Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

Citrix StoreFront for Virtual Apps and Desktops

1 Introduction

Citrix Virtual Apps and Desktops provides virtualization solutions that give IT control of virtual machines, applications, and security while providing anywhere access for any device through Citrix StoreFront service. End-users can use applications and desktops independently of the client device's operating system and interface.

A key factor in delivering Virtual Apps and Desktops is ensuring the resilience, performance, and scalability of the Virtual Desktop Infrastructure (VDI) with duplication of VDI servers and services. Load balancers are an essential component of this infrastructure as they provide a central connection point for remote users, can detect infrastructure outages, offload encryption overhead, and provide additional layers of security.

In contrast to Citrix ADC (NetScaler) load balancing that is often the default choice for StoreFront services, the Kemp LoadMaster is easy to configure, offers significant cost of ownership savings, and is supported by a world-class technical team.

Kemp LoadMaster is a drop-in load balancer replacement for Citrix ADC (NetScaler) that includes pre-defined templates for common Citrix Virtual Apps and Desktops environments to greatly simplify deployment and ensure optimal security and performance. LoadMaster offers significant Total Cost of Ownership (TCO) savings compared to Citrix ADC and is supported a technical team that regularly achieves 99% customer satisfaction ratings.

A Virtual Service template, PowerShell script, and this deployment guide was introduced with LoadMaster Operating System (LMOS) 7.2.51 to deploy a Virtual Service as a Citrix StoreFront Gateway for external publishing of Citrix Virtual Apps and Desktops deployments, so that internet clients can leverage Citrix's VDI. In previous releases, the LoadMaster only supported publishing to internal networks.

The Kemp-approved and tested template supports authentication of clients to a Citrix StoreFront endpoint that provides access to Citrix Virtual Apps and Desktops resources. Clients can log in using Citrix Workspace App, Citrix Receiver, or a browser such as Edge, Chrome, Firefox, or Safari.

2 Virtual Service Summary

Here is a summary of the Virtual Services:

  • StoreFront Gateway: This Virtual Service is the main endpoint and will identify whether the client is connecting using Citrix Workspace/Receiver or using a browser. This Virtual Service IP address will be configured for your external DNS record, for example which will NAT to your Virtual IP address. Depending on the template selected, the StoreFront Gateway Virtual Service consists of several Sub Virtual Services:
    • StoreFront Browser Auth ESP: Handles front-end authentication using the Edge Security Pack (ESP) for protocols such as RADIUS and LDAP.
    • StoreFront Browser Launch HTML5 App: Handles the rewriting of the ICA file where a HTML5 WebSocket connection had been detected.
    • StoreFront Workspace-Receiver Pass Through: Handles pre-requests for Workspace/Receiver ESP front-end authentication.
    • StoreFront Workspace-Receiver Launch App: Handles the rewriting of the ICA file where the Citrix Workspace/Receiver application has been detected.
    • StoreFront Workspace-Receiver Auth ESP: Handles front-end authentication for Workspace/Receiver.
  • Secure Listeners: The Citrix StoreFront Gateway template also creates ten (10) individual Secure Listeners which will listen on a secure port such as port 4431 and forward the connection to your VDI server on port 2598. The Citrix StoreFront Gateway - HTML5 template also creates ten (10) Secure Listeners, five (5) Secure Listeners to handle native ICA 2598 traffic, and five (5) Secure Listeners to handle HTML5 web socket 8008 traffic. These listeners correspond to specific internal VDI servers. This is explained in the Secure Listeners section of this document.
  • Content Rules: The template creates several content rules with the name starting Citrix_ to support the Virtual Services and Secure Listeners. No content rules are created by the Citrix StoreFront Internal template.
  • Citrix StoreFront Internal: This Virtual Service is used to handle internal StoreFront connections. When a client launches an application through StoreFront the client connection is forwarded directly to the server.

3 High-Level Flow (External)

In a Citrix Virtual Apps and Desktops environment, the Kemp LoadMaster sits at the edge (behind a firewall) and accepts connections from remote clients, load balancing connections across the available StoreFront servers. The LoadMaster manages the authentication to the external authentication systems such as Active Directory or RADIUS. When StoreFront returns the ICA file to the client, LoadMaster intercepts and modifies the information with the appropriate load balanced VDI server information.


