Publishing Citrix Apps with Citrix StoreFront

Citrix ZenApp 7.x and above uses Citrix StoreFront to deliver applications through Citrix Receiver. StoreFront manages the delivery of desktops and applications from XenApp and XenDesktop servers, and XenMobile servers in the data center to user devices. StoreFront enumerates and aggregates available desktops and applications into stores. Users access StoreFront stores through Citrix Receiver directly or by browsing to a Citrix Receiver for Web or Desktop Appliance site. Users can also access StoreFront using thin clients and other end-user-compatible devices through a XenApp Services site. 

StoreFront keeps a record of each user's applications and automatically updates their devices. Users have a consistent experience as they roam between their smartphones, tablets, laptops, and desktop computers. StoreFront is an integral component of XenApp 7.x and XenDesktop 7.x but can be used with several versions of XenApp and XenDesktop.

In Citrix Deployment, TAC can be act as Citrix NetScaler Gateway for Citrix Applications. TAC will proxy Citrix connections alternate to NetScaler Gateway.

NOTE: Currently TAC only support HTML 5 Citrix Receiver and Native Citrix Receiver proxy is not supported.

To publish Citrix apps through TAC do the Following:

CItrix StoreFront configuration

This KB article does not cover complete Citrix StoreFront configuration. Instead covers what is required to publish through TAC Gateway

There are few configuration changes needs to do on Citrix StoreFront to make this work.

  1. On Citrix StoreFront console, navigate to Stores, Go to "Receiver for website" tab and note down the receiver web site URL. This is the URL path that is going to be launched when user launch the app from TAC Gateway.
  2. Next, enable HTML5 Receiver, by go to "Manage Receiver for Website" on right side pane under "Store Services"
  3. This will open "Manage Receiver for Web Site"window. Select the website URL you wanted to activate HTML5 receiver and click Configure
  4. On the Edit Receiver for web site wizard, go to Deploy Citrix Receiver. under Deploy Citrix Receiver, select "Use Receiver for HTML5 if local Receiver unavailable" option from the Deployment option drop down.
  5. Click Apply and OK.
  6. Go to Manage NetScaler Gateways on action pane in the right side. This will open "Manage NetScaler Gateway"window.
  7. Click Add under NetScaler Gateways section to add TAC server as the NetScaler Gateway for Citrix StoreFront services. This will open "Add NetScaler Gateway configuration window.
  8. Under Genral Settings;
    1. Enter Display name to identify the instance
    2. Enter NetScaler Gateway URL. This URL is used in TAC for Citrix application's application specific public host name field in the application configuration wizard
    3. Click Next
    4. Enter secure Ticket Authority (STA) URL by click on Add under security ticket authority URL section.
      Note: you should have internal DNS resolver for this Host and make sure what HTTP type using for the URL (HTTP or HTTPS)
    5. Un-check "Enable session Reliability" checkbox.
    6. Click Next
    7.  Under Authentication settings, enter VServer IP. TAC Server's public facing IP will be the VServer IP.
    8.   Select Logon type as Domain.
    9. Enter Callback URL. Call back URL is generated with the public host name used for Citrix authentication services site in TAC. See TAC Server Side Configuration in the bottom of this article
    10. Click Create, Click Finish.

      NOTE:  If TAC servers are in array you will require to follow below isntructions: 
      • Add all TAC nodes as the NetScaler Gateway instances by repeating steps in STEP 8. for each TAC nodes in Netscaler gateway configuration VServer IP in (step 8.7) will be the public facing IP of each TAC node.
      • In each TAC instance configuration call back URL has to be the  TAC Sites public host name created for Citrix authentication services to represent each TAC server in the array node. you will add multiple Citrix Authentication Services Sites in TAC for TAC array.

  9. Enable Pass-through authentication through NetScaler gateway. 
    1. To enable Pass-Through authentication, go to Manage Authentication Methods under Store Service section in the right side pane.
    2. In the Manage Authentication Methods -Store Services, Select Pass-Through NetScaler Gateway in Methods list.
    3. Click OK.

