Integrate NetScaler VPX with StoreFront
Tutorial on how to integrate NetScaler VPX with StoreFront
Refer to Provision Citrix NetScaler VPX with CLI to set up a new Citrix NetScaler VPX
Information for this lab
- Publicly Accessible URL – https://citrix.aventis.com.my
- Virtual IP Address – 192.168.1.238/24 assigned for citrix.aventis.com.my
- Public SSL Certificate – Let’s Encrypt Wildcard SSL Certificate
- Secure the XML traffic between Citrix StoreFront and the Delivery Controllers (DDCs) via HTTPS. The XML service is used for application and desktop resource enumeration, and it also carries user name and password data from StoreFront to the DDCs.
- Static A record in NetScaler VPX to resolve citrix.aventis.com.my to IP Address of StoreFront
- Authentication to AD Domain Controller via Secure LDAP (Port 636) instead of LDAP (Port 389)
Integrate NetScaler VPX with StoreFront
Static A record in NetScaler VPX
Add a DNS A record to point citrix.aventis.com.my to the internal StoreFront server (192.168.1.230)
add dns addRec citrix.aventis.com.my 192.168.1.230
Secure the XML traffic between Citrix StoreFront and Delivery Controller
Open Citrix Studio and go to Citrix StoreFront – Stores – Manage Delivery Controllers – Edit. Change the Transport Type from HTTP to HTTPS
Configuration of Citrix NetScaler VPX
Log in to NetScaler and click on Configuration – Integrate with Citrix Products – XenApp and XenDesktop – Get Started
Select StoreFront and click Continue
Enter the information below
- Gateway FQDN – citrix.aventis.com.my
- Gateway IP – 192.168.1.238
- Port – 443
- Redirect requests from port 80 to secure port – ENABLED
Select the imported Let’s Encrypt wildcard SSL certificate for *.aventis.com.my
Enter StoreFront URL = https://citrix.aventis.com.my and click Retrieve Stores to populate the information for Receiver for Web Path
Enter the Default Active Directory Domain = aventis.com.my and Secure Ticket Authority URL = https://citrix-ddc.aventis.com.my. Click Test STA Connectivity to verify NetScaler VPX can communicate with Delivery Controller successfully
Refer to FAQ: Citrix Secure Gateway/ NetScaler Gateway Secure Ticket Authority for a better understanding of STA
Enable Secure LDAP on the AD Domain Controller by referring to my previous post
Under Choose Authentication Type, select Domain, fill in the information as below and click Test Connection to verify that NetScaler VPX can communicate with the AD Domain Controller via Secure LDAP
Click Done to complete the setup
Download the Configuration File for NetScaler VPX and import it to StoreFront.
Import the ns-sftrust-root.cert by referring to this link if you encounter “Cannot Download File. Operation not permitted [StoreFront Trust SSL certificate is missing]”
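To confirm from a saved NetScaler configuration that the transport goals of this lab took effect (Secure LDAP on port 636, STA over HTTPS, an SSL gateway virtual server), the lines can be audited as below. This is an added example, not part of the original tutorial or of any Citrix tooling; the sample lines are constructed, and the ldapAction names and 192.0.2.x addresses are placeholders.

```python
import shlex

# Constructed ns.conf-style lines (not exported from the lab appliance). The
# 192.0.2.x addresses and ldapAction names are placeholders; the vserver name,
# gateway IP and STA host are the ones used in this tutorial.
SAMPLE_CONF = '''\
add authentication ldapAction ldap_secure -serverIP 192.0.2.10 -serverPort 636 -secType SSL
add authentication ldapAction ldap_legacy -serverIP 192.0.2.11 -serverPort 389 -secType PLAINTEXT
add vpn vserver _XD_192.168.1.238_443 SSL 192.168.1.238 443
bind vpn vserver _XD_192.168.1.238_443 -staServer "https://citrix-ddc.aventis.com.my"
bind vpn vserver _XD_192.168.1.238_443 -staServer "http://citrix-ddc.aventis.com.my"
'''

def parse_options(tokens):
    """Collect '-flag value' pairs into a dict keyed by lower-cased flag."""
    opts, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("-") and i + 1 < len(tokens):
            opts[tokens[i].lower()] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return opts

def audit(conf_text):
    """Return (line_no, message) for each line that misses the lab's transport goals."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        tok = shlex.split(line)
        if len(tok) < 4:
            continue
        verb, name, opts = [t.lower() for t in tok[:3]], tok[3], parse_options(tok[4:])
        if verb == ["add", "authentication", "ldapaction"]:
            # Absent options are treated as the plaintext defaults (port 389).
            sec = opts.get("-sectype", "PLAINTEXT").upper()
            port = opts.get("-serverport", "389")
            if sec != "SSL" or port != "636":
                findings.append((line_no, f"{name}: LDAP uses {sec} on port {port}, expected SSL on 636"))
        elif verb == ["bind", "vpn", "vserver"] and "-staserver" in opts:
            if not opts["-staserver"].lower().startswith("https://"):
                findings.append((line_no, f"{name}: STA URL {opts['-staserver']} is not HTTPS"))
        elif verb == ["add", "vpn", "vserver"]:
            if len(tok) < 5 or tok[4].upper() != "SSL":
                findings.append((line_no, f"{name}: gateway virtual server is not of type SSL"))
    return findings

if __name__ == "__main__":
    for line_no, message in audit(SAMPLE_CONF):
        print(f"line {line_no}: {message}")
```

Run against the constructed sample, it reports the plaintext LDAP action and the HTTP STA binding and passes the other three lines.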
Replace the Default Portal Theme
You will see the default portal theme as below when you access https://citrix.aventis.com.my now
Go to Configuration – Citrix Gateway – Virtual Servers and double click on _XD_192.168.1.238_443
Change the Portal Theme to RfWebUI and click DONE
Users will see the login page as below when they log in to https://citrix.aventis.com.my in the future
Configuration of StoreFront
Import the NetScaler Configuration File to StoreFront
Verify the Citrix Gateway URL: is configured to point to citrix.aventis.com.my
Verify the Secure Ticket Authority URLs: to point to https://citrix-ddc.aventis.com.my/scripts/ctxsta.dll with Enabled Session Reliability checked
Session reliability keeps sessions active and on the user’s screen when network connectivity is interrupted. Users continue to see the application they are using until network connectivity resumes.
Change the Callback URL to https://citrix-lan.aventis.com.my
Ensure that citrix-lab.aventis.com.my resolves to the Virtual IP Address of NetScaler VPX (192.168.1.238)
The callback URL is the internally accessible URL of the appliance. This is used to verify that requests received from NetScaler Gateway originate from that appliance.
Click on Manage Beacons and change the Internal Beacon to Specify beacon address: https://citrix-ddc.aventis.com.my
Refer to Configure beacon points for a better understanding of how beacons work
Enable Domain Pass-Through in Manage Authentication Methods
Refer to Citrix Documentation – User authentication to understand further on the Domain Pass-Through Authentication
Disable Auto Launch Desktop in Manage Receiver for Web Site – Client Interface Settings
Disable Required Token Consistency in Configure Store Settings – Advanced Settings
Users log in from Internal Network with Laptop, iPhone & Android
Users located in the Internal Network can log in successfully with Web Browser & Citrix Workspace
- 192.168.1.238 is the Virtual IP Address of NetScaler VPX
Users log in from External Network with Laptop, iPhone & Android
Users can log in successfully with Web Browser & Citrix Workspace from the Internet