The high-level flow is as follows:

1. The client connects to StoreFront using the LoadMaster.

2. The LoadMaster authenticates the client against Active Directory (AD) and assigns an "LMData" authentication cookie.

3. The LoadMaster POSTs credentials to StoreFront where StoreFront authenticates against AD.

4. StoreFront forwards credentials to the Delivery Controller in an XML query.

5. The Delivery Controller enumerates the user's applications by querying Active Directory for the Users Security Groups and queries the database for a list of the client's applications.

6. The client selects their application where StoreFront queries the Delivery Controller to find a suitable VDI server which contains the application.

7. The Delivery Controller returns the application information back to StoreFront in an XML file.

8. StoreFront creates an ICA file with the connection details such as the IP address of the VDI server and a launch reference.

9. The LoadMaster takes the ICA file and rewrites the settings which enables the client to make a secure, publicly-resolvable connection.

10. The LoadMaster forwards the ICA file to the client where the client automatically initiates a new connection over a secure port such as port 4431.

11. The LoadMaster receives the encrypted connection, decrypts, and forwards to the chosen VDI server.

4 Requirements

The following requirements must be met:

  • For ESP pre-authentication you will require an authentication server such as a RADIUS server or an LDAP or Active Directory Domain Controller (DC).
  • For ESP you must have a Kemp LoadMaster Enterprise/Enterprise Plus subscription (or a trial license).
  • You must use the Kemp PowerShell script or Citrix StoreFront Virtual Apps and Desktops template to configure your LoadMaster.
  • You must have a Certificate Authority (CA) certificate to decrypt the SSL traffic for external connections.
  • You must have external firewall rules configured for ports 443 and 4431- 4440. This accommodates 10 VDI servers. For additional VDI servers, additional open ports are required.
  • For ESP enabled virtual services, LoadMaster firmware version 7.2.53 or above is required.
  • For virtual services without ESP enabled, LoadMaster firmware version 7.2.51 or above is required.

5 Currently Unsupported Features

In this implementation of Citrix StoreFront support, several features are currently unsupportedfuture:

  • Front-end authentication (ESP) to StoreFront using Smart Cards (client certificates) is not supported.
  • Citrix UDP ICA/HDX with Session Reliability is not supported. LoadMaster currently supports TCP ICA/HDX with Session Reliability.
  • ICA file signing - which is not enabled by default in StoreFront - is not supported.


6 Configure the LoadMaster

To configure the settings on your LoadMaster, you can either use the Kemp PowerShell script that is included in the Zip file, or the Kemp template. Kemp recommends using the PowerShell script because it removes the process of manually configuring your internal VDI server content rules, while also removing a lot of the repetitive steps relating to your Citrix StoreFront Store name. Refer to the relevant section below depending on whether you choose to use the PowerShell script or the template.

When using either the PowerShell or template-based installations, you must determine if the ICA file returned by Citrix uses IP addresses or Fully Qualified Domain Names (FQDNs) to identify the virtual application or virtual desktop. If you are uncertain if the ICA file returns an FQDN or an IP address, complete the following steps:

1. Log in to StoreFront.

2. When it asks to detect Receiver, cancel and select Already Installed.

3. Click on an application and download the ICA file.

4. Open using Notepad and take note of the Address= setting, as shown above.

5. You can also retrieve a list of VDI Server IP Addresses using the following Citrix PowerShell commands. The commands can be run on your Citrix Studio server (replace 'Machine Catalog Name' with the actual machine catalog name from your Citrix deployment):

Add-PSSnapin Citrix*

Get-BrokerDesktop -Filter {CatalogName -eq ' Machine Catalog Name'} | Select-Object -Property IPAddress | Out-File C:\vdiservers.txt.

This command will be run against each "Machine Catalogue".

6.1 Share SubVS Persistence

Kemp recommends enabling the global Share SubVS Persistence option. This change is necessary to prevent a double authentication prompt. By default, each SubVS of a Virtual Service has an independent persistence table. Enabling Share SubVS Persistence allows the SubVS to share this information.