  10. Enable Remote Access to Stores through TAC Gateways for outside access. 
    1. To Configure Remote Access to the Store, go to Configure Remote Access Settings under Store Services section in the right side pane of Citrix Store Services console.
    2. In the Configure Remote Access Settings- Store Services window, select Enable Remote Access checkbox
    3. Select " Allow users to access only resources delivered through StoreFront (No VPN Tunnel) option.
    4. Then, Select TAC Gateway servers configured as NetScaler gateway in the NetScaler Gateway appliances list. if you have multiple nodes available; select all.
    5. Click OK.
      This will allow external connection to StoreFront through TAC Gateways.

  11. Allow WebSocket connection in Citrix Policy 
    1. To allow WebSocket connection, navigate to Policy section in the left pane of Citrix Studio
    2. Create or edit the policy to allow following connections:
      • WebSockets Connections
      • WebSockets Port Number
      • WebSockets Trusted Origin Server List
    3. Select each settings and click Edit. Select Allowed, click OK.



TAC Server Configuration- Enabling Citrix Authentication to external

On TAC Server, do the following to create and publish Citrix Application

To work external access to StoreFront, TAC requires to publish Citrix Authentication service in TAC as an application. Citrix will use Citrix authentication service published site's public host name to construct Callback URL in Citrix NetScaler Gateway configuration.

If TAC is in array, it is required to create separate TAC sites that represent each TAC node and add Citrix Authentication service application in each site. Each site public host name must be entered as Callback URL in Netscaler Gateway appliances added in Step 8.9 of previous section.

  1. On TAC Configuration console, create a new secure site. Read more about how to create a secure site HERE.
    1. Enter a name for the Site.
    2. Enter a public host name for the site.
    3. select internal facing IP address in IP Address field. 
    4. Select the certificate from the drop-down list for the Site.
    5. Check "Require Server name Indication" checkbox.
    6. Do not add authentication servers in to the authentication list. Un-check "Require users to authenticate on session start" checkbox in authentication section.
    7. Click OK.

  2. Add Citrix Authentication Service application to the site.
    1. Under application section of the created site, Click Add.
    2. Select Web and Citrix Authentication Service from the Web drop down list in Add application wizard.
    3. Enter a name for the application.
    4. Click Next, Next and Finish.

For array; repeat above steps to represent each TAC nodes. Site public host name must be unique for each repeating and must be internally resolvable in internal DNS server.



TAC Server Configuration- Publishing Citrix application

To publish Citrix application in TAC do the following:

you may publish  Citrix XenApp on your existing application Site or you may create a new site. If publishing on existing site, go to Step 2.

  1. On TAC Configuration console, create a new secure site. Read more about how to create a secure site HERE.
    1. Enter a name for the Site.
    2. Enter a public host name for the site.
    3. select internal facing IP address in IP Address field. 
    4. Select the certificate from the drop-down list for the Site.
    5. Check "Require Server name Indication" checkbox.
    6. Add authentication servers in to the authentication list. 
    7. Click OK.

  2. Add Citrix application to the Site.
    1. Under application section of the created site, Click Add.
    2. Select Browser-embedded and Citrix  XenApp 7.x from the drop down list in Add application wizard.
    3. Enter a name for the application.
    4. Click Next.
    5. Select back-end server type. Single application server or Farm of application servers. Read more about application farm HERE.
    6. Enter back end application properties:
      1. Enter Citrix application server FQDN or IP.
      2. Enter the port. default is 80. If HTTPS select "Use SSL" checkbox.
      3.  Enter the path for Citrix XenApp portal. This is the path citrix portal will launch when launch from TAC portal. default is "/" . The web URL can be noted from the step 1 of Citrix StoreFront Configuration section of above.
      4. Enter application specific public host name.
      5. Click Next.
    7. Enter Secure Ticket Authority URLs under Citrix Deployment. This STA URLs must match with the NetScaler Gateway appliances configuration made in Step 8.4 .
    8. Under authentication select Single Sign On and add authentication repository, by clicking Add in the SSO section.
    9. Click Next.
    10. Under Authorization, Click Next.
    11. Under Security, Click Next.
    12. Click Finish.

Rember to Apply COnfiguration to take effect the changes. This will publish Citrix XenApp to outside world through TAC.