Now that we have created a basic unconfigured StoreFront deployment, we will have a look at the features and options we can configure.
Start the Citrix StoreFront Console.
This is what it looks like when we open it for the first time. We now can View or Change a store or create a new one. On the left side we have the known options:
- Server Group
- Receiver for Web
- NetScaler Gateway
Let's dive a little bit deeper…
Under Server Group we have the following options:
- Add Server
- Change Base URL
- Generate Security Keys
When you want to join a second StoreFront server to your deployment you need to start the “Add Server” Wizard. In this process a security token is shown on the first StoreFront server and you need to type the code on your second server in order to join it successfully.
If for some reason you need to change the Base URL for your deployment you can do it here. All Stores and StoreFront services are affected by this change.
If you use a server group, Citrix recommends generating new Security Keys from time to time. Users authenticated to Stores then need to reauthenticate.
Available authentication Methods:
We need to configure the Authentication service. Username and password is configured automatically.
Additional Authentication services need to be added separately.
- User name and password
- Domain pass-through
- Smart card
- Install the Smart-Card middleware on the VDAs
- Check that certificate to account mapping is configured correctly
- Ensure that accounts for all users are configured either within the Microsoft Active Directory domain or that a correct two-way-trust is in place
- Assign appropriate certificates on the StoreFront and/or NetScaler appliances
- Configure SSL on the servers
- Edit the default.ica on the StoreFront servers for single sign-on. The default.ica can be found under the following path:
  C:\inetpub\wwwroot\Citrix\
  Settings in the file:
  [Application]
  DisableCtrlAltDel=Off
  UseLocalUserAndPassword=On
- Http basic
The IIS on the StoreFront server authenticates the users.
- Pass-through from NetScaler Gateway
NetScaler Gateway authenticates the users.
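A quick way to verify the default.ica settings from the smart card checklist above on every server of the group. This is an added example, not code from Citrix or from the original post; it assumes the file is plain INI-style text, that `;` and `#` start comments and that keys are case-insensitive, and the sample content is constructed.

```python
# Added example: audit a default.ica for the single sign-on settings named above.
REQUIRED = {"DisableCtrlAltDel": "Off", "UseLocalUserAndPassword": "On"}

# Constructed sample content, not a real StoreFront file.
SAMPLE_ICA = """\
[WFClient]
Version=2

[Application]
TransportDriver=TCP/IP
DisableCtrlAltDel=Off
; UseLocalUserAndPassword=On
"""


def parse_ica(text):
    """Return {section_lower: {key_lower: value}} for INI-style ICA text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank line or comment (assumed comment markers)
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def audit_ica(text, section="Application", required=REQUIRED):
    """List findings; an empty list means every required setting is present."""
    settings = parse_ica(text).get(section.lower())
    if settings is None:
        return [f"section [{section}] is missing"]
    findings = []
    for key, want in required.items():
        have = settings.get(key.lower())
        if have is None:
            findings.append(f"{key} is not set in [{section}]")
        elif have.lower() != want.lower():
            findings.append(f"{key}={have}, expected {want}")
    return findings


if __name__ == "__main__":
    for finding in audit_ica(SAMPLE_ICA):
        print("FINDING:", finding)
```

In the sample the second setting is commented out, so the audit reports it as missing even though the text is present in the file.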
You can create as many stores as you need.
You can create a store for a particular group of users or to group together a specific set of resources. You can also create an unauthenticated store that allows for anonymous, or unauthenticated access.
- Create Store
- Create Store for Unauthenticated Users
- Export Multi-Store Provisioning File
Choose this option to create a new Store.
This creates a Store for anonymous access. Please be aware that in StoreFront configurations where the web.config file has been configured with the parameter LogoffAction=”terminate”, Receiver for Web sessions accessing this unauthenticated store will not terminate. To ensure these sessions terminate properly, the XenApp server used by this store must have the Trust XML requests option enabled, as shown in Configuring the Citrix XML Service Port and Trust.
We can generate files containing connection details for stores, including any NetScaler Gateway deployments and beacons configured for the stores. Users can then configure their Receiver automatically with these files.
Options for “myStore”
- Manage Delivery Controllers
- Enable Remote Access
- Disable User Subscriptions
- Integrate with Citrix Online
- Export Provisioning File
- Configure Kerberos Delegation
- Configure XenApp Services Setup
- last but not least…Remove Store
We can edit the list of Delivery Controllers (DCs) here.
Here we can enable Remote Access with the options mentioned above (None, No VPN tunnel, Full VPN tunnel).
We can enable or disable User Subscriptions. If we want users to subscribe to applications before using them, we should enable the setting. If we want all users to see all of the available applications, we should disable it.
We can choose to show or hide the GoToMeeting products in the Store and what happens when users add one of the three products. I would disable them if they are not needed.
Here we can export a provisioning file for the automated Citrix Receiver setup. If we choose to export the file, a ReceiverConfig.cr file is saved to a location you can choose.
Have a look at the edocs article that describes this feature in more detail: http://support.citrix.com/proddocs/topic/dws-storefront-26/dws-configure-kcd.html
This is the old “Configure Legacy Support” Feature that enables access through legacy clients. When you create a new store, the XenApp Services URL is enabled by default. The XenApp Services URL for a store has the form http[s]://serveraddress/Citrix/storename/PNAgent/config.xml
I think this one is self-explanatory 😉
Receiver for Web
Use this task to add Receiver for Web sites, which enable users to access stores through a webpage.
- Create Website
We can create a new Website at this point. We have to choose an available Store and assign a Website path.
- Choose Authentication Methods
- Add Shortcuts to Website
- Change Store
- Set Session Timeout
- Deploy Citrix Receiver
Choose User name and password, Domain pass-through, Smart card or Pass-through from NetScaler Gateway.
If we like we can add additional application shortcuts to the Receiver for Web site, e.g. corporate websites.
If there are multiple Stores available we can switch stores at this point.
We can set the HTTP session timeout for Receiver for Web.
In enterprise environments the Citrix Receiver should be deployed through a standardized mechanism (e.g. SCCM). If, however, you want to deploy the Receiver here, you can choose between the following options:
- Install locally
- Use Receiver for HTML5 if local install fails
- Always use Receiver for HTML5
- Remove Website
This option should also be self-explanatory. Be sure before hitting the buttons.
NetScaler Gateway is unconfigured until we enable Pass-through authentication in the authentication tab.
This is the section where we can configure Beacons. Before we create some, let's explain what they are…
Beacons are URLs in the internal or external network. Citrix Receiver attempts to reach the Beacon Points in order to check if the user and his device are connected internally or from outside the company network. If internal URLs are not accessible the Receiver then tries to use the NetScaler Gateway to connect to resources.
By default, StoreFront uses the server URL or load-balanced URL of your deployment as the internal beacon point. The Citrix website and the virtual server URL of the first NetScaler Gateway deployment you add are used as external beacon points by default.
If you want to create some Beacons choose “Manage Beacons” on the right side.
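To make the beacon logic concrete, here is a small model of the decision plus a configuration check. It is an added example, not Citrix code and not part of the original post; the host names, the "offline" state and the probe function are assumptions, and the sample models a deployment where one URL is used both internally and externally, so the default internal beacon has the same host name as the gateway.

```python
from urllib.parse import urlsplit

# Constructed sample: one URL used inside and outside, so the default internal
# beacon (the base URL) has the same host name as the gateway.
INTERNAL = ["https://apps.example.com/"]
EXTERNAL = ["https://www.citrix.com/", "https://apps.example.com/"]


def host(url):
    """Lower-cased host name of a beacon URL ('' if it has none)."""
    return (urlsplit(url).hostname or "").lower()


def locate(internal, external, reachable):
    """Simplified model of the beacon decision; reachable is url -> bool."""
    if any(reachable(u) for u in internal):
        return "internal"   # connect to StoreFront directly
    if any(reachable(u) for u in external):
        return "external"   # connect through NetScaler Gateway
    return "offline"        # assumed third state: no beacon answers


def check_beacons(internal, external):
    """Flag internal beacons whose host is also listed as an external beacon."""
    outside = {host(u) for u in external}
    return [f"internal beacon {u} is also an external beacon host"
            for u in internal if host(u) in outside]


def reachable_from_internet(url):
    """Constructed stand-in for a probe run on a device outside the LAN."""
    return host(url) in {"www.citrix.com", "apps.example.com"}


if __name__ == "__main__":
    # A device outside the network is classified as internal and skips the gateway.
    print(locate(INTERNAL, EXTERNAL, reachable_from_internet))
    print(check_beacons(INTERNAL, EXTERNAL))
```

With an internal beacon that only resolves inside the network, the same outside device is classified as external and the check returns no findings.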
Do not forget to assign the appropriate Certificates to the StoreFront servers and change the bindings in IIS in order for HTTPS to work.
In case of problems with the StoreFront deployment we can enable StoreFront verbose logging.
In my opinion things should be simple for users. Therefore I like the idea of using the same URL for internal and external users. The referenced link describes the configuration of NetScaler, DNS and StoreFront:
All information without warranty for any failures in your environment.
This leads to explicit authentication, and users have to enter their credentials when accessing the Store.
Pass-through authentication with Active Directory accounts. Don't forget to install the Receiver with pass-through enabled.
There are some things to consider before we can use Smart-Cards with StoreFront: