Gateway

Configure Citrix Gateway session policies for StoreFront

This article describes how to configure domain-only authentication on Citrix Gateway with StoreFront for users who connect with Citrix Workspace app or a web browser.

StoreFront setup

Minimum requirements

  • Citrix StoreFront 2.x or 3.0

  • Citrix ADC 10.5 and higher

  • Citrix Workspace app for Windows 4.x

  • Citrix Workspace app for Mac 11.8

  • Web browser (Citrix Workspace app for Web)

  • Authentication configured on the Citrix ADC appliance as outlined in CTX108876 - How to Configure LDAP Authentication on a Citrix ADC appliance

  • SSL Certificates configured for StoreFront Server and Citrix Gateway. For details on the following topics, see StoreFront Documentation.

    • Install and set up for StoreFront 2.6

    • Windows 2012 Server Certificates

    • To add an SSL binding to a site

    • Installing and Managing Certificates for Citrix ADC appliance 10.5

Configure Citrix Gateway with StoreFront

Procedures to complete

Create a session policy for web browser-based access

  1. Navigate to Citrix Gateway > Policies > Session.

  2. In the Session Policies tab, click Add.

  3. In Name, type the name of the session policy. For example, Web_Browser_Policy.

  4. In Profile, click Add. The Create Citrix Gateway Session Policy page appears.

  5. Update the required fields and click Create.

  6. On the Citrix Gateway Session Policies and Profiles page, select the session policy.

  7. To add a session profile, go to the Profile field and click Add. The Create Citrix Gateway Session Profile page appears.

    Assign a name to the session profile. You can check the Override Global checkboxes under all tabs to overwrite the inherited values from the global Citrix Gateway parameters. The following configuration example describes the mandatory parameters:

  8. In the Network Configuration tab, configure the following settings:

    • Kill Connections: Specify if Citrix Gateway must disconnect the connections that existed before the user logged on to Citrix Gateway, and prevent incoming connections when the user is connected and split tunneling is disabled.

  9. In the Client Experience tab, configure the following settings:

    • Split Tunnel: Tunnels the traffic only for intranet applications that are defined in Citrix Gateway. Routes all other traffic directly to the internet.

    • Clientless Access: When set to ALLOW, you can access applications without installing the Citrix Secure Access client.

    • Clientless Access URL Encoding: When clientless access is enabled, you can encode the addresses of internal web applications or leave the address as plain text.

    • Clientless Access Persistent Cookie: Set this to Allow to view the state of persistent cookies in clientless access mode. A persistent cookie remains on the user device and is sent with each HTTP request.

    • Advanced Clientless VPN Mode: Enable or disable advanced Clientless VPN mode. The STRICT option blocks the classic clientless VPN mode when using the advanced clientless mode.

    • Plug-in Type: Allows access to network resources by using a single IP address and subnet mask, or by using a range of IP addresses. When disabled, Citrix Gateway sets the mode to proxy, in which you configure the source and destination IP addresses, and port numbers.

    • Single sign-on to Web Application: Enable this option to set single sign-on (SSO) for a session. When the user accesses a server, the user’s login credentials are redirected to the server for authentication.

    • Credential Index: Specify whether you want to use primary authentication or secondary authentication credentials for single sign-on to the server.

    • Single Sign-on with Windows: Enable or disable the Windows auto logon for a session. If a VPN session is established after this setting is enabled, the user is automatically logged on by using Windows credentials after the system is restarted.

    • Client Cleanup Prompt: Set this option if you want Citrix Gateway to prompt you for a client-side cache clean-up when a client-initiated session closes.

  10. In the Security tab, configure the following setting:

    • Default Authorization Actions: Set it to ALLOW to enable users to connect to network resources from iOS and Android mobile devices. Users need not establish a full VPN tunnel to access resources in the secure network.

  11. In the Published Applications tab, enable the following settings:

    • ICA Proxy: Set to ON.

    • Web Interface Address: FQDN of the StoreFront server followed by the path to the store for web.

    • Web Interface Type: Type of the web interface (IPv4/v6).

    • Single Sign-on Domain: NetBIOS name for the domain.

  12. Click Create.

  13. Add an expression.

    1. Click Advanced Policy and then click Expression Editor.
    2. In Expression Editor, select HTTP > REQ > HEADER and then type the parameter, such as CitrixReceiver. For example:

    HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT

    This policy is needed for the Citrix ADC to differentiate between the web browser-based and Citrix Workspace app-based connections. This policy is applied to web browser-based connections.

Create a session policy for Citrix Workspace app for Windows or Mac, and Mobile Devices on Citrix Gateway

  1. Navigate to Citrix Gateway > Policies > Session.

  2. In the Session Policies field, click Add.

  3. In the Name field, type the name of the session policy. For example, Receiver_Policy.

  4. Type in the name of the new session profile in the Configure Citrix Gateway Session Profile window.

  5. In the Client Experience tab, enable the following settings:

    • Home Page: Set to None

    • Split Tunnel: Set to OFF

    • Clientless Access: Set to On

    • Single Sign-on to Web Application: Select the checkbox

    • Plug-in Type: Set to Java

  6. In the Security tab, set Default Authorization Actions to ALLOW.

  7. In the Published Applications tab, enable the following settings:

    • ICA Proxy: Set to ON.

    • Web Interface Address: FQDN of the StoreFront server followed by the path to the store

    • Single Sign-on Domain: NetBIOS name for the domain

    • Account Services Address: Enter the account services address. The last backslash is important. For example, https://accounts.example.com/Citrix/Roaming/Accounts

  8. Click Create.

  9. If you are using a classic policy expression, in the Expression field, add the following information and click Create.

    REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver

  10. If you are using an advanced policy expression, in the Expression field, add the following information and click Create.

    HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver")

    This policy is required for the Citrix ADC to differentiate between the web browser-based and Citrix Workspace app-based connections. This policy is applied for Citrix Workspace app-based connections.
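The two session policies above split traffic on the User-Agent header, so they are only useful if every request matches exactly one of them. The following added example (not Citrix code) models the page's advanced and classic expressions in Python and audits a set of bound policies for gaps and overlaps; the priority numbers, the sample headers and the substring model of CONTAINS are assumptions.

```python
import re

# Advanced form on this page: HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver")[.NOT]
ADVANCED = re.compile(r'^HTTP\.REQ\.HEADER\("([^"]+)"\)\.CONTAINS\("([^"]+)"\)(\.NOT)?$')
# Classic form on this page: REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
CLASSIC = re.compile(r'^REQ\.HTTP\.HEADER (\S+) CONTAINS (\S+)$')

def compile_rule(expr):
    """Turn one of the page's expressions into a predicate over request headers."""
    m = ADVANCED.match(expr) or CLASSIC.match(expr)
    if not m:
        raise ValueError(f"unsupported expression: {expr!r}")
    header, needle = m.group(1).lower(), m.group(2)
    negate = m.re is ADVANCED and m.group(3) is not None
    def rule(headers):
        # Header names are case-insensitive; CONTAINS is modelled as a substring test.
        value = next((v for k, v in headers.items() if k.lower() == header), "")
        return (needle in value) != negate
    return rule

# Policy names are the page's examples; the priority numbers are assumed.
BOUND = [
    (100, "Receiver_Policy", 'HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver")'),
    (110, "Web_Browser_Policy", 'HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT'),
]

def matching_policies(headers, bound=BOUND):
    """Names of every bound policy whose rule is true, lowest priority number first."""
    return [name for _, name, expr in sorted(bound) if compile_rule(expr)(headers)]

def audit(samples, bound=BOUND):
    """Return the samples that match no policy or more than one (gaps, overlaps)."""
    problems = {}
    for label, headers in samples.items():
        hits = matching_policies(headers, bound)
        if len(hits) != 1:
            problems[label] = hits
    return problems

# Constructed sample requests; the User-Agent values are illustrative, not captured.
SAMPLES = {
    "workspace_app": {"User-Agent": "CitrixReceiver/0.0 Windows/10.0 (constructed)"},
    "browser": {"user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    "no_user_agent": {"Host": "gateway.example.com"},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, "->", matching_policies(headers))
    print("gaps or overlaps:", audit(SAMPLES))
```

Because the rule keys on a header that the client supplies, it only selects which session profile applies; authentication and authorization still come from the policies bound to the virtual server.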

Configure authentication on the Citrix ADC appliance

For information about configuring LDAP authentication on a Citrix ADC appliance, see Configuring LDAP Authentication.

Create Citrix Gateway virtual server and bind the session policies

  1. Navigate to Citrix Gateway > Virtual Server and click Add to add a new virtual server.

  2. After the virtual server is created, bind the specific session policy to the virtual server based on your company’s requirements.

Configure authentication for StoreFront

  1. Enable the pass-through authentication from Citrix Gateway on StoreFront. For more information, see Configure the authentication service.

    StoreFront must trust the issuer of the Citrix Gateway virtual server’s bound certificate (root and/or intermediate certificates) for the Authentication Callback service.

  2. Add Citrix Gateway to StoreFront. For more information, see Add a Citrix Gateway connection.

    The Gateway URL must exactly match what users type into the web browser address bar.

  3. Enable remote access on the StoreFront store. For more information, see Manage remote access to stores through Citrix Gateway.
