be installed automatically by Receiver StoreFront installer
  • 9. Page 9 8 The installation has now been completed Select Finish The StoreFront Receiver administration console will automatically appear
  • 10. Page 10 Initial Server Configuration The first step in configuring Receiver StoreFront is importing and binding an SSL certificate inside Internet Information Server (IIS). The following section walks through the steps needed to complete these tasks. 1 Before beginning the configuration, an SSL certificate matching the hostname chosen must be imported and bound to the default IIS Web Site. This is accomplished in IIS Manager. Select the local Server from the left menu. Select Server Certificates from the features menu.
  • 11. Page 11 2 Select Import on the Actions menu. 3 Select the certificate file to import. Select OK. 4 The certificate is now imported.
  • 12. Page 12 5 Select Default Web Site. Select Bindings. 6 Select Add. 7 Select https as the Type. Select the SSL Certificate from the dropdown menu. Select OK.
  • 13. Page 13 8 The https binding is now listed. Return to the Receiver StoreFront console. Create New StoreFront Deployment This section walks through the steps to configure the first StoreFront server in a deployment. 1 When the administration console opens, two options are available. Since this is the first server in the deployment, select Create a new deployment.
  • 14. Page 14 2 Since an SSL certificate has already been bound, the hostname will automatically be filled in. This is the hostname of the load balancing vServer on the NetScaler for the StoreFront servers. If the hostname is blank, go back to the SSL certificate installation steps. Select Next. 3 Wait for the Store to be created… 4 Enter a Store Name. It is recommended to choose a name that helps users identify the apps and desktops. This is the name that will appear inside Receiver.
  • 15. Page 15 5 This menu allows XenApp, XenDesktop, and Cloud Gateway Enterprise resources to be added to the Store. To begin adding resources, select Add. 7 First, a XenApp server will be added to the Store. Choose a Display name. Choose XenApp from the Type list.
  • 16. Page 16 Change the Transport type and Port accordingly. Select Add. 8 Enter the FQDN of the XenApp server. Select OK.
  • 17. Page 17 9 The XenApp server is now listed. Select OK. 10 To add a XenDesktop resource, the same steps are followed.
  • 18. Page 18 Begin by selecting Add. 11 The XenDesktop type is now selected. Once a server has been added, select OK.
  • 19. Page 19 12 Now both XenApp and XenDesktop are listed. Select Next.
  • 20. Page 20 13 This step will begin the Remote Access configuration through NetScaler Gateway. There are two options available: No VPN tunnel and Full VPN tunnel. Choose one and then select Add. 14 Enter a Display Name, Gateway URL, and Callback URL.
  • 21. Page 21 The SubNet IP address field can be left blank. Select Next. 15 Select Add.
  • 22. Page 22 16 Enter the STA URL and select OK. 17 Select Create. 18 Select Create.
  • 23. Page 23 19 Wait for the Store to be created… 20 Click Finish.
  • 24. Page 24 21 Click on Authentication. Observe that the configuration wizard enabled access through NetScaler Gateway and explicit username/password.
  • 26. Page 26 Enable the Pass-Through Authentication Service By default, during the initial configuration of StoreFront, only Explicit and NetScaler Access Gateway pass-through authentications are enabled. To allow users on the domain to pass through their Windows credentials to Citrix Receiver, the Domain Pass-Through method must be enabled. This pass-through option only works with the desktop Receiver, not the Receiver for Web page. For Citrix Receiver to utilize single sign-on, it must be installed with the following parameter: CitrixReceiver.exe /includeSSON. 1 Select Add/Remove Methods. 2 Select Domain pass-through and then click OK.
  • 27. Page 27 3 Domain pass-through authentication has now been enabled. Section 2: Configure Second Receiver StoreFront Server Once the first server has been configured, a second server should be added to the multi-server deployment. 1 On the first server deployed, select Add Server from the Server Group menu.
  • 28. Page 28 2 This server will now show an Authorization code that must be entered on the next server joined to the deployment. 3 On the second server, select Join existing server group.
  • 32. Page 32 Section 3: Accessing Applications through Receiver To simplify the Receiver provisioning process, StoreFront has introduced an auto-discovery service called Account Services. Available beginning with Receiver 3.3 Standard for Windows (Mac 11.6, iOS 5.6, Android 3.1), this feature allows Receiver to automatically provision a user for internal and remote access. This service eliminates the need for users to download Provisioning files and manually import them into Receiver. To allow users outside the corporate network to provision Receiver, NetScaler 10 build 69.4.nc and higher now includes a new entry in the session policy profile where the StoreFront Account Services URL is specified. The following steps walk through the process of a user provisioning their account inside Receiver through NetScaler Gateway. 1 Configure the Account Services Address on the NetScaler Gateway Session Profile
  • 34. Page 34 5 Click Finish. 6 Receiver will now display the subscribed resources. Applications and desktops are now
  • 35. Page 35 ready to be launched. Click the Settings icon. 7 Stores can be added and removed from this menu.
  • 36. Page 36 Receiver for Web In addition to accessing StoreFront Stores within Citrix Receiver Standard, users can also access applications and desktops through a web page. The Receiver for Web site allows users to easily connect to their resources on devices that might not have Citrix Receiver installed. It supports launching applications with the full Receiver, Receiver Web Plug-in, or HTML5 client. This gives users the flexibility to access resources on devices on which they do not have permission to install the full Receiver. Receiver for Web also separates applications and desktops into tabs, with all desktops available to the user automatically appearing on the desktop page. It also provides user-driven desktop restart functionality for XenDesktop resources. Figure 2: Apps View. Figure 3: Desktops View. Section 4: NetScaler Load Balancing Configuration This section will give an overview of the steps necessary to configure a NetScaler to load balance StoreFront. NetScaler 10.1 includes a new health monitor designed to intelligently monitor StoreFront. This allows NetScaler to provide a high level of reliability to the deployment. 1 From the Load Balancing menu, select Servers. Select Add.
  • 37. Page 37 2 Choose a name and enter the IP Address for both StoreFront servers. Select Create after each server is entered.
  • 38. Page 38 3 Both StoreFront servers are now listed. 4 From the Load Balancing menu, choose Monitors. Select Add.
  • 39. Page 39 5 Choose a name for the Monitor and select StoreFront as the Type. Leave the Standard Parameters settings at their defaults and choose the Special Parameters tab. Enter the Hostname used for the StoreFront group along with the Store Name. Check StoreFront Account Services. Click Create. 6 Choose Service Groups from the Load Balancing menu. Creating a Service Group allows a single health monitor to be attached to both servers. Select Add.
  • 40. Page 40 7 Enter a Service Group Name. Choose SSL for the Protocol. Select the two StoreFront servers, enter 443 as the Port, and then click Add. 8 Select the Monitors tab, choose the previously created StoreFront monitor, and click Add. It will then appear as a configured monitor.
  • 41. Page 41 9 Choose the Advanced tab. Click Override Global and uncheck Use Source IP. Click Client IP Header and enter X-Forwarded-For. 10 Choose the SSL Settings tab. Select the SSL certificate for the StoreFront servers and click Add.
  • 42. Page 42 Click Create. 11 Select Virtual Servers from the Load Balancing menu. Select Add. 12 Enter a Name and IP Address for the Virtual Server. Choose SSL for the Protocol.
  • 43. Page 43 13 Choose the Service Groups tab. Choose the previously created StoreFront Service Group. 14 Choose the Method and Persistence tab. Select COOKIEINSERT as the Persistence.
  • 44. Page 44 15 Choose the SSL Settings tab. Select the SSL certificate and click Add. Click Create.
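With Use Source IP unchecked in step 9, StoreFront sees the load balancer's address as the connection peer, and the client address arrives only in the X-Forwarded-For header. The following added example (not part of the Citrix guide) attributes requests in a StoreFront IIS log to clients and accepts the header only when the peer is the load balancer. The log layout, the custom X-Forwarded-For log field, the 10.0.0.5 load balancer address and all sample lines are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the address the NetScaler uses as source when it connects to StoreFront.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

# Constructed IIS W3C log excerpt; X-Forwarded-For is assumed to be logged as a custom field.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status X-Forwarded-For
2013-06-28 10:00:01 10.0.0.5 GET /Citrix/StoreWeb/ 200 198.51.100.23
2013-06-28 10:00:02 10.0.0.5 GET /Citrix/StoreWeb/ 200 -
2013-06-28 10:00:03 192.0.2.77 GET /Citrix/StoreWeb/ 200 203.0.113.9
2013-06-28 10:00:04 10.0.0.5 GET /Citrix/StoreWeb/ 200 not-an-ip
"""

def attribute_clients(log_text, trusted=TRUSTED_PROXIES):
    """Return one (peer_ip, client_ip, source) tuple per request line."""
    fields, out = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        peer = ipaddress.ip_address(row["c-ip"])
        xff = row.get("X-Forwarded-For", "-")
        client, source = peer, "peer"
        if xff != "-" and peer in trusted:
            # IIS logs spaces as '+'. Assumption: the rightmost entry is the one
            # added by the load balancer; earlier entries came from the client side.
            candidate = xff.replace("+", "").split(",")[-1]
            try:
                client, source = ipaddress.ip_address(candidate), "xff"
            except ValueError:
                source = "xff-invalid"   # keep the peer, flag the malformed header
        elif xff != "-":
            source = "xff-ignored"       # header sent by a peer that is not the load balancer
        out.append((str(peer), str(client), source))
    return out

if __name__ == "__main__":
    for record in attribute_clients(SAMPLE_LOG):
        print(record)
```

Requests tagged xff-ignored reached StoreFront without passing through the load balancer, which is worth reviewing in its own right.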
  • 45. Page 45 Section 5: NetScaler Gateway for Remote Access To provide remote access for users located outside the corporate network, it is recommended that StoreFront be deployed in conjunction with NetScaler Gateway, formerly known as Access Gateway. NetScaler Gateway acts as a reverse proxy, tunneling all Citrix HDX traffic over SSL. Remote users have the option of accessing their resources from either the locally installed Citrix Receiver or via the Receiver for Web site. For an optimal deployment that allows users to easily connect from inside and outside the organization, it is recommended that the Account Services feature be implemented. This feature will allow users to seamlessly configure their locally installed Receiver for external access through NetScaler Gateway. This feature essentially automates the process of downloading and importing a Provisioning file. A Provisioning file is an XML file that includes the necessary information to allow Receiver to decide whether it should connect directly to StoreFront or through NetScaler Gateway. This decision is made by using the beacon addresses included in the file. If Receiver is able to resolve the internal Beacon address, it will connect directly to StoreFront. By default, the internal Beacon address is set to the load balancing hostname for the StoreFront servers, although this can be changed in the Beacons menu inside StoreFront. For more information on configuring the Receiver Provisioning file, please reference Citrix eDocs. Session Policies To direct remote users to the optimal location, multiple session policies should be created on NetScaler Gateway. Using HTTP headers, the NetScaler is able to detect if the connection is being made from a web browser or directly from inside Receiver. Below is an example of the session policies required for Native Receiver and Receiver for Web access.
Priority | Policy Name | Expression | Profile
10 | Native Receiver | REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS | Native Receiver
20 | Receiver for Web | ns_true | Receiver for Web
  • 46. Page 46
Profile Name | Settings
Native Receiver | Clientless Access: On; ICA Proxy: Off; Account Services URL; SSO Domain
Receiver for Web (without XenMobile AppController) | Clientless Access: On; ICA Proxy: Off; WebInterface URL: StoreFront Receiver for Web page; SSO Domain
Receiver for Web (with XenMobile AppController, Clientless VPN) | ICA Proxy: On; WebInterface URL; SSO Domain; Clientless Access: On
To function correctly, Citrix Receiver requires that the StoreFront Services traffic not be rewritten, as would normally be the case when NetScaler Gateway is operating in Clientless Access (CVPN) mode. To disable rewriting, it is necessary to define a custom rewrite policy for Clientless mode. Under the Clientless Session Policies tab, a new policy should be created and bound. The URL Rewrite policy should be set to ns_cvpn_default_inet_url_label and the expression set to true. Figure 4. Clientless Access Policy. Figure 5. Clientless Access Profile.
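The two session policies above depend on their priority order: the ns_true policy matches every request, so it only works as a fallback while it is evaluated after the Native Receiver rule. The following added example (not part of the Citrix guide) models that selection and flags a policy that can never be chosen. It assumes the lowest priority number is evaluated first and the first match decides the profile, treats CONTAINS as a case-sensitive substring test, and uses constructed header values; the SWAPPED list is hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Mapping, Optional

def header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

@dataclass(frozen=True)
class SessionPolicy:
    priority: int
    name: str
    rule: Callable[[Mapping[str, str]], bool]
    profile: str

def native_receiver(h):
    # REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver &&
    # REQ.HTTP.HEADER X-Citrix-Gateway EXISTS
    ua = header(h, "User-Agent") or ""
    return "CitrixReceiver" in ua and header(h, "X-Citrix-Gateway") is not None

def ns_true(h):
    return True  # catch-all expression from the table

PAGE_POLICIES = [
    SessionPolicy(10, "Native Receiver", native_receiver, "Native Receiver"),
    SessionPolicy(20, "Receiver for Web", ns_true, "Receiver for Web"),
]
# Hypothetical misconfiguration: same rules, priorities swapped.
SWAPPED = [
    SessionPolicy(20, "Native Receiver", native_receiver, "Native Receiver"),
    SessionPolicy(10, "Receiver for Web", ns_true, "Receiver for Web"),
]
# Constructed sample requests; the header values are illustrative only.
SAMPLES = {
    "receiver": {"User-Agent": "CitrixReceiver/example", "X-Citrix-Gateway": "gw.example.com"},
    "browser": {"User-Agent": "Mozilla/5.0 (example browser)"},
    "ua_only": {"user-agent": "CitrixReceiver/example"},
}

def select_profile(headers, policies):
    """Profile of the first matching policy, lowest priority number first."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.rule(headers):
            return policy.profile
    return None

def unreachable(policies, samples=SAMPLES):
    """Names of policies that no sample request ever selects."""
    chosen = {select_profile(h, policies) for h in samples.values()}
    return sorted(p.name for p in policies if p.profile not in chosen)

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, "->", select_profile(hdrs, PAGE_POLICIES))
    print("never selected when swapped:", unreachable(SWAPPED))
```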
  • 47. Page 47 HTML5 Receiver Client StoreFront 2.0 is packaged with a native HTML5 Citrix Receiver client that can be used as a fallback client if the native Receiver is not installed. Receiver for HTML5 allows connections through a browser without having to install any software on the endpoint. The Java client, which was previously used as the fallback option with Web Interface, is no longer supported with StoreFront. The HTML5 client can be enabled during the initial StoreFront configuration or afterwards in the Receiver for Web section of the administration console. Administrators have the option of configuring the HTML5 Receiver as the primary client for all users or configuring it as a fallback if the native Receiver is not installed. The only exception to the configured options is ChromeOS, which will always use the HTML5 client. Before deploying the HTML5 client, please verify your environment against Citrix eDocs for a list of the prerequisites that must be in place. Conclusion Citrix Consulting currently recommends that StoreFront be implemented in a phased approach, beginning with a pilot environment for mobile users. This user group will see the greatest benefit from having a seamless experience between devices regardless of their location. The pilot environment should deliver resources from the production XenDesktop & XenApp deployments. Additionally, StoreFront should be deployed in parallel to the existing Web Interface environment on a separate Windows server instance. This will ensure a smooth transition while not disturbing any user groups that are utilizing Web Interface. Acknowledgments Citrix Consulting Solutions would like to thank all of the individuals that offered guidance and technical assistance during the course of this project: Roger LaMarca, Carisa Stringer, Andy Baker, Peter Schulz, and Adolfo Montoya. Additionally, thanks go to Peter Smeryage, who helped with the build out of the environment.
  • 48. Page 48 References: How to Configure Access to Citrix Receiver StoreFront 1.0 through Access Gateway Enterprise Edition: http://support.citrix.com/article/CTX131908
Revision History
Revision | Change Description | Updated By | Date
1.0 | Initial Document | Citrix Consulting Solutions | March 27, 2012
1.2 | Document Update | Citrix Consulting Solutions | April 12, 2012
1.3 | Document Update | Citrix Consulting Solutions | July 31, 2012
1.4 | Document Update | Citrix Consulting Solutions | June 28, 2013
About Citrix Citrix Systems, Inc. (NASDAQ:CTXS) is the leading provider of virtualization, networking and software as a service technologies for more than 230,000 organizations worldwide. Its Citrix Delivery Center, Citrix Cloud Center (C3) and Citrix Online Services product families radically simplify computing for millions of users, delivering applications as an on-demand service to any user, in any location on any device. Citrix customers include the world’s largest Internet companies, 99 percent of Fortune Global 500 enterprises, and hundreds of thousands of small businesses and prosumers worldwide. Citrix partners with over 10,000 companies worldwide in more than 100 countries. Founded in 1989, annual revenue in 2009 was $1.61 billion. ©2013 Citrix Systems, Inc. All rights reserved. Citrix®, Access Gateway™, Branch Repeater™, Citrix Repeater™, Citrix Receiver™, HDX™, XenServer™, XenApp™, XenDesktop™, XenClient™ and Citrix Delivery Center™ are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are property of their respective owners.