Citrix StoreFront for Virtual Apps and Desktops
Citrix Virtual Apps and Desktops provides virtualization solutions that give IT control of virtual machines, applications, and security while providing anywhere access for any device through Citrix StoreFront service. End-users can use applications and desktops independently of the client device's operating system and interface.
A key factor in delivering Virtual Apps and Desktops is ensuring the resilience, performance and scalability of the Virtual Desktop Infrastructure (VDI) with duplication of VDI servers and services. Load balancers are an essential component of this infrastructure as they provide a central connection point for remote users, can detect infrastructure outages, offload encryption overhead, and provide additional layers of security.
In contrast to Citrix ADC (NetScaler) load balancing that is often the default choice for StoreFront services, the Kemp LoadMaster is easy to configure, offers significant cost of ownership savings, and is supported by a world-class technical team.
Kemp LoadMaster is a drop-in load balancer replacement for Citrix ADC (NetScaler) that includes pre-defined templates for common Citrix Virtual Apps and Desktops environments to greatly simplify deployment and ensure optimal security and performance. LoadMaster offers significant TCO savings compared to Citrix ADC and is supported by a technical team that regularly achieves 99% customer satisfaction ratings.
A Virtual Service template and deployment guide was introduced with LoadMaster Operating System (LMOS) 7.2.51 to deploy a Virtual Service as a Citrix StoreFront Gateway for external publishing of Citrix Virtual Apps and Desktops deployments, so that internet clients can leverage Citrix's VDI. In previous releases, the LoadMaster only supported publishing to internal networks.
The Kemp-approved and tested template supports authentication of clients to a Citrix StoreFront endpoint that provides access to Citrix Virtual Apps and Desktops resources. Clients can log in using Citrix Workspace App, Citrix Receiver, or a browser such as Edge, Chrome, Firefox, or Safari.
Adding Virtual Services to multiple LoadMasters can be both repetitive and error-prone. Kemp have developed a general template mechanism that provides consistency and ease of use when creating Virtual Services.
Using templates to set up and configure a Virtual Service is a two-stage process. Initially, you must import the template into the LoadMaster. When imported, you can use the templates when adding a new Virtual Service.
This document outlines the procedure to import the Kemp Citrix Virtual Apps or Desktops(TM) template and configure it to control the flow of browser traffic and Citrix Workspace(TM)/Receiver(TM) traffic. The template creates Virtual Services, Secure Listeners, and content rules.
The downloaded template file contains the following three (3) templates:
- Citrix StoreFront Gateway: Handles Citrix Virtual Apps and Desktops traffic including Citrix StoreFront Gateway, HTTP redirect, and Connection Server VDI Listener Workspace-Receiver-2598
- Citrix StoreFront Gateway - HTML5: Handles Citrix Virtual Apps and Desktops traffic including Citrix StoreFront Gateway, HTTP Redirect, and Connection Server Listeners (HTML5-8008 and Workspace-Receiver-2598)
- Citrix StoreFront Internal: This template handles internal StoreFront connections. No rewriting of the ICA file occurs. The vast majority of this document covers external configurations. For further details on internal configurations, refer to the Citrix StoreFront Internal Configuration section.
Here is a summary of what the templates create:
- StoreFront Gateway: This Virtual Service is the main endpoint and will identify whether the client is connecting using Citrix Workspace/Receiver or using a browser. This Virtual Service IP address will be configured for your external DNS record, for example citrix.domain.com which will NAT to your Virtual IP address. The StoreFront Gateway Virtual Service consists of several Sub Virtual Services:
  - StoreFront Browser Auth ESP: Handles front-end authentication using the Edge Security Pack (ESP) for protocols such as RADIUS and LDAP.
  - StoreFront Browser Launch HTML5 App: Handles the rewriting of the ICA file where an HTML5 WebSocket connection has been initiated.
  - StoreFront Workspace-Receiver Add Account: Used where clients are required to add an account to the Citrix Workspace/Receiver application.
  - StoreFront Workspace-Receiver Launch App: Handles the rewriting of the ICA file where the Citrix Workspace/Receiver application has been detected.
- Secure Listeners: The Citrix StoreFront Gateway template also creates ten (10) individual Secure Listeners which will listen on a secure port such as port 4431 and forward the connection to your VDI server on port 2598. The Citrix StoreFront Gateway - HTML5 template also creates ten (10) Secure Listeners, five (5) Secure Listeners to handle native ICA 2598 traffic, and five (5) Secure Listeners to handle HTML5 web socket 8008 traffic. These listeners correspond to specific internal VDI servers. This is explained in the Secure Listeners section of this document.
- Content Rules: The template creates several content rules with the name starting Citrix_ to support the Virtual Services and Secure Listeners. No content rules are created by the Citrix StoreFront Internal template.
- Citrix StoreFront Internal: This Virtual Service is used to handle internal StoreFront connections. When a client launches an application through StoreFront the client connection is forwarded directly to the server.
To configure Citrix Virtual Apps internally, select the Citrix StoreFront Internal template from the Use Template drop-down list.
The template is configured for SSL offloading. You can disable this if needed (Virtual Services > View/Modify Services > Modify > SSL Properties > disable SSL Acceleration).
Add your StoreFront Servers to the Virtual Service under the Real Servers section of the Virtual Service Modify screen. No additional configuration is required.
In a Citrix Virtual Apps and Desktops environment, the Kemp LoadMaster sits at the edge (behind a firewall) and accepts connections from remote clients, load balancing connections across the available StoreFront servers. The LoadMaster manages the authentication to the external authentication systems such as Active Directory or RADIUS. When StoreFront returns the ICA file to the client, LoadMaster intercepts and modifies the information with the appropriate load balanced VDI server information.
The high-level flow is as follows:
1. The client connects to StoreFront using the LoadMaster.
2. The LoadMaster authenticates the client against Active Directory (AD) and assigns an "LMData" authentication cookie.
3. The LoadMaster POSTs credentials to StoreFront where StoreFront authenticates against AD.
4. StoreFront forwards credentials to the Delivery Controller in an XML query.
5. The Delivery Controller enumerates the user's applications by querying Active Directory for the user's security groups and querying the database for a list of the user's applications.
6. The client selects their application where StoreFront queries the Delivery Controller to find a suitable VDI server which contains the application.
7. The Delivery Controller returns the application information back to StoreFront in an XML file.
8. StoreFront creates an ICA file with the connection details such as the IP address of the VDI server and a launch reference.
9. The LoadMaster takes the ICA file and rewrites the settings which enables the client to make a secure, publicly-resolvable connection.
10. The LoadMaster forwards the ICA file to the client where the client automatically initiates a new connection over a secure port such as port 4431.
11. The LoadMaster receives the encrypted connection, decrypts, and forwards to the chosen VDI server.
The following requirements must be met:
- You must have an authentication server configured, such as a RADIUS server or an LDAP or Active Directory Domain Controller (DC)
- You must have a Kemp LoadMaster Enterprise/Enterprise Plus subscription (or a trial license) because you must have ESP functionality enabled
- You must use the Citrix StoreFront Virtual Apps and Desktops template
- You must have a Certificate Authority (CA) certificate to decrypt the SSL traffic for external connections
- You must have external firewall rules configured for ports 443 and 4431-4440
- LoadMaster firmware version 7.2.51 or above is recommended
Here is a list of features that are currently not supported:
- Front-end Authentication (Edge Security Pack (ESP)) smart card access
- HDX Adaptive Transport
- Front-end Authentication (ESP) for Citrix Workspace/Receiver Desktop App
- Signing of ICA file
Downloading the ICA file is not supported where HTML5 is also required. If clients' browsers do not detect the Receiver/Workspace app and the HTML5 "WebSockets" policy is not required, install the Citrix StoreFront Gateway template, which supports downloading the ICA file.
You can import the Citrix StoreFront Gateway template on the LoadMaster through the Manage Templates screen located under Virtual Services in the main menu of the LoadMaster User Interface (UI).
When adding a new Virtual Service, you can select the template from the list of installed templates in the Use Template drop-down list. Selecting a template populates the Port and Protocol of the Virtual Service. When you click Add this Virtual Service, the Virtual Service is created, and the attributes of the Virtual Service are automatically configured by the template. Once loaded, you can modify the Virtual Service in the same way as a manually created one.
When a client connects to Citrix StoreFront using a browser, they must authenticate using Kemp ESP front-end authentication. This is handled in the StoreFront Browser Auth ESP Virtual Service.
Begin by navigating to Certificates & Security > LDAP Configuration in the LoadMaster UI. Create a new LDAP endpoint by typing a valid name and clicking Add. No special characters or spaces are allowed. Note the name of the LDAP endpoint, because it is required in the next step. Specify the parameters for the LDAP endpoint. For further details on how to configure an LDAP endpoint, refer to the following Knowledge Base article: How to configure an LDAP endpoint.
After configuring the LDAP endpoint, go to Virtual Services > Manage SSO and add a new client-side configuration with an appropriate name.
Then, select the LDAP Endpoint as configured previously and the Domain/Realm as per your Domain Controller settings.
Idle timeout only functions correctly on Virtual Apps & Desktops 7 with StoreFront 2003 or later. Set the idle timeout to a value greater than the StoreFront idle timeout, whose default is 20 minutes. For example, in the screenshot above the idle timeout is set to 1800 seconds (30 minutes). When the idle timeout expires on StoreFront, it sends a logoff string, which the LoadMaster detects and uses to clear the session.
If you are unable to upgrade to StoreFront 2003, set the idle timeout to a full working day on both the LoadMaster and the "Sessionstate" setting on your StoreFront servers (refer to the Appendix for further details); otherwise, clients must refresh their browser to re-authenticate.
If you would like to configure multi-factor authentication, refer to the following Kemp blog: How to do MFA with Google CAPTCHA using Kemp LoadMaster.
From the Virtual Services > Add New in the main menu of the LoadMaster UI, select the Citrix StoreFront Gateway or Citrix StoreFront Gateway - HTML5 template from the Use Template drop-down list.
This Virtual Service IP address will be configured for your external DNS record, for example citrix.domain.com, which resolves to a public IP address that is NATed to the Virtual Service IP address (10.1.154.202 in this example). Enter the Virtual Address and click Add this Virtual Service.
The Citrix StoreFront Gateway Virtual Service consists of three (3) SubVSs or four (4) if you are utilizing HTML5. These SubVSs are used to authenticate and rewrite your ICA file. The template also creates multiple Secure Listeners which are used to connect securely to your VDI servers.
Expand the SubVSs section and click Modify on the StoreFront Browser Auth ESP SubVS. Expand the Real Servers section and click Add New to add your StoreFront servers. Select the Add to All SubVSs check box (as shown above) so your StoreFront servers will be added to all SubVSs.
After adding your StoreFront servers, update the health check URL. Replace STORENAME with the name of your Store. Modify all SubVSs to update the health check URL (as shown above).
The STORENAME is case sensitive.
On the StoreFront Browser Auth ESP SubVS, update the ESP Options settings of SSO Domain, Allowed Virtual Hosts, Logoff String and Form Authentication Path. For the Logoff String and Form Authentication Path, replace STORENAME with your StoreFront name (as shown above).
The STORENAME is case sensitive.
Logoff String: /Citrix/STORENAMEWeb/Authentication/Logoff
Form Authentication Path: /Citrix/STORENAMEWeb/PostCredentialsAuth/Login
Each of these Secure Listeners appears as a Virtual Service under Virtual Services > View/Modify Services in the LoadMaster UI. Modify each of these Virtual Services to add a Real Server (back-end VDI server) pointing to the VDI IP address that corresponds to the body modification rule the template created for that listener; those rules are updated in the Modify the Content Rules section. Health checks are not required on these Real Servers (back-end VDI servers). If one of these VDI servers is not available, your StoreFront Delivery Controller should not select it for application delivery.
Each Secure Listener Virtual Service offloads/decrypts the encrypted traffic and forwards on port 2598 for Workspace/Receiver and port 8008 if utilizing HTML5 WebSockets.
Below is an example of how 10 VDI Secure Listeners are mapped to specific VDI servers.
Citrix StoreFront Gateway Template
Once configured, your Virtual Services should resemble the layout shown in the screenshot above.
Citrix StoreFront Gateway - HTML5 Template
Once configured, your Virtual Services should resemble the layout shown in the screenshot above.
In the LoadMaster UI, go to Rules & Checking > Content Rules from the menu and scroll down to see the Header Modification and Body Modification rules. The template deploys Content Rules starting with Citrix_ and these are applied to the appropriate Virtual Services.
Start by modifying three (3) of the Header Modification Rules:
- Citrix_Browser_URL: Replace STORENAME with your own store name, including the forward slash.
- Citrix_Delete_AuthID: Replace STORENAME with your own store name, including the forward slash.
- Citrix_Redirect: Replace the full FQDN and path, including the forward slash.
The STORENAME is case sensitive.
The LoadMaster is going to read the ICA file and take your internal IP address and rewrite it to your external FQDN using a specific secure destination port as outlined in the Secure Listeners section. This is achieved with the following updates to the default body modification rules as shown in the screenshot below.
In the body response rules, replace the internal IP addresses with your own Citrix VDI server IP addresses. Be sure to retain port 1494; modify only the IP address. In some environments the FQDN is returned. In this case, add the FQDN instead of the IP address, again retaining port 1494. If you are uncertain whether the ICA file returns an FQDN or an IP address, complete the following steps:
1. Log into StoreFront.
2. When it asks to detect Receiver, cancel and select Already Installed.
3. Click on an application and download the ICA file.
4. Open using Notepad and note the Address= setting, as shown above.
If port :1494 is not included, then remove it from each of the rules that are shown in the above two screenshots.
In the body modification rules in the LoadMaster UI, change EXTERNAL.DOMAIN.COM in the Replacement text field to be your external URL. Again, ensure you do not change the port number because this is associated with your Secure Listener VDI Virtual Service.
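The rewrite described above (the Secure Listener mapping and the body modification rules), as an added illustration that is not Kemp's or Citrix's code: it maps each internal VDI address to the external FQDN and that server's listener port, rewrites the Address= line of an ICA file with or without :1494, reports addresses that have no listener (an internal address would otherwise leak to the client and the launch would fail), and flags listener ports outside the 4431-4440 firewall range. The FQDN, internal addresses and sample ICA text are constructed placeholders.

```python
import re

# Constructed placeholders: the external FQDN and the internal VDI addresses are
# assumptions for this example, not values from the deployment guide.
EXTERNAL_FQDN = "citrix.example.com"
FIRST_LISTENER_PORT = 4431          # the template's first Secure Listener port
FIREWALL_PORT_RANGE = (4431, 4440)  # external firewall rules the guide requires

# Internal VDI addresses in Secure Listener order (VDI-1 -> 4431, VDI-2 -> 4432, ...).
INTERNAL_VDI = ["192.168.1.10", "192.168.1.11", "vdi-03.corp.example"]

# An ICA Address= line; the host may be an IP or an FQDN, with or without :1494.
# The lookahead leaves a trailing CR (ICA files are often CRLF) untouched.
ADDRESS_RE = re.compile(r"^(Address=)(?P<host>[^:\s]+)(?::1494)?(?=\r?$)", re.MULTILINE)


def listener_map(vdi_servers, fqdn=EXTERNAL_FQDN, first_port=FIRST_LISTENER_PORT):
    """One body modification rule per VDI server: internal address -> fqdn:listener port."""
    return {addr: f"{fqdn}:{first_port + i}" for i, addr in enumerate(vdi_servers)}


def rewrite_ica(ica_text, mapping):
    """Apply the mapping to every Address= line of an ICA file.

    Returns (rewritten text, hosts that had no matching listener). A host in the
    second list would reach the client as an unreachable internal address, so
    treat it as a configuration gap (a missing listener or body rule).
    """
    unmapped = []

    def _sub(match):
        host = match.group("host")
        if host in mapping:
            return f"{match.group(1)}{mapping[host]}"
        unmapped.append(host)
        return match.group(0)  # leave the line as-is and report it

    return ADDRESS_RE.sub(_sub, ica_text), unmapped


def ports_outside_firewall(mapping, port_range=FIREWALL_PORT_RANGE):
    """Listener ports not covered by the firewall rules (e.g. 4441 for an 11th VDI)."""
    lo, hi = port_range
    used = {int(target.rsplit(":", 1)[1]) for target in mapping.values()}
    return sorted(used - set(range(lo, hi + 1)))


# Constructed sample ICA fragment of the kind StoreFront returns for a launch.
SAMPLE_ICA = (
    "[WFClient]\r\nVersion=2\r\n\r\n[ApplicationServers]\r\nNotepad=\r\n\r\n"
    "[Notepad]\r\nAddress=192.168.1.11:1494\r\nInitialProgram=#Notepad\r\n"
)

if __name__ == "__main__":
    rewritten, missing = rewrite_ica(SAMPLE_ICA, listener_map(INTERNAL_VDI))
    print(rewritten)
    print("unmapped hosts:", missing)
```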
Using PowerShell is an efficient method of creating new VDI listeners and content rules. The script also adds the rules to your SubVS. For further details, refer to the following Knowledge Base article: How to - Create new VDI listeners and Content Rules using PowerShell - Citrix Virtual Apps.
Alternatively, you can use the UI to create new VDI listeners and content rules by following these steps:
1. Duplicate an existing Secure Listener. You can do this in the Virtual Service modify screen by clicking Duplicate VIP.
2. Set a new name for the duplicated Virtual Service, such as Citrix - Workspace-ICA VDI-11 and change to a new unique listening port such as 4441.
3. In the Real Servers section, delete the existing Real Server, such as 192.168.1.10, and add the new VDI server IP address (for example, 192.168.1.11) or FQDN on port 2598 or port 8008 for HTML5.
4. Create an additional Replace String in Response Body content rule. Go to Rules & Checking > Content Rules > Create New.
5. Match your internal IP address and replace it with your secure external URL and with your new unique listening port.
6. Add the rule to the StoreFront Workspace-Receiver Launch App SubVS. In the SubVS, go to Advanced Properties > Show Body Modification Rules.
7. Promote new rule above the Citrix_GatewayAddress rule.
If you do not require all of the Secure Listeners, you can deactivate or delete them. Kemp recommends deactivating rather than deleting, as a Listener might be needed in the future.
To deactivate a Secure Listener, follow these steps:
1. In the main menu of the LoadMaster UI, go to Virtual Services > View/Modify Services.
2. Click Modify on the relevant Virtual Service.
3. In the Basic Properties section, uncheck the Activate or Deactivate Service check box to deactivate the Virtual Service.
To enable full end-to-end security and provide the ability to re-encrypt on the Citrix Workspace Browser and Citrix Workspace Client Virtual Services, you must install a CA signed certificate.
To do this, in the LoadMaster UI go to Certificates & Security > SSL Certificates. Click Import Certificate and add the appropriate CA signed certificate.
When the certificate is installed, assign it to the StoreFront Gateway Virtual Service and all Secure Listeners.
This section outlines the Citrix StoreFront settings that you must update to support the Kemp solution. These steps are only applicable for external deployments.
It is not necessary to configure a Remote Access Gateway.
In Citrix Studio, disable HDX because it is currently not supported. If testing within a NetScaler environment, you can keep HDX enabled. Kemp recommends disabling HDX in production.
Enable HTTP Basic authentication and disable Pass-through from NetScaler Gateway. If testing within a NetScaler environment and you require "Pass-through", you can create a new test "Store".
As administrator, on each StoreFront server open c:\inetpub\wwwroot\Citrix\Store\AppData and, under the [Application] section, add the entry GatewayAddress=<External URL> as shown in the above screenshot.
Add this to each StoreFront server. If you update StoreFront, you must re-add this entry.
If using HTML5, the LoadMaster does not currently support the downloading and launching of the ICA file.
If launching from your browser, you must ensure that the browser can detect Citrix Workspace or Receiver.
If Workspace or Receiver is not installed, select Use light version.
The light version uses HTML5 WebSockets, so ensure your WebSockets Policy is Allowed.
For help with troubleshooting, refer to the following Knowledge Base article: How To - Troubleshoot StoreFront for Citrix Virtual Apps and Desktops.
This appendix outlines how to set the Sessionstate on your StoreFront servers:
1. Go to C:\inetpub\wwwroot\Citrix\STORENAME.
2. Locate sessionState timeout and set it to 600 minutes (10 hours).
This document was last updated on 21 July 2020.