Complete the following procedures to configure NetScaler Gateway with StoreFront:

• Deploy Storefront Using Netscaler Vpx All About Citrix Access
• Deploy Storefront Using Netscaler Vpxall About Citrix Workspace
• Deploy Storefront Using Netscaler Vpx All About Citrix Connection

I. Policy for Web

II. Policy for Receiver

III. Authentication

IV. Virtual Server

V. StoreFront

F5 Deployment Guide 4 Citrix enApp and enDesktop h You can optionally configure the APM with smart card authentication or with two-factor authentication using RSA SecurID. » If deploying two factor authentication using SecurID, you must have an existing SecurID AAA Server object on the BIG-IP APM to use. Configure Authentication at StoreFront using NetScaler Gateway. To perform the configuration on the NetScaler: Navigate to the XenApp and XenDesktop option, and click the Get Started button. On the next screen, select StoreFront and click Continue. Next, enter the NetScaler Gateway information. CITRIX NETSCALER & STOREFRONT Changing workforce dynamics have clear implications for remote access: Access must be secure, and the security controls for remote access must also be convenient for end users. RSA SecurID® Access enables businesses to empower employees, partners and contractors to do more without compromising security or convenience. NetScaler Gateway Information This guide demonstrates how to deploy Citrix NetScaler in conjunction with StoreFront and XenDesktop with a focus on both simplicity in configuration and advanced features not easily delivered with other products.

NetScaler Gateway

I. The following steps details how to create the Session Policy for Web Browser Based Access.

1. To create session policy, navigate to NetScaler Gateway > Policies > Session.
2. In the Session Policies field, click Add.
3. In the Name field, type the name of the Session Policy. For example, Web_Browser_Policy.
4. Click the box with the + sign.
5. Type in the Name of the new Session Profile in the Configure NetScaler Gateway Session Profile window.

6. In the Client Experience tab, enable the following settings:

   • Enable Clientless Access and set it to Allow
   • Enable Single Sign-on to Web Application
   • Enable Plug-in Type to Windows/MAC OS X
7. In the Security tab, enable Default Authorization Actions and set it to ALLOW.

8. In the Published Application tab, enable the following settings:

• Enable ICA Proxy and set it to ON.
• Enable and configure Web Interface Address - FQDN of the Storefront server followed by the path to the store for web
• Enable and configure Single Sign-on Domain - NetBIOS name for the domain
• Click Create

9. If you are using Classic Policy expression, In the expression field, add the information listed below and click Create.
   REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver
   If using Advanced Policy expression, In the expression field, add the information listed below and click Create.
   HTTP.REQ.HEADER('User-Agent').CONTAINS('CitrixReceiver').NOT​
   Note: This policy is needed in order for the NetScaler to differentiate between web browser based and Citrix Receiver based connections. This policy will be applied to web browser based connections.

II. The following steps details how to createthe Session Policy for Citrix Receiver for Windows or Mac, and Mobile Devices on NetScaler Gateway:

1. Navigate to NetScaler Gateway > Policies > Session.
2. In the Session Policies field, click Add.
3. In the Name field, type the Name of the Session Policy. For example, Receiver_Policy
4. Click the box with the + sign.
5. Type in the Name of the new Session Profile in the Configure NetScaler Gateway Session Profile window.
6. In the Client Experience tab, enable the following settings:
   • Set the Home Page to None
   • Enable Split Tunnel and Set to OFF
   • Enable Clientless Access and set it to Allow
   • Enable Single Sign-on to Web Application
   • Set Plug-inType to Java
   • Uncheck Choices Choices
7. In the Security tab, enable Default Authorization Actions and set it to ALLOW.
8. In the Published Application tab, enable the following settings:
   • Enable ICA Proxy and set it to ON
   • Enable and configure Web Interface Address - FQDN of the Storefront server followed by the path to the store for web
   • Enable and configure Single Sign-on Domain - NetBIOS name for the domain
   • Enable and configure Account Services Address. The last back slash is important
   • Click Create.

9. If using Classic Policy expression, In the expression field, add the information listed below and click Create.
   REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
   
   If using Advanced Policy expression, In the expression field, add the information listed below and click Create.
   HTTP.REQ.HEADER('User-Agent').CONTAINS('CitrixReceiver')​
   
   Note: This policy is needed in order for the NetScaler to differentiate between web browser based and Citrix Receiver based connections. This policy will be applied for Citrix Receiver based connections.

Top of Page

III. The following steps details how to configure authentication on the NetScaler appliance.
Click on the following link for latest information on how to configure LDAP authentication on the NetScaler appliance.

Top of Page

IV. The following steps details how to createNetScaler Gateway Virtual Server and bind the Session Policies.

1. Navigate to NetScaler Gateway > Virtual Server and click Add to add a new virtual server.
2. After the virtual server is created, bind the specific session policy to the virtual server based on your company’s requirements.

Top of Page

StoreFront

V. The following steps details how to configure authentication for StoreFront.

1. Enable the pass-through authentication from NetScaler Gateway on StoreFront. For more information, refer to Citrix Documentation - Create and configure the authentication service.
   Note: StoreFront must trust the issuer of the NetScaler Gateway virtual server’s bound certificate (Root and/or Intermediate certificates) for the Authentication Callback service.
2. Add NetScaler Gateway to StoreFront. For more information, refer to Citrix Documentation - Add a NetScaler Gateway connection.
   Note: The Gateway URL must match exactly what the users are typing into the web browser address bar.
3. Enable remote access on the StoreFront store. For more information, refer to Citrix Documentation - Manage remote access to stores through NetScaler Gateway.

Beaconing is one aspect of StoreFront and Receiver that I get asked about frequently. Oddly enough, it’s also one of the few pieces that I get questions on from both clients AND colleagues who are working on understanding them. So this blog post will hopefully help those who may not fully understand beacons by answering these three things: What it is, Why its important, and How it works.

Citrix Receiver uses internal and external URLs as beacon points. By attempting to contact these beacon points, Citrix Receiver can determine whether users are connected to local or public networks. When a user accesses a desktop or application, the location information is passed to the server providing the resource so that appropriate connection details can be returned to Citrix Receiver. This enables Citrix Receiver to ensure that users are not prompted to log on again when they access a desktop or application.

So beacon points are just URL’s that Citrix Receiver tries to contact to figure out where it is. Is it outside the network or inside? That will of course determine if they connect directly to the StoreFront load balanced VIP on a NetScaler (if you deployed an HA pair of StoreFront servers, and you did RIGHT!?) or if it will connect via the NetScaler (Access) Gateway. By default, StoreFront is going to use your internal services URL (StoreFront LBVIP) for the internal Beacon Point, and you would want to set the external to some highly available websites that you know should always be accessible.

So to sum up in a single sentence what beacons are: Beacons are URLs that Receiver uses to determine its location and connection method based on that location.

Example screenshot from a StoreFront 2.0 deployment below.

Why Are Beacons Important?

Technically, they matter because they direct Receiver to connect to your Xen* infrastructure via the the correct method, either AGEE or SF LBVIP.

Beyond the technical reasons, beacons are important because it’s about moving away from URL’s..its inconvenient for a user to have to remember a specific URL to access their applications and/or desktops. Its another hoop that we made our users jump through to get to what they need. By eliminating that, all they need to know is to get Receiver from their respective app store. From there it’s as simple is entering their corporate email address (because you configured email based discovery, RIGHT?) and everything they need is available to them. In my opinion this is paramount because we are finally making strikes at the user experience now, leveraging Receiver and beacons to make it simple for the end-user which is what we should all strive for.

How Do Beacons Work?

So technically this should be how does RECEIVER work with beacons..but oh well. First, your internal beacon should (of course) not be resolvable externally. This is a big change from the web interface days where you normally had the same internal and external URL setup for your users to access, in fact if you used the same internal name on your StoreFront LBVIP DNS entry and external AGEE entry it will break receiver.

Most clients run split-brain DNS where they have an internal zone that is a duplicate of their external namespace (read HERE to understand more). In this case its easy, our internal beacon (by default) is your StoreFront service URL or it can be some other internal highly available server, really doesn’t matter.

Deploy Storefront Using Netscaler Vpx All About Citrix Access

Secondly, in regards to order of operations it will check internal beacons first then move to external. Another thing to be aware of is it considers ANY http response a valid response. You may have run into this, but OpenDNS is notorious because when you are external and try to resolve a (then) unresolvable internal beacon FQDN where the domain is covered by a wildcard certificate it hoses your Receiver and you can’t connect.

I should also add, beacons are provided from StoreFront to receiver in the config file..so if you go changing your internal beacons after you’re users are configured…ehh..just don’t. If you do, you have to make sure users update their configuration file via a web store or export it from StoreFront and distribute it. StoreFront is going to default to the internal services URL for internal beacon and for external it will use the NetScaler Gateway information you enter into StoreFront and Citrix.com as the primary and secondary external beacons.

Deploy Storefront Using Netscaler Vpxall About Citrix Workspace

Finally..don’t get confused..beacons are nothing more than connectivity checks..your actual StoreFront/Access Gateway URL’s are independent of the beaconing checks. Again though, use one URL for your internal StoreFront LBVIP and it should not be resolvable externally, and another URL for your Access Gateway external access. If you follow my post on deploying StoreFront you’ll be fine though, you can find it HERE.

Deploy Storefront Using Netscaler Vpx All About Citrix Connection

Hope this helps someone out there!