StoreFront 3.5 through 3.11 – Configuration for NetScaler Gateway

Last Modified: May 28, 2017 @ 11:02 am


This article applies to StoreFront versions 3.5, 3.6, 3.7,  3.8, 3.9, and 3.11.

StoreFront Config for Gateway

  1. See the NetScaler pages for instructions on configuring NetScaler Gateway for StoreFront.
  2. In the StoreFront Console, right-click the Store and click Manage Authentication Methods.
  3. Ensure Pass-through from NetScaler Gateway is selected, and click OK.
  4. If you need the SmartAccess feature, then you need to configure StoreFront to perform an authentication callback to a NetScaler Gateway Virtual Server on the same appliance that authenticated the user.
    1. If you need SmartAccess and are doing Single FQDN then the Callback FQDN must be different than the Single FQDN.
    2. If you need SmartAccess and are doing different FQDNs for Gateway and StoreFront, then the Callback FQDN is usually the same as the Gateway FQDN.
    3. Make sure the StoreFront server can resolve the Callback FQDN to a Gateway VIP (with matching certificate). One option is to edit the C:\Windows\System32\drivers\etc\hosts file and add an entry for the Callback FQDN.
    4. After configuring the HOSTS file, on the StoreFront server, open a browser and navigate to the DNS name. Make sure the Gateway vServer logon page appears.
  5. In the StoreFront Console, right-click Stores, and click Manage NetScaler Gateways.
  6. If StoreFront 3.6 or newer, notice the imported from file link on top. This is a new feature of NetScaler 11.1. See Citrix Blog Post NetScaler Gateway Deployment Configuration for StoreFront, Simplified! for details.

  7. If you’re not using the config file from NetScaler 11.1 and newer, click Add.
  8. In the General Settings page, enter a display name. This name appears in Citrix Receiver so make it descriptive.
  9. Enter the NetScaler Gateway Public URL. This can be a GSLB-enabled DNS name. Click Next.

  10. In the Secure Ticket Authority page, click Add.
  11. Enter the URL to a XenDesktop Controller. This can be http or https.
  12. Continue adding Secure Ticket Authorities (XenDesktop Controllers). Whatever Secure Ticket Authorities you add here must also be added to the NetScaler Gateway Virtual Server on the NetScaler appliance. Click Next.
  13. In the Authentication Settings page, if you have multiple Gateways (on separate appliance pairs) connecting to one StoreFront server then then you’ll need to enter the vServer IP address (VIP) of the NetScaler Gateway Virtual Server so StoreFront can differentiate one NetScaler Gateway from another. If there’s only one Gateway communicating with this StoreFront server group, then leave the VServer IP address field empty.
  14. If you need SmartAccess, then enter the Callback URL.
    • The Callback URL must resolve to any NetScaler Gateway VIP on the same appliance that authenticated the user. For multi-datacenter, edit the HOSTS file on the StoreFront server so it resolves to NetScaler appliances in the same datacenter.
    • The Callback URL Gateway Virtual Server must have a trusted and valid (matches the FQDN) certificate.
    • The Callback URL Gateway Virtual Server must not have client certificates set to Mandatory.
  15. If you don’t need SmartAccess then leave the Callback URL field empty.
  16. If you enabled two-factor authentication (LDAP and RADIUS) on your NetScaler, change the Logon type to Domain and security token. Otherwise leave it set to Domain only.
  17. Click Create.
  18. Then click Finish.
  19. Right-click a store and click Configure Remote Access Settings.
  20. Check the box next to Enable Remote Access.
  21. Leave it set to No VPN tunnel.
  22. Check the box next to the NetScaler Gateway object you just created and then click OK.
  23. Then in the StoreFront console, right-click Server Group and click Propagate Changes.

NetScaler Gateway Logon Page Theme

To make the NetScaler Gateway logon page look like Receiver 3.0 and newer, see one of the following:

Single FQDN


Traditionally Receiver required separate FQDNs for StoreFront Load Balancing (internal) and NetScaler Gateway (external). Recently Citrix made some code changes to accept a single FQDN for both. This assumes that external users resolve the Single FQDN to a NetScaler Gateway VIP and internal users resolve the same FQDN to StoreFront Load Balancing VIP.

Single FQDN has the following requirements:

  • Receivers:
    • Receiver for Windows 4.2 or newer
    • Receiver for Mac 11.9 or newer
    • Mobile Receivers
    • It doesn’t seem to work with Linux Receiver
  • StoreFront 2.6 or newer
  • Split DNS – different DNS resolution for internal vs external
  • NetScaler 10.1 or newer

This section assumes NetScaler Gateway is in ICA Proxy mode. Different instructions are needed for when ICA Proxy is off. See for more information.

If you don’t care about email-based discovery then the configuration of Single FQDN is fairly simple. Sample DNS names are used below. Make sure the certificates match the DNS names.

  1. Internal DNS name = the Single FQDN (e.g. Resolves to internal Load Balancing VIP for StoreFront. Set the StoreFront Base URL to this address.
  2. External DNS name = the Single FQDN (e.g. Resolves to public IP, which is NAT’d to NetScaler Gateway VIP on DMZ NetScaler. Set the NetScaler Gateway object in StoreFront to this FQDN.
  3. If you need SmartAccess, then the Callback URL = any DNS name (e.g. that resolves to a NetScaler Gateway VIP on the same DMZ NetScaler appliance that authenticated the user.

    • Callback is optional if you don’t need SmartAccess features.
    • The callback DNS name must be different than the Single FQDN.
    • Your external NetScaler Gateway certificate could match both the Single FQDN and the Callback FQDN. Or you can create separate NetScaler Gateway Virtual Servers on the same appliance with separate certificates that match these FQDNs.
  4. Internal Beacon = any internal website URL that is not externally accessible. You can’t use the Single FQDN as the Internal Beacon. Ideally, the Internal Beacon should be a new DNS name that resolves to the StoreFront Load Balancing VIP. However, this requires the StoreFront Load Balancing Virtual Server to have a certificate that matches both the Single FQDN and the Internal Beacon. See CTX218708 How to Configure Internal Beacon for Single FQDN on StoreFront.

    • If are using Receiver for iOS internally then be aware that Receiver for iOS handles the Internal Beacon differently than Receiver for Windows. Receiver for iOS will append /Citrix/Store/discovery to the Internal Beacon and thus it only works if the Internal Beacon DNS name resolves to the StoreFront server. Since you can’t use the StoreFront Base URL as the Internal Beacon you’ll need a different DNS name that resolves to the StoreFront servers and matches the StoreFront certificate. Note: if you are not allowing internal iOS devices then this isn’t needed.
  5. Make sure the DMZ NetScaler resolves the Single FQDN to the internal StoreFront Load Balancing VIP. You typically add internal DNS servers to the NetScaler. Or you can create a local Address Record for the Single FQDN.
  6. In the NetScaler Gateway Session Profiles, set the Web Interface Address and the Account Services Address to the Single FQDN.

  7. That’s all you need to implement Single FQDN. If you made changes to an existing StoreFront deployment, then you might have to remove accounts from Receiver and re-add the account.

If you need email-based discovery then here’s an example configuration for ICA Proxy NetScaler Gateway:

  • External DNS:
    • resolves to public IP, which is NAT’d to NetScaler Gateway VIP on DMZ NetScaler.
    • If email-based discovery, SRV record for points to
  • External publicly-signed certificate for NetScaler Gateway:
    • One option is wildcard for * Assumes email suffix is also
    • Another option is the following Subject Alternative Names:
      • – for callback URL. Only accessed from internal.
        • Or you can create a separate Gateway vServer for callback with a separate certificate.
      • If email-based discovery,
  • Internal DNS:
    • resolves to Load Balancing VIP for StoreFront
    • – resolves to NetScaler Gateway VIP on DMZ NetScaler. For authentication callback.
    • For the internal beacon, FQDN of any internal web server. Make sure this name is not resolvable externally.
    • If email-based discovery, SRV record for points to
  • Internal certificate for StoreFront Load Balancing: publicly-signed recommended, especially for mobile devices and thin clients. Also can use the external certificate.
    • One option is wildcard for * Assumes email suffix is also
    • Another option is the following Subject Alternative Names:
      • If email-based discovery,

StoreFront Configuration:

  • Base URL =
  • Internal beacon = Or FQDN of internal web server. Make sure it’s not resolvable externally.
  • Gateway object:
    • Gateway URL =
    • Callback URL =

Receiver for Web session policy (basic mode or ICA Only is checked):

  • Policy expression = REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver
  • Client Experience tab:
    • Home page =
    • Session Timeout = 60 minutes
    • Clientless Access = Off
    • Clientless Access URL Encoding = Clear
    • Clientless Access Persistent Cookie = Deny
    • Plug-in Type = Windows/Mac OS X
    • Single Sign-on to Web Applications = checked
  • Security tab:
    • Default authorization = ALLOW
  • Published Applications tab:
    • ICA Proxy = On
    • Web Interface address =
    • Web Interface Portal Mode = Normal
    • Single Sign-on Domain = Corp

Receiver Self-Service session policy (basic mode or ICA Only is checked):

    • Policy expression = REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
    • Client Experience tab:
      • Session Timeout = 60 minutes
      • Clientless Access = Off
      • Clientless Access URL Encoding = Clear
      • Clientless Access Persistent Cookie = Deny
      • Plug-in Type = Java
    • Security tab:
      • Default authorization = ALLOW
    • Published Applications tab:
      • ICA Proxy = On
      • Web Interface address =
      • Web Interface Portal Mode = Normal
      • Single Sign-on Domain = Corp
      • Account Services address =

Multiple Datacenters / Farms

Multisite NetScaler Gateway and StoreFront Design

If you have StoreFront (and NetScaler Gateway) in multiple datacenters, GSLB is typically used for the initial user connection but GSLB doesn’t provide much control over which datacenter a user initially reaches. So the ultimate datacenter routing logic must be performed by StoreFront.

StoreFront chooses datacenters at the farm level. Thus StoreFront assumes that each datacenter has a separate XenApp/XenDesktop farm.

  • Citrix is beginning to add more zone-based features to support single farms stretched across datacenters, but this functionality is not yet fully realized. The current challenge with stretched farms is that SQL is in only one datacenter.

StoreFront can enumerate icons from multiple farms. If there are identical icons in multiple farms, then the icons can be aggregated so that only a single icon is displayed to the user. When the user clicks the icon, StoreFront then needs to select a datacenter (select a farm). This is typically done based on the user’s Active Directory group membership. Farms can be prioritized (active/passive). Or farms can be active/active load balanced.

After the datacenter (farm) is selected, Optimal Gateway directs the ICA connection through the NetScaler Gateway that is closest to the destination VDA. Optimal Gateway requires datacenter-specific DNS names for NetScaler Gateway.

There are two methods of configuring icon aggregation in StoreFront:

  • The StoreFront Console can do simple configurations – The console supports a single aggregation group and active/passive configurations for multiple Active Directory user groups. One Active Directory user group could have Farm A as active and Farm B as passive. A different Active Directory user group could have Farm B as active and Farm A as passive. This is also known as “Home Sites”
  • Complex configurations can be performed in XML files – For example, you can load balance connections across two identical farms (active/active). See Citrix Docs – Set up highly available multi-site store configurations

Note: if you have existing subscriptions/favorites, then enabling icon aggregation will cause the existing subscriptions to be ignored. You can migrate the existing subscriptions by exporting, modifying, and importing. See Subscriptions Missing after Enabling Aggregation at Citrix Discussions.