To enable Share SubVS Persistence, follow the steps below:

1. In the LoadMaster User Interface (UI), navigate to System Configuration > Miscellaneous Options > L7 Configuration.

2. Select the Share SubVS Persistence check box.

3. Reboot the LoadMaster after enabling this option to activate it (System Configuration > System Administration > System Reboot > Reboot).

6.2 Configure using the Kemp PowerShell Script

The Kemp PowerShell script is included in the zip file downloaded from the Citrix Virtual Apps and Desktops (StoreFront) web page. The PowerShell script currently requires the use of IP addresses to identify the StoreFront and VDI servers. If your Citrix environment requires the use of FQDNs instead of IP addresses, then the proper installation method is the Kemp template. Install the Kemp PowerShell Module

For further information on the PowerShell API, refer to the PowerShell Interface Description.

You can download the wrapper from this page: LoadMaster PowerShell API Wrapper.

You can verify the Kemp.LoadBalancer.Powershell module has been properly installed using the Microsoft PowerShell command GET-Module. You should see a module named Kemp.LoadBalancer.Powershell in the list of modules returned when executing this command.

6.2.1 Installing a New Citrix Workload

There are two Kemp PowerShell scripts. One script will initially configure a LoadMaster for Citrix Virtual Apps and Desktops. The second script adds additional VDI servers to an existing Citrix environment. Both scripts are intended to be edited before they are run. There is a section titled Configure Variables in the script that needs to be updated to match your environment.

The Install Citrix script deploys Citrix in a manner that matches the two existing Citrix templates (with or without HTML5). In addition to matching the template installation, the script customizes the rules, configures the authentication services (RADIUS or LDAP), and installs the certificates for the Citrix service.

When the PowerShell script has completed, scroll through the log file for any HTTP Error Return Codes such as, 401 or 422. The log file is located in the current working PowerShell directory.

Before running the script to create the Citrix service, edit the script and change the following parameters:

  • LoadMaster admin account and password (account permissions = All Permissions)

  • LoadMaster IP address

  • Options for the use of RADIUS or LDAP. If you require ESP, one should be $True and the other should be $False. If both are set to $False, ESP will not be enabled.
  • Options to use HTML5 Web Sockets, set to $True or $False
  • RADIUS or LDAP domain name such as
  • RADIUS or LDAP server IP addresses

  • RADIUS Shared Secret (if using RADIUS)

  • RADIUS or LDAP test account and password
  • Citrix Store Name such as /Citrix/kempWeb

  • Citrix external FQDN

  • TLS certificate filename, name (alias), and password

  • Intermediate certificate filename and name (alias)
  • Citrix StoreFront Virtual Service IP address

In addition to modifying the script, ensure the following files in the working directory:

  • Text file called storefront.txt containing all StoreFront server IP addresses
  • Text file called vdiservers.txt containing all VDI server IP addresses.
  • TLS certificate in pem or pfx format to use for the Citrix service
  • Intermediate certificate for the TLS certificate in Base64 format
  • If there are additional certificates in the validation chain, you must add these manually to the LoadMaster after running the script.

When you have finished the configuration, continue to the Citrix StoreFront Settings section.

6.2.2 Updating an Existing Citrix Workload

When new VDI servers are added to you Citrix environment, it is necessary to add these to the Kemp LoadMaster. The same Citrix PowerShell command can be executed to create a text file containing the list of VDI servers in the current Citrix "Machine Catalogue".

The Kemp script to install the new VDI servers checks to see if the IP address is already configured and skips it if configured. You do not need to edit the newvdiservers.txt file to delete existing IP addresses. If you do not use the Citrix PowerShell module, you must manually create the newvdiservers.txt file.

Before running the script to add new servers, edit the script and change the following parameters:

  • LoadMaster admin account and password (with account permissions Rules, Virtual Services, and Real Servers)

  • LoadMaster IP address
  • Citrix StoreFront Virtual Service IP address
  • Text file called newvdiservers.txt.

You can create the netvdiservers.txt file by running the below command on the Citrix Studio server to get a list of IP addresses from your newly created "Machine Catalogue":

Get-BrokerDesktop -Filter {CatalogName -eq ' Machine Catalog Name'} | Select-Object -Property IPAddress | Out-File C:\newvdiservers.txt.

6.3 Configure using the Kemp Template

Adding Virtual Services can be both repetitive and prone to error. Kemp have developed a general template mechanism that provides consistency and ease-of-use when creating Virtual Services.

Using templates to set up and configure a Virtual Service is a two-stage process. Initially, you must import the template into the LoadMaster. When imported, you can use the templates when adding a new Virtual Service.

This document outlines the procedure to import the Kemp Citrix Virtual Apps or Desktops template and configure it to control the flow of browser traffic and Citrix Workspace/Receiver traffic. The template creates Virtual Services, Secure Listeners, and content rules.

ESP is only available with Enterprise and Enterprise Plus subscriptions. If you have a Standard subscription on your LoadMaster, you should import the StoreFront_for_Citrix_VirtualApps_and_Desktops_No_ESP template. Otherwise, the LoadMaster UI will generate an error and you will be unable to upload the template.

The downloaded template file contains the following five (5) templates:

  • Citrix StoreFront Gateway: Handles Citrix Virtual Apps and Desktops traffic including Citrix StoreFront Gateway, HTTP redirect, and Connection Server VDI Listener Workspace-Receiver-2598
  • Citrix StoreFront Gateway - HTML5: Handles Citrix Virtual Apps and Desktops traffic including Citrix StoreFront Gateway, HTTP redirect, and Connection Server Listeners (HTML5-8008 and Workspace-Receiver-2598)
  • Citrix StoreFront Gateway - No ESP: Handles Citrix Virtual Apps and Desktops traffic including Citrix StoreFront Gateway, HTTP redirect, and Connection Server VDI Listener Workspace-Receiver-2598. ESP Engine Disabled.
  • Citrix StoreFront Gateway - HTML5 - No ESP: Handles Citrix Virtual Apps and Desktops traffic including Citrix StoreFront Gateway, HTTP redirect, and Connection Server Listeners (HTML5-8008 and Workspace-Receiver-2598). ESP Engine Disabled.

  • Citrix StoreFront Internal: This template handles internal StoreFront connections. No rewriting of the ICA file occurs. The vast majority of this document covers external configurations. For further details on internal configurations, refer to the Citrix StoreFront Internal Configuration section.

6.3.1 Template

Kemp has developed a template containing our recommended settings for this workload. You can install this template to help create Virtual Services (VSs) because it automatically populates the settings. You can use the template to easily create the required VSs with the recommended settings. For some workloads, additional manual steps may be required such as assigning a certificate or applying port following, these steps are covered in the document, if needed.

You can remove templates after use and this will not affect deployed services. If needed, you can make changes to any of the VS settings after using the template.

Download released templates from the Templates section on the Kemp Documentation page.

For more information and steps on how to import and use templates, refer to the Virtual Services and Templates, Feature Description on the Kemp Documentation page.

6.3.2 Import the Template

You can import the Citrix StoreFront Gateway template on the LoadMaster through the Manage Templates screen located under Virtual Services in the main menu of the LoadMaster User Interface (UI).

6.3.3 Citrix StoreFront Internal Configuration

To configure Citrix Virtual Apps internally, select the Citrix StoreFront Internal template from the Use Template drop-down list.

The template is configured for SSL offloading. You can disable this if needed (Virtual Services > View/Modify Services > Modify > SSL Properties > disable SSL Acceleration).

Add your StoreFront Severs to the Virtual Service under the Real Servers section of the Virtual Service Modify screen. No additional configuration is required.

6.3.4 Create and Update the Virtual Services and Secure Listeners (External)

When adding a new Virtual Service, you can select the template from the list of installed templates in the Use Template drop-down list. Selecting a template populates the Port and Protocol of the Virtual Service. When you click Add this Virtual Service, the Virtual Service is created, and the attributes of the Virtual Service are automatically configured by the template. Once loaded, you can modify the Virtual Service in the same way as a manually created one. Authentication

When a client connects to Citrix StoreFront using a browser, they must authenticate using Kemp ESP front-end authentication. This is handled in the StoreFront Browser Auth ESP Virtual Service.

Begin by navigating to Certificates & Security > LDAP Configuration in the LoadMaster UI. Create a new LDAP endpoint by typing a valid name and clicking Add. No special characters or spaces are allowed. Ensure to note the name of the LDAP endpoint because this is required in the next step. Specify the parameters for the LDAP endpoint. For further details on how to configure an LDAP endpoint, refer to the following Knowledge Base article: How to configure an LDAP endpoint.

After configuring the LDAP endpoint, go to Virtual Services > Manage SSO and add a new client-side configuration with an appropriate name.

Then, select the LDAP Endpoint as configured previously and the Domain/Realm as per your Domain Controller settings.

Idle timeout only functions correctly on Virtual Apps & Desktops 7 StoreFront 1912 LTS or later. Idle timeout should be set to a value greater than your Citrix StoreFront where default is 20 minutes. For example, in the screenshot above the idle timeout is set to 1800 seconds (30 minutes). When the idle timeout expires on StoreFront, it sends a logoff string which the LoadMaster will detect and clear the session.

If you are unable to upgrade to StoreFront 1912 set the idle timeout to a full working day on both the LoadMaster and "Sessionstate" on your StoreFront servers (refer to the Appendix for further details on this) otherwise clients must refresh their browser to re-authenticate.

If you would like to configure multi-factor authentication, refer to the following Kemp blog: How to do MFA with Google CAPTCHA using Kemp LoadMaster. Citrix StoreFront Gateway Virtual Service

From the Virtual Services > Add New in the main menu of the LoadMaster UI, select a template that meets your Citrix Virtual Apps and Desktops environment.

This Virtual Service IP address will be configured for your external DNS record, for example which will resolve to a Public IP address where it will be NATed to the Virtual Service IP address. Enter the Virtual Address and click Add this Virtual Service.

The Citrix StoreFront Gateway Virtual Service consists of either two, three, four, or five SubVSs depending on the selected template. These SubVSs are used to authenticate and rewrite your ICA file. The template also creates multiple Secure Listeners which are used to connect securely to your VDI servers.

Expand the SubVSs section and click Modify on the StoreFront Browser Auth ESP SubVS. Expand the Real Servers section and click Add New to add your StoreFront servers. Select the Add to All SubVSs check box (as shown above) so your StoreFront servers will be added to all SubVSs.

After Adding your StoreFront servers, update the health check Citrix Store Name URL. Replace STORENAME with the name of your Store. Modify all SubVSs to update the health check URL (as shown above).

The STORENAME is case sensitive.

On the StoreFront Browser Auth ESP & StoreFront Workspace-Receiver Auth ESP SubVS, update the ESP Options settings of SSO Domain, Allowed Virtual Hosts, Logoff String and Form Authentication Path. For the Logoff String and Form Authentication Path, replace STORENAME with your StoreFront name (as shown above).

For non-ESP deployments, simply update your health check URL in each SubVS.

The STORENAME is case sensitive.

Logoff String: /Citrix/STORENAMEWeb/Authentication/Logoff

Form Authentication Path: /Citrix/STORENAMEWeb/PostCredentialsAuth/Login

6.3.5 Secure Listeners

Each of these secure listeners appear as a Virtual Service under Virtual Services > View/Modify Services in the LoadMaster UI. Modify each of the Virtual Services to add a Real Server (back-end VDI server) which will point to the corresponding VDI IP address that the template created and will be modified in the Modify the Content Rules section.

Each Secure Listener Virtual Service offloads/decrypts the encrypted traffic and forwards on port 2598 for Workspace/Receiver and port 8008 if utilizing HTML5 WebSockets.

Below is an example of how 10 VDI Secure Listeners are mapped to specific VDI servers.

Citrix StoreFront Gateway Template

Workspace VDI:

External VIP

VDI Servers

-> -> -> -> -> -> -> -> -> ->

Once configured, your Virtual Services should resemble the layout shown in the screenshot above.

Citrix StoreFront Gateway - HTML5 Template

Workspace VDI:

External VIP

VDI Servers

-> -> -> -> ->


External VIP

VDI Servers -> -> -> -> ->

Once configured, your Virtual Services should resemble the layout shown in the screenshot above.

6.3.6 Modify the Content Rules

In the LoadMaster UI, go to Rules & Checking > Content Rules from the menu and scroll down to see the Header Modification and Body Modification rules. The template deploys Content Rules starting with Citrix_ and these are applied to the appropriate Virtual Services. Header Modifications

Start by modifying three (3) of the Header Modification Rules:

If deploying without ESP, only one rule (Citrix_Browser_URL) must be updated.

  • Citrix_Browser_URL: Replace STORENAME with your own store name, including the forward slash.
  • Citrix_Delete_AuthID: Replace STORENAME with your own store name, including the forward slash.
  • Citrix_Redirect: Replace the full FQDN and path, including the forward slash.

The STORENAME is case sensitive. Body Modifications

The LoadMaster is going to read the ICA file and take your internal IP address and rewrite it to your external FQDN using a specific secure destination port as outlined in the Secure Listeners section. This is achieved with the following updates to the default body modification rules as shown in the screenshot below.

In the body response rules, replace the internal IP addresses with your own Citrix VDI server IP addresses, as shown above. Ensure to retain port 1494 - only modify the IP address. In some environments the FQDN is returned. In this case, add the FQDN instead of the IP address while also retaining port 1494. If you are uncertain if the ICA file returns an FQDN or an IP address, complete the following steps:

1. Internally, log in to StoreFront.

2. When it asks to detect Receiver, cancel and select Already Installed.

3. Click on an application and download the ICA file.

4. Open using Notepad and note the Address= setting, as shown above.

If port :1494 is not included, then remove it from each of the rules that are shown in the above two screenshots.

In the body modification rules in the LoadMaster UI, change EXTERNAL.DOMAIN.COM in the Replacement text field to be your external URL, as shown above. Again, ensure you do not change the port number as this is associated with your Secure Listener VDI Virtual Service. Adding Additional VDI Server Listeners

You can use the UI to create new VDI listeners and content rules by following these steps:

1. Duplicate an existing Secure Listener. You can do this in the Virtual Service modify screen by clicking Duplicate VIP.

2. Set a new name for the duplicated Virtual Service, such as Citrix - Workspace-ICA VDI-11 and change to a new unique listening port such as 4445.

3. In the Real Servers section, delete the existing Real Server, such as, and add the new VDI server IP address (for example, or FQDN on port 2598 or port 8008 for HTML5.

4. Duplicate an existing Body Response Rule (go to Rules & Checking > Content Rules > Duplicate).

5. Update the Rule Name, Match String, IP address, and update the port in the Replacement text field.

6. Match your new internal IP address and replace it with your secure external URL and with your new unique listening port.

7. Add the rule to the StoreFront Workspace-Receiver Launch App SubVS. In the SubVS, go to Advanced Properties > Show Body Modification Rules > select the new rule name from the drop-down list and click Add. Deactivate Secure Listeners

If you do not require all of the Secure Listeners, you can deactivate or delete them. Kemp recommends you simply deactivate as the Listener might be used in the future.

To deactivate a Secure Listener, follow these steps:

1. In the main menu of the LoadMaster UI, go to Virtual Services > View/Modify Services.

2. Click Modify on the relevant Virtual Service.

3. In the Basic Properties section, uncheck the Activate or Deactivate Service check box to deactivate the Virtual Service.

6.3.7 SSL Certificate

To enable full end-to-end security and provide the ability to re-encrypt on the Citrix Workspace Browser and Citrix Workspace Client Virtual Services, you must install a CA signed certificate.

To do this, in the LoadMaster UI go to Certificates & Security > SSL Certificates. Click Import Certificate and add the appropriate CA signed certificate.

When the certificate is installed, assign it to the StoreFront Gateway Virtual Service and all Secure Listeners.

7 Citrix StoreFront Settings

This section outlines the Citrix StoreFront settings that you must update to support the Kemp solution. These steps are only applicable for external deployments.

It is not necessary to configure a Remote Access Gateway.

7.1 Configure Authentication

Enable HTTP Basic authentication and disable Pass-through from NetScaler Gateway.

7.2 Troubleshooting

For help with troubleshooting, refer to the following Knowledge Base article: How To - Troubleshoot StoreFront for Citrix Virtual Apps and Desktops.

8 Appendix

This appendix outlines how to set the Sessionstate on your StoreFront servers:

1. Go to C:\inetpub\wwwroot\Citrix\STORENAME\web.conf.

2. Locate sessionState timeout and set it to 600 minutes (10 hours).


Last Updated Date

This document was last updated on 28 December 2021.

Was this article helpful?
0 out of 0 found this helpful