Now that we have created a basic unconfigured StoreFront deployment we will have a look at the features and options we can configure.

Start the Citrix StoreFront Console.


This is what it looks like when we open it for the first time. We now can View or Change a store or create a new one. On the left side we have the known options:

  • Server Group
  • Authentication
  • Stores
  • Receiver for Web
  • NetScaler Gateway
  • Beacons

Let´s dive a little bit deeper…


Under Server Group we have the following options:

  1. Add Server
  2. When you want to join a second StoreFront server to your deployment you need to start the “Add Server” Wizard. In this process a security token is shown on the first StoreFront server and you need to type the code on your second server in order to join it successfully.

  3. Change Base URL
  4. If for some reason you need to change the Base URL for your deployment you can do it here. All Stores and StoreFront services are affected by this change.

  5. Generate Security Keys
  6. If you use a server group Citrix recommends generating new Security Keys from time to time. Users authenticated to Stores then need to reauthenticate.

Available authentication Methods:

We need to configure the Authentication service. Username and password is configured automatically.


Additional Authentication services need to be added separately.

  1. User name and password
  2. This leads to explizit authentication and users have to enter their credentials when accessing the Store

  3. Domain pass-through
  4. Pass-through authentication with Active Directory accounts. Don´t forget to install the Receiver with pass-through enabled.

  5. Smart card
  6. There are some things to consider before we can use Smart-Cards with StoreFront:

    1. Install the Smart-Card middleware on the VDAs
    2. Check that certificate to account mapping is configured correctly
    3. Ensure that accounts for all users are configured either within the Microsoft Active Directory domain or that a correct two-way-trust is in place
    4. Assign appropriate Certificates on the StoreFront or/and NetScaler appliances
    5. Configure SSL on the servers
    6. edit the default.ica on the StoreFront servers for single sign on. The default.ica can be found under the following path:

      [Application] DisableCtrlAltDel=Off UseLocalUserAndPassword=On
  7. Http basic
  8. The IIS on the StoreFront server authenticates the users.

  9. Pass-through from NetScaler Gateway
  10. NetScaler Gateway authenticates the users.


You can create as many stores as you need.


You can create a store for a particular group of users or to group together a specific set of resources. You can also create an unauthenticated store that allows for anonymous, or unauthenticated access.

  1. Create Store
  2. Choose this option to create a new Store.

  3. Create Store for Unauthenticated Users
  4. This creates a Store for anonymous access. Please be aware of the fact that in StoreFront configurations where the web.config file has been configured with the parameter LogoffAction=”terminate”, Receiver for Web sessions accessing this unauthenticated store will not terminate. To ensure these sessions terminate properly, the XenApp server being used by this store must have the Trust XML requests option enabled as shown in Configuring the Citrix XMS Service Port and Trust.

  5. Export Multi-Store Provisioning File
  6. We can generate files containing connection details for stores, including any NetScaler Gateway deployments and beacons configured for the stores. Users can then configure their Receiver automatically with these files.

Options for “myStore”

  1. Manage Delivery Controllers
  2. We can edit the list of DCs here.

  3. Enable Remote Access
  4. Here we can enable Remote Access with the options mentioned above (None, No VPN tunnel, Full VPN tunnel).

  5. Disable User Subscriptions
  6. We can enable or disable User Subscriptions. If we want users to subscript to applications before using them we should enable the setting. If we want all user to see all of the available applications we should disable it.

  7. Integrate with Citrix Online
  8. We can choose to show or hide the GoTo Meeting products in the Store and what happens when users add one of the three Products. I would disable them, if they are not needed.

  9. Export Provisioning File
  10. Here we can export an Provisioning file for the automated Citrix Receiver Setup. If we choose to export the file a file is saved to a location you can choose.

  11. Configure Kerberos Delegation
  12. Have a look at the edocs article that describes this feature in more detail:

  13. Configure XenApp Services Setup
  14. This is the old “Configure Legacy Support” Feature that enables access through legacy clients. When you create a new store, the XenApp Services URL is enabled by default. The XenApp Services URL for a store has the form http[s]://serveraddress/Citrix/storename/PNAgent/config.xml

  15. last but not least…Remove Store
  16. I think this one is self explaining 😉

Receiver for Web

Use this task to add Receiver for Web sites, which enable users to access stores through a webpage.


  1. Create Website
  2. We can create a new Website at this point. We have to choose an available Store and assign a Website path.

“myStore” Receiver

  1. Choose Authentication Methods
  2. Choose User name and password, Domain pass-through, Smart card or Pass-through from NetScaler Gateway.

  3. Add Shortcuts to Website
  4. If we like we can add additional application shortcuts to the Receiver for Web site, e.g. corporate websites.

  5. Change Store
  6. If there are multiple Stores available we can switch stores at this point.

  7. Set Session Timeout
  8. We can set the HTTP session timeout for Receiver for Web.

  9. Deploy Citrix Receiver
  10. In enterprise environments the Citrix Receiver should be deployed through standardized mechanism (e.g. SCCM). If however you want to deploy the Receiver you can choose between the following options:

    • Install locally
    • Use Receiver for HTML5 if local install fails
    • Always use Receiver for HTML5
  11. Remove Website
  12. This option should also be self explaining. Be sure before hitting the buttons.

NetScaler Gateway is unconfigured until we enable Pass-through authentication in the authentication tab.


This is the section were we can configure Beacons. Before we create some, let´s explain what they are…


Beacons are URLs in the internal or external network. Citrix Receiver attempts to reach the Beacon Points in order to check if the user and his device are connected internally or from outside the company network. If internal URLs are not accessible the Receiver then tries to use the NetScaler Gateway to connect to resources.
By default, StoreFront uses the server URL or load-balanced URL of your deployment as the internal beacon point. The Citrix website and the virtual server URL of the first NetScaler Gateway deployment you add are used as external beacon points by default.

If you want to create some Beacons choose “Manage Beacons” on the right side.


Do not forget to assign the appropriate Certificates to the StoreFront servers and change the bindings in IIS in order for HTTPS to work.


In case of problems with the StoreFront deployment we can enable StoreFront verbose Logging

Further information

In my opinion things should be simple for users. Therefore I like the idea of using the same URL for internal and external users. The referenced link describes the configuration of NetScaler, DNS and StoreFront:

All information without warranty for any failures in your environment.