Here’s a typical active/active XenApp/XenDesktop configuration:

  • Farms: Separate XenApp/XenDesktop farms in each datacenter. This is required for two reasons: HDX Optimal Routing, and assigning users to Home Sites.
    • Zones are not yet an effective option. Citrix is still working on adding zone functionality.
  • NetScaler Gateways: For AppFlow reporting, NetScaler Gateway ICA Proxy is typically used both externally and internally. Externally it is required. Internally it is used to generate AppFlow data.
  • FQDN: Internal users and external users use the same FQDN (e.g.
    • Externally, resolves to a NetScaler Gateway VIP.
    • Internally, resolves to a StoreFront Load balancing VIP. This allows pass-through authentication. If the internal DNS name resolved to a NetScaler Gateway VIP then pass-through authentication would not work. However, NetScaler Gateway is sometimes needed internally for certain authentication configurations (e.g. Smart Card, SAML, two-factor, etc.)
  • Delegation: is delegated from internal DNS and public DNS to NetScaler ADNS (internal and external).
    • This DNS name is bound to one NetScaler GSLB vServer that has two active GSLB services. If internal, the GSLB services contain the internal StoreFront Load Balancing VIP in each datacenter. If external, the GSLB services contain the public NetScaler Gateway VIP in each datacenter.
    • You can use a proximity GSLB load balancing method to select the closest datacenter.
    • GSLB persistence is required for the duration of the StoreFront session. GSLB vServer Source IP persistence is probably not effective internally so GSLB Service Site Persistence (cookies) is preferred. Or GSLB static proximity can take care of persistence.
    • For the public DNS name, NetScaler in one datacenter must monitor the Internet circuit in the other datacenter so it doesn’t give out the public IP of the other datacenter if that datacenter’s Internet circuit is down. One option is to bind a TCP monitor to the remote GSLB service. The TCP monitor contains the public IP address of the NetScaler Gateway in the remote datacenter.
  • Single NetScaler: If one NetScaler is doing GSLB for both internal and external:
    • You probably want different GSLB monitoring methods for internal vs external. If Internet goes down in one of the datacenters, then you probably don’t want that to affect internal GSLB. This also means that MEP must be routed across the internal DCI (datacenter interconnect) instead of across the Internet.
    • You can’t bind the same DNS name to two different GSLB vServers. One workaround is to configure external GSLB for and configure internal GSLB for The internal DNS servers have a CNAME (alias) from to so that the DNS request that reaches internal NetScaler ADNS is actually for Then you can have two different GSLB vServers with different GSLB services with different monitoring configurations.
  • StoreFront Server Groups: Separate StoreFront Server Groups in each datacenter.
    • Citrix doesn’t support stretching a single StoreFront Server Group across a WAN link.
    • Each Server Group is configured identically. You can export the config from one Server Group and import it to the other. Or configure each of them separately but identically. Identical means: same Base URL, same farms (Manage Delivery Controllers), same SRID, same Gateways, and same Beacons.
    • If subscriptions/favorites are enabled, use PowerShell commands to configure subscription replication between the two Server Groups.
  • StoreFront Load Balancing: StoreFront load balancing VIP can be active/passive. Active = the StoreFront servers in the local datacenter. Passive = the StoreFront servers in the remote datacenter.
    • Create two Load Balancing vServers: one for local StoreFront, one for remote StoreFront. In the Active (local) Load Balancing vServer, add the Protection section and configure the Backup (remote) vServer.
    • This configuration allows you to configure NetScaler Gateway Session Policies with the IP address of StoreFront Load Balancing instead of a GSLB DNS name. The active/passive VIP allows NetScaler Gateway to connect to StoreFront even if StoreFront in the local datacenter is down.
  • Icon aggregation: Configure StoreFront to aggregate icons from the two farms as detailed below.
    • Use AD groups to specify a user’s home datacenter as detailed below. The user’s roaming profile and home directory are in the user’s home datacenter.
    • Configure farm priority based on AD groups. For an aggregated icon, the AD group determines which farm the icon is launched from.
  • HDX Optimal Routing: Use HDX Optimal Routing to route ICA traffic through the NetScaler Gateway that is closest to the destination farm. This requires datacenter-specific DNS names (e.g.,
    • The datacenter-specific DNS names are delegated to NetScaler ADNS.
    • NetScaler GSLB for these DNS names is configured for active/passive: if the specific datacenter is up, then give out that IP. If the specific datacenter is down, then give out the IP of the other datacenter.
    • The GSLB Services contain the internal or public VIPs of NetScaler Gateway in each datacenter.
    • If these DNS names are added to StoreFront for both Authentication and HDX Routing, then you can use one of these DNS names to connect to StoreFront in a specific datacenter. This is helpful for testing.
  • STAs: each StoreFront Server Group uses STAs in the local datacenter. Since ICA Traffic could end up on either NetScaler, all STAs must be added to all NetScaler Gateways.
  • Beacons: the internal beacon is critical. If the internal beacon is down then Receiver Self-service won’t be able to determine if the client device is internal or not. GSLB can be used for the internal beacon DNS name.

Icon Aggregation and Home Sites

To configure icon aggregation using the StoreFront Console:

  1. In StoreFront Console, go to Stores, right-click your Store, and click Manage Delivery Controllers.
  2. Add multiple farms. Typically, each datacenter is a separate farm.
  3. After adding multiple farms, the Configure button becomes available. Click it.
  4. If you are publishing identical resources from multiple farms, click the link to Aggregate resources.
  5. Select the farms with identical resources that you want to aggregate.
  6. If StoreFront 3.6 and newer, notice the new checkboxes on the bottom. You can now load balance farms instead of doing farm failover only. If load balancing farms, the farms no longer need to be identical.
  7. Click Aggregate. Click OK when done.
  8. Note: if you have existing subscriptions/favorites, then enabling icon aggregation will cause the existing subscriptions to be ignored. You can migrate the existing subscriptions by exporting, modifying, and importing. See Subscriptions Missing after Enabling Aggregation at Citrix Discussions.
  9. Click Map users to controllers.
  10. If you want the same farm failover (active/passive) or farm load balancing (StoreFront 3.6 and newer) settings for everyone, then leave the User Groups page set to Everyone. Or if you intend to have different home sites for different users, add a user group that contains the users that will be homed to a particular datacenter. You can run this wizard multiple times to specify different home sites for different user groups. Click Next.
  11. In the Controllers page, click Add.
  12. Select the farms that these users will have access to, and click OK.
  13. If you configured farm aggregation without load balancing, then use the up and down arrow buttons to put the active site on top. The lower priority sites will only be accessed if the primary site is down. You can run this wizard multiple times to specify different active sites for different users.
  14. If farm aggregation is configured for load balancing (StoreFront 3.6 and newer), then there are no arrows to prioritize the farms.
  15. Click Create.
  16. You can click Add to add more user mappings. If you add multiple user groups, you can assign different primary farms to each Active Directory group. This is how you configure “home sites”. Click OK twice when done.

Shaun Ritchie Citrix StoreFront High Availability and Aggregation – A dual site Active Active design has a sample multi-site configuration using XML Notepad and explains how to use the Primary and Secondary keywords to override farm priority order.

Citrix Blogs StoreFront Multi-Site Settings: Some Examples has example XML configurations for various multi-datacenter Load Balancing and failover scenarios.

When Citrix Receiver switches between StoreFront servers in multiple datacenters, it’s possible for each datacenter to be treated as a separate Receiver site. This can be prevented by doing the following. From Juan Zevallos at Citrix Discussions: To have multiple StoreFront deployments across a GSLB deployment, here are the StoreFront requirements:

  • Match the SRID – in StoreFront, if you use the same Base URL in the 2 separate installations, then the SRID should end up being identical. If the Base URL is changed after the initial setup, the SRID doesn’t change. The SRID can be safely edited in the \inetpub\wwwroot\Citrix\Roaming\web.config file. It will be replicated into the discovery servicerecord entry in the Store web.config which can be edited as well or refreshed from the admin console by going into Remote Access setup for the store and hitting OK. Make sure to propagate changes to other servers in the group.
  • Match the Base URL
  • Match the Delivery Controller names under “Manage Delivery Controllers” – The XML brokers can be different, but the actual name of the Delivery Controller/Farm must be identical. Here’s the exact setting I’m referring to:

If you are running XenApp / XenDesktop in multiple datacenters, you must design roaming profiles and home directories correctly.

HDX Optimal Routing

The Optimal Gateway feature lets you override the NetScaler Gateway used for ICA connections. Here are some scenarios where this would be useful:

  • Multi-site Load Balancing. If the icon selected by the user is published from XenApp/XenDesktop in Datacenter A, then you probably want the ICA connection to go through a NetScaler Gateway Virtual Server in Datacenter A. If the main DNS name for accessing NetScaler Gateway is GSLB load balanced across datacenters, then you need additional datacenter-specific DNS names so you can control which datacenter the ICA connection goes through. Note: Optimal Gateway is applied at the farm/site level or zone level (for stretched 7.7+ farms).
  • NetScaler Gateway for internal connections (AppFlow). If you want to force internal users to go through NetScaler Gateway so AppFlow data can be sent to Citrix Insight Center then you can do that using Optimal Gateway even if the user originally connected directly to the StoreFront server. See CTX200129 How to Force Connections through NetScaler Gateway Using Optimal Gateways Feature of StoreFront for more information.
  • The NetScaler Gateway Virtual Server requires user certificates. If ICA traffic goes through a NetScaler Gateway Virtual Server that requires user certificates (e.g. Smart Card), then each session launch will result in a PIN prompt. To prevent these extra prompts, build a separate NetScaler Gateway Virtual Server that doesn’t have user certificates as Mandatory. Use Optimal Gateway to force ICA connections through the other NetScaler Gateway Virtual Server. Note: SmartAccess Callback URL also cannot use a NetScaler Gateway Virtual Server where client certificates are set to Mandatory so the extra NetScaler Gateway Virtual Server would be useful for that scenario too.

Optimal Gateway can be configured in the StoreFront Console:

  1. Right-click Stores, and click Manage NetScaler Gateways.
  2. Add more Gateways: one for each datacenter.
  3. When adding a Gateway, you can designate a Usage or role. The Gateway accessed through the active/active GSLB DNS name should be set to Authentication and HDX routing.
  4. The Gateways for Optimal Routing could be set to HDX routing only. Or if test users will use these datacenter-specific DNS names to connect to Gateways in specific datacenters, leave them set to Authentication and HDX routing. There’s no harm in leaving all of the Gateways set to Authentication and HDX routing.

  5. Go to Stores, right-click a store and click Configure Store Settings.
  6. Go to the Optimal HDX Routing page.
  7. Highlight one of the datacenter-specific Gateways and click Manage Delivery Controllers.
  8. Select the farms that are accessible through this gateway and click OK.
  9. Repeat for the other datacenter-specific Gateways. The Gateway for the active/active GSLB-enabled DNS name doesn’t need any farms associated with it.
  10. If you only want the Gateways to be used for external users, check the boxes for External only. Otherwise the Gateway routing will be used for both internal and external connections.
  11. Another option for Optimal Gateway selection is zones. In XenApp/XenDesktop 7.7 and newer, you can stretch a farm across datacenters (zones) and use a different Gateway for each zone. Highlight a Gateway. Click Manage Zones and add the zone name. This assumes the zone name has also been specified in the Manage Delivery Controllers dialog box > Advanced Settings.
  12. Click OK when done.
  13. In summary, users will connect to the GSLB-enabled Gateway and login. After clicking an icon, HDX will be routed through one of the datacenter-specific Gateways based on the farm the icon was launched from.

Multiple Gateways (GSLB) to One StoreFront

This section applies to SmartAccess and the Callback URL. If you don’t need SmartAccess then skip this section.

The Callback URL must go to the same appliance that authenticated the user. If you have multiple appliance pairs communicating with a single StoreFront server, then StoreFront needs to identify which NetScaler appliance pair the request came from so it can perform a callback to that appliance pair.

If each of the NetScaler Gateways uses the same DNS name (GSLB), then you can’t use the DNS name to distinguish one appliance from the other. Instead, StoreFront can use the Gateway VIP to distinguish appliances so the callback goes to the correct appliance.

  1. Create datacenter-specific callback DNS names. For example: and
  2. The datacenter-specific callback DNS name must match the certificate on the NetScaler Gateway Virtual Server. Here are some options to handle the certificate requirement:
    • On the main NetScaler Gateway Virtual Server, assign a wildcard certificate that matches both the GSLB name and the datacenter-specific callback name.
    • On the main NetScaler Gateway Virtual Server, assign an SSL certificate with Subject Alternative Names for both the GSLB name and the datacenter-specific callback name.
    • Create an additional NetScaler Gateway Virtual Server on the appliance. Bind a certificate that matches the datacenter-specific name.
  3. In the StoreFront console, create multiple NetScaler Gateway appliances, one for each datacenter.
  4. Give each of the gateway objects unique names.
  5. Enter the same NetScaler Gateway URL in all of the gateway appliances.
  6. In the VServer IP address field, enter the Gateway VIP for this particular appliance pair. StoreFront will use this VIP to distinguish one NetScaler appliance from another.
  7. The callback URL must be unique for each NetScaler appliance pair (e.g. The callback URL must resolve to a NetScaler Gateway VIP on the same appliance pair that authenticated the user.
  8. Configure name resolution for the datacenter-specific callback DNS names. Either edit the HOSTS file on the StoreFront servers or add DNS records to your DNS servers.
  9. When enabling Remote Access on the store, select both Gateway appliances. Select one as the default appliance.

Related Pages

83 thoughts on “StoreFront 3.5 through 3.11 – Configuration for NetScaler Gateway”

  1. hi Carl,

    Currently, I have one store, users come in externally thru Netscaler Internally, they go to storefront directly via Receiver SSO is my base URL for storefront.

    We have a requirement to add netscaler internally to be able to do 2 factor auth.

    Should I create the internal netscaler VIP the same as my base URL so that users don’t have to update the receiver settings?

    Since its on the same domain netscaler and storefront, do I use the same IP and DNS name ( for the set up on storefront and netscaler? would that work?

    1. It will probably work. This is known as Single FQDN since you’re using the same FQDN for StoreFront and NetScaler Gateway. The DNS name needs to resolve to the Gateway. The StoreFront servers need Loopback enabled and set to OnUsingHttp. The Internal Beacon address must be something different than the Single FQDN. Add the Single FQDN into StoreFront as another Gateway object and bind it to the store. Note: your Store will have two Gateways – one for, and another for But only one of them can be the default (probably Since you’re adding a Gateway, which modifies the provisioning file, you’ll probably need to remove accounts from Receiver and re-add.

      1. thank you carl

        Right now if I add to my receiver the external address,, it will connect thru netscaler at first when when I check the account settings it has the internal base URL on the receiver settings –….

        is this because of the internal beacon pointing to the base URL?

        Is there a way to turn off access to the storefront directly, forcing users to come thru netscaler?

          1. Good information.

            Alternatively to accomplish what I want to do by having my internal users all go thru the netscaler and be prompted for 2 factor everytime they launch the receiver , without having to update the receiver settings.

            I was thinking about changing the base URL to something else:

            base URL: base.domain,com
            external netscaler:
            internal netscaler: (which is what their current receiver is pointing to so I don’t have to change this)

            although, after reading the article its says that the: “Gateway will connect to its configured Account Services address, and download the Provisioning File from StoreFront” and “The actual connection process is controlled by the contents of the Provisioning File, not the Discovery address.”

            does this mean that it will send users to and after the initial pull they will not longer be prompted to enter 2 factor auth? essentially going to the storefront directly

          2. Yep. If the Internal Beacon is reachable, then Receiver will connect directly to the Base URL. When you entered for Discovery has no effect on how Receiver actually connects.

  2. BIG Thanks Carl for your work! Im studying citrix and have a one question:
    “How can I set up authentication with a token and a domain account ? That is, external users (third party users) must log in through the token (the usb key with the certificate issued in my organization), and the users from my organization under the domain account. Which way to look to set it up?”
    I have one netscaler, one storefront and one store
    Thanks for any help!

    1. Internal users authenticate directly with StoreFront, which is domain only.

      External users authentication with NetScaler Gateway, which has both configured.

      If you want organization PCs to skip two-factor when external, then one option is nFactor for Gateway.

      1. I probably didn’t write correctly. I mean, internal users are users from my organization who work remotly
        over internet (not used any vpn). They have domain account and want connect citrix use domain auth . External users are users not from my organization and we give them tokens. Can they both (internal and external users) connect to store though Netscaller ?

          1. In fact, in any case, a domain account will be used independently by an internal or external employee. There are differentiation at the policy level. One user can access by token, another by login / password. And if possible, divide it in authorization groups.

          2. How do you distinguish one vs the other? What does “policy level” mean? Are you saying that internal users are in one OU but external users are in a different OU?

  3. Carl,

    I have a client that is wanting external traffic to route through a netscaler in the DMZ and internal traffic to route through a different netscaler in the secure network. Just when I thought I had something working, I ran in to another issue. Currently, I reach storefront from both netscalers, but receiver continously says Connection in progress on the internal Netscaler. External authenticates and delivers applications without issue. Any help would be greatly appreciated.

    1. Same DNS name for internal and external?

      Has it ever worked internally?

      Is ICA Only checked on the internal Gateway?

      1. Same DNS name for both internal and external.

        Internal worked prior to getting external to work. If I move the DDCs to each gateway in HDX Routing, I can get either one to work at any given time but never both at the same time.

        ICA only is checked on both right now.

          1. I have two because I was under the impression that in order to get both external and internal to work with SSO, I needed to have a callback for both going to each netscalers NG VIP. Correct me if I am wrong.

          2. Callback is not needed for SSO. Callback is needed for SmartAccess and FAS, but not SSO. If you don’t need Callback, then remove it, remove the second gateway object, and see if that works.

          3. Also, I figured I would mention, when I get it to work internally, what I am seeing externally is this.


            It is treating external connections as though they are in internal connection. What would cause this to not perform the SSL offload.

  4. Carl is possible to deploy a provisional file .CR with SCCM because I need configure 100 accounts with receiver and one store configure with second factor on NS.

    1. It looks like you can run “C:\Program Files (x86)\Citrix\ICA Client\Receiver\SRProxy.exe” “PathToCRFile”. However, I’m not sure if this can be run silently.

      A better option is to use group policy to delivery the Store address to Receiver.

  5. Good article, nice details. It got me about 98% success. The one thing that I had to do that wasn’t mentioned is that the Certificate used on both the Netscalers and Storefront servers has to have the Callback URL listed as a SAN on it. Without the URL on the Certs I continued to get “Cannot complete your request” errors

    1. The certificate on the Callback URL destination has to be valid: name matches, not expired, trusted. Name matches could include subject alternative names. Or you can have a different Gateway VIP with a different regular certificate.

  6. Hi Carl, I had some questions regarding designing a global Citrix XenDesktop/XenApp with a single FQDN URL to be used across 3 regions (North America, Europe, & Asia Pacific) that are 3 POD sites (some with zones). The details:

    NA is POD site 1 and is the primary zone. This is where the SQL database exists. It also has a secondary satellite zone. Each zone will have their own controllers, storefronts, & VDAs.

    EU is POD site 2 and is the primary zone. This is where the SQL database exists. It also has a secondary satellite zone. Again each zone will have their own controllers, storefronts, & VDAs.

    AP is POD site 3 and is the primary zone by default and no other zones will exist. So here the SQL database exists, controllers, storefronts, VDAs, etc.

    Each zones across the regions have NetScaler presence (whether virtual or physical).

    My questions are:

    What would be the best way to have all these zones\sites use 1 single FQDN URL?

    For internal users they should be able to connect to their local SF VIP?

    For external user, not so sure, but am thinking maybe to implement a NS gateway at the primary zones only?

    But then how would it distinguish the public IP for the single URL all the way back to the translated NS gateway IP?

    Are there any things I can do with Unified GW back at POD 1 which is the headquarters?

    Any help would be appreciated.

    1. It depends on what you want to do. One option is GSLB for both public and internal names, with dynamic or static proximity. Once a datacenter is chosen, use HDX Optimal Gateway to send the ICA traffic through a Gateway in the same datacenter as the VDA, or a Gateway that’s closest to the user, depending on which has better connectivity. You would need datacenter-specific DNS names for Optimal Gateway. For closest Gateway, regular GSLB proximity should work.

      But this design could require quite a bit of discussion, so it’s best if you work with a Citrix Partner or Citrix Consulting.

  7. Carl, I’m trying to set up a single FQDN, but I’m having some trouble. I have a small customer who has only one StoreFront box. For the internal DNS entry, is that supposed to be pointed at the NetScaler Gateway VIP? Or, is that supposed to be pointed directly to StoreFront? I have it pointed to the VIP currently, but the firewall is showing resets when trying to connect. Any help would be greatly appreciated.

    1. For Single FQDN, the internal name resolves to the StoreFront servers (load balancing VIP). External resolves to the public Gateway VIP. If you need Callback URL, then you need a separate DNS name. And the Internal Beacon cannot be the Single FQDN.

  8. Hi Carl,
    Could you explain more about you sentence “Citrix doesn’t support stretching a single StoreFront Server Group across a WAN link” What about in the case that we are using a high speed WAN link ?
    Thanks in advance

    1. Like a Metro Cluster? That’s probably OK.

      Otherwise you can call support to get their official support statement on your configuration.

  9. Dear Carl
    Could you exlain more your above sentence “doesnt support a single storefront group across a wan link” What in the case that we are using a high speed wan link?

  10. Hi Carl,

    I have configured with different port no 8445 VIP - in load balancing for two storefront servers(port 443) and configured browser policy for netscaler access gateway.

    When i am login with username and password for external access gateway URL. I am getting error page HTTP service is unavailable.

    Is it work with different port 8445 load balancing VIP( in browser policy.

  11. HI Carl,

    Can you please help me with a problem i’m having with my Storefront 3.6 Server firstly here’s my setup.

    Main Site – 2xDCs (load Balanced), 2xSFs (load Balanced), Multiple VDAs being used as Server OS all connecting via Netscaler. on this Site everything is working fine without any problems.

    Now I’m setting up a second site which is Geographically dispersed (in another State) – I created a second Zone .

    Sattelite Site – 1xDC, 1xSF, Mulitple VDAs also being used as Server OS all connecting via a Netscaler (they have their own internet connection).

    Now the problem i’m having is that I can logon fine to the Storefront Website address however I don’t get any Apps or Desktops and I noticed this error message
    in the logs.

    “An error occurred while attempting to connect to the server on port 80. Verify that the Citrix XML Service is running and is using the correct port.
    If the XML Service is configured to share ports with Microsoft Internet Information Services (IIS), verify that IIS is running. This message was reported from the XML Service at address The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.”

    When I run a BrokerSerivce this is what I get.
    C:\Program Files\Citrix\Broker\Service>BrokerService.exe /show
    SDK Port: 80
    VDA Port: 80
    StoreFront Port: 80
    StoreFront TLS Port: 443
    Log File:

    I’ve checked the Delivery Group and there is a Desktop Published which I have access to I’ve even add my name in directly from AD.

    Any thoughts on what I’ve done wrong here.


    1. Any firewalls between StoreFront and Controller? Can you telnet from StoreFront to Controller?

      Any traffic inspection (e.g. IPS)?

      Any security software on the Controller that might be interfering?

  12. Dear Carl,

    our Storefront works now very well in combination with our double hop Netscaler and without CVPN.
    But have you got an idea to implement Storefront specially with CVPN (Clientless VPN) on an Unified Gateway configuration?
    I’m struggling around with the I-Frame error, Storefront is not accessible within the CVPN portal.

    Best Regards,


      1. Thanks Carl, yeah, that works, but the is quite buggy, I had many logout in the Admin GUI while configuring the portal theme. It seems, that I have to wait for the next release, and hope, that the “Known Bugs” would not grow again and again 🙂

  13. Dear Carl,
    I’m struggling a little bit with the authentication on my Citrix Receiver.
    We have 2-factor auth on the external Netscaler (UG, NS 11.0.66), 1st LDAP, 2nd Radius. The browser based authentication works fine, but the Citrix Receiver would like to have the input vice versa, that means password 1 is Radius, and password 2 is LDAP. Is there a requirement, that Radius needs to be the first option?

    Until NS 10.5, we had Radius as the 1st, and LDAP as the 2nd option, but we have changed the HTML code, so that the webpage shows LDAP as the first, and Radius as the 2nd option. This is due to the better user expierience, because Radius is a one time code and it is easier to enter first the LDAP password, and then the one time code (due to the lifetime of the code). With NS 11 we love to use the portal theme, but we had to changed the auth order. As I wrote before, web-based authentication works fine, but the receiver would like to use Radius 1st….

    This all came up, because we would like to move the productive system from Webinterface and 10.5 to Unified Gateway with Storefront. Within my tests I came to this point, where password1/2 gives us a little show stopper.

    Did it mean by the end of the day, that I need a different UG, where only Receiver traffic will arrive, and I can use Radius as the 1st, and LDAP as the 2nd option?

    Best Regards,


  14. Hi Carl,

    Great post thank you. I have built a PoC on Azure and looking for options to make the 2 regions highly available (Active/Active). Have you had any experience with deploying NetScalers between 2 Azure regions load balancing StoreFront servers at each location? I am stuck between using NetScaler vs. Azure Load Balancer vs. Application Gateway vs. Traffic Manager. Each has its own features and disadvantages and I was hoping you could share your past experiences.
    There’s not much out there !

    1. If you only care about StoreFront and aren’t worried about ICA traffic, then any load balancer will probably work. However, if there’s any NAT, then only NetScaler Gateway can handle the ICA traffic.

  15. Hi Carl,

    We’re having a difficult time getting Receiver for Android 3.9.x to work through Netscaler 11.1/Storefront 3.6 with XenApps 7.9 on the backend. The environment works fine for Receiver for Windows and within Android receiver, when you first add the site, the “Type” is set to “Storefront Web UI” and works fine, but I want it to work through the “Access Gateway” type instead. I keep getting “An error has occurred while connecting. Check your server address and data connection.”

    I’ve been working with citrix support for just over a week now without resolve. I originally built the test site using the wizard on the NS, but as one of the troubleshooting options, I was asked to rebuild the site on NS manually instead. So I did and the error persists.

    At one point, I had a CNAME redirecting to which support thought that might be an issue, so that is also removed. Error persisted.

    I should note that in iPhone or iPad, it works fine, as well as on Macs/Windows workstations. Just Android that’s driving me nuts! I gave Citrix support a test account for them to try on their Android device, they would get the same error.

    Android test: Samsung Note 5 running current os from Verizon.

    I’ve searched and reviewed all I could find on this issue to no avail. Any additional thoughts or experience you could share with me to help resolve this would be forever greatly appreciated.

    Richard M.

  16. I kept getting “http/1.1 Service unavailable” no matter how I configured the policies and the Unified Gateway.

    The Unified Gateway wizard (which I didn’t use for this customer implementation for configuration, I just copied the relevant parts manually) uses the expression “is_vpn_url” for the non-addressed NS GW in the content Switching policies. Apparently this had something to do with my problem, since when I changed the expression to “http.req.hostname.eq(“{myportalfqdn}”)”, it started working.

    Could I go wrong here with something else?

    I’m running NS 11.0 build 66.11.

    I also noticed I could leave the ICA Proxy ON and still use RDP Proxy on the same GW, with same session policy.

    I also have some challenges with publishing reverse proxy stuff via UGW (, but this doesn’t fit under the StoreFront topic.

    1. If you’re trying to access StoreFront, then change the CSW expression to: is_vpn_url || HTTP.REQ.URL.STARTSWITH("/Citrix")

  17. Carl, you state that ” Receiver for iOS will append /Citrix/Store/discovery to the Internal Beacon ” what about coming in through Netscaler Gateway 11 to Storefront 3.5? I am getting this:

    The address given did not provide a valid App list.


    1. If you look in the Receiver logs, does it detect your connection as OUTSIDE? If so, does your Gateway FQDN resolve to the Gateway VIP? Otherwise, make sure the session policies are configured correctly (Java instead of Windows/Mac OS X).

  18. Carl,

    I have not been able to get an answer from Citrix on this so I thought I would ask you.

    We have a pair of Netscalers on our DMZ that communicate back to our internal Storefront servers (2 running SF 3.5)

    Sometimes when users authenticate via the NetScaler and then get sent over to StoreFront to enumerate the applications the users will see an error of:

    ‘cannot start session. wait a few minutes and try to logon again. if you still experience problems, contact your help desk.’

    Then when they click ‘logoff’ they sometimes get:

    ‘Logoff error : If any apps are still running, please exit them manually. Please close your browser to log off.’

    I have verified the XML request are trusted, and on the netscaler Persistance is set on the service group for SSLSESSION.

    Have any idea of what it could be?

    1. When you say “NetScalers on DMZ”, do you mean NetScaler Gateway vServer?

      Are the DMZ NetScalers directly load balancing StoreFront? There’s no intermediary load balancing device?

      Best option for persistence is Cookie Insert, assuming no Androids. Otherwise, Source IP.

      What errors are you seeing in Event Viewer on StoreFront?

      Are you able to reproduce? If so, can you get a network trace?

      Are the browsers using any proxy server?

  19. Carl, do you know if it’s possible to have 2 NetScaler Gateway using the same Storefront?
    Scenario: 1 appliance, with 1 VS on port 8080 and another on 8443 (network restrictions). Added both of them to the Storefront 3.6. They are both showing on the “Configure Remote Access Settings”. If I launch an application, the ICA comes with the SSLProxyHost of the Netscaler on the top of the list (8080 in my case), even if the other is chosen as Default Appliance. It only works on 8443 if I deselect the NG on 8080 on that GUI.

    1. Are you using browser? If so, the default Gateway is chosesn.

      Are you using Recevier? If so, there’s a place to change the Gateway being used.

      Do you have HDX Optimal Gateway configured?

      In cases like this, I sometimes build separate StoreFront servers.

      Or maybe you found a bug.

      1. Using a browser, didn’t try the Receiver.
        HDX Optimal Gateway was not configured. I found out that configuring it allows me to set which is the SSLProxyHost indeed. Seems that the “Default Appliance” option is not being respected on 3.5 or 3.6 (I just upgraded to test, and still the same). Sounds like a bug to me…
        I guess I will create a second Store for that. Same servers just a different Store. Should do the trick…

  20. Hi Carl, I have a specific requirements and actual possibilities with SF and NS 11 makes me crazy.

    The status:
    – SF 3.6
    – XD 7.9
    – NS 11

    – SAML external auth as PRIMARY auth on vserver – the logon to external saml is with different
    – after passed SAML auth NS will forward user to SF without SSO
    – user will use AD LDAP auth to SF directly

    – within NS session policy disabled SSO
    – configured web.config file for STORE settings within SF to resourcesGateways requireTokenConsistency=”false”
    – when disabled SSO from Netscaler within Manage Authentication Methods it will remove NS GW from Store settings

    After this when I will try to authetnicate into SF there is looping error A request was sent to service that was detected as passing through a gateway. However no gateways are configured for this service…

    Do you have any advise?


  21. When using a single FQDN for both NetScaller 11 and StoreFront 3.6, I have notice that the Citrix Receiver must be fully exited after swiching from internal to external access (and vise versa). A log off and on does not work. Is this the normal behaviour or a misconfiguration somewhere?

  22. in step 9 of your optimal gateway config. The additional gateways you create have unique URL ex and are those supposed to resolve to anything specific?

    Yes, resolve to the Gateway VIP in the respective datacenter. The main Gateway FQDN is active/active so there’s no control over datacenter selection. GatewayHQ should resolve to the Gateway VIP in HQ. If HQ is down, then GSLB should failover the DNS name to the Gateway VIP in the other datacenter. The same applies to GatewayDR, except in reverse order.

    Carl I’m replying here to get some clarification.

    so if the gateway urls resolve to the VIPs at each datacenter what should the base URL resolve to?

    1. The Base URL is usually a GSLB-enabled DNS name. One DNS name that is load balanced across datacenters.

  23. in step 9 of your optimal gateway config. The additional gateways you create have unique URL ex and

    are those supposed to resolve to anything specific?

    1. Yes, resolve to the Gateway VIP in the respective datacenter. The main Gateway FQDN is active/active so there’s no control over datacenter selection. GatewayHQ should resolve to the Gateway VIP in HQ. If HQ is down, then GSLB should failover the DNS name to the Gateway VIP in the other datacenter. The same applies to GatewayDR, except in reverse order.

    1. The Gateway FQDNs? Receiver needs to resolve the FQDN to the Gateway that ICA traffic will flow through. And the Gateway certificate needs to match the DNS name.

  24. There’s two bugs with Storefront 3.5 that I’ve found.

    1. Possible management console failure when configuring Optimal HDX routing

    While using the StoreFront management console to configure Optimal HDX routing using a gateway that has been configured for HDX routing only, the management console might fail. [#624077]

    Work around:

    Configure a NetScaler Gateway with the Authentication and HDX routing usage type and provide default values for the authentication settings.
    Configure Optimal HDX routing using this new gateway.

    2. The netscaler storefront monitor fails on certain builds of netscaler (I’m currently using 10.5 56.22nc) I’ve seen some people workaround by using an https monitor or by upgrading to the latest netscaler build.

    I also have a question for you Carl.

    When setting up the gateways for HDX routing should we define the respected STA’s for that site? Also what should the URL’s for these resolve to if anything at all?

    Thank you for your time and effort with all this documentation and helping us with!

    1. 1. should be fixed in the next release.

      The only requirement for STA is that both StoreFront and NetScaler Gateway need to use the same STAs. There’s no relationship between STAs and farms.

  25. Hi Carl I configured SF 3.5 load balancing using the XD wizard in the Netscaler but am having trouble getting it to come up. The vserver is down and the service groups are effective state down. Both service group members probes are failing. I am using SSL / 443 and do having IIS binding to SSL cert. Wondering what could be the issue?

    1. If you go to Traffic Mgmt > LB > Monitors, is there a StoreFront monitor? If so, edit it and on the Special Parameters tab, uncheck the boxes.

        1. Quick update, in 3.5 ctirix documentation I removed the default service monitor and replaced it with one that uses HTTPs and port 443 (see powershell below), propagated SF, then in NS for the StoreFront monitor on the Special Parameters tab, I checked both boxes for “Storefront account service” and “Check backend services” and now the Service Group is effective state is partial-up. The SF server still down is one that is giving me a “cannot complete your request” message. So I am thinking once I figure that out I should be good. Your thoughts?

          # Import StoreFront API Modules
          & “$Env:PROGRAMFILES\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1”
          $ServiceURL = “https://localhost:443/StorefrontMonitor”


          Install-DSServiceMonitorFeature -ServiceUrl $ServiceURL

          1. I wouldn’t be surprised if there’s a bug in 3.5. Usually unchecking the boxes fixes it.

            Is your Base URL = https? If so, did you enable loopback OnUsingHttp on your StoreFront servers?

            Make sure there’s no host header configured in your IIS bindings.

          2. Hi Carl, one of the SF servers was cloned so it corrupted IIS, therefore is why I was receiving the “cannot complete your request” message. After recreating the SF servers and then following same process of removing the default service monitor and replacing it with one that uses HTTPs and port 443 via powershell is again how I was able to get the Service Group in Netscaler working. The Base URL is https, OnUsingHttp is enabled on the SF servers, and there is no header configured in the IIS bindings.

  26. Hi Carl, your documentation has been extremely useful in our configuration. Thanks so much.

    I am running into one issue however trying to do Single FQDN. Whenever I set it up we get a ../cgi/setclient?wica endless loading page after authenticating to the NS. I’ve triple checked all the necessary parameters and am at a loss. We are using a NS 11.0 and XenApp 7.8 with just a single Storefront server (no Netscaler in front of it internally) and a wildcard certificate. Appreciate any insight you can provide, thanks!

    1. Have you tried setting the session policy to the StoreFront IP address instead of the FQDN?

      You can do a network trace on the NetScaler to see what’s happening. There’s a handy decrypt option during tracing.

      1. Strange – that worked briefly, but after I got one successful test done it just stopped working and hangs on wica again. I had previously verified the Netscaler could resolve the FQDN to the Storefront IP — is there another reason to put the IP in instead of the FQDN?

        Not sure about the specifics of what is going on but I see the following sequence repeated over and over in the packet trace:
        NS > SF – SYN
        SF > NS – SYN, ACK
        NS > SF – FIN, ACK
        SF > NS – RST, ACK

        Will keep digging, thank you.

  27. Hey Carl,

    Great post!!!

    Can you have a third-party IDP using SAML with the Netscaler, StoreFront, and XenDesktop 7.6->7.8? Since StoreFront doesn’t support SAML natively with XenDesktop, is there a way around this with Netscaler and a third-party IDP?

      1. In which case should be used “Authentication only” role in Add Netscaler Gateway Wizard?
        Could we do Authentication on Netscaler but tell Storefront do not route connection throuth Netscaler gateway when we logon on via browser?

        1. In StoreFront 3.5, there’s an HDX Optimal Routing page where you can select Direct for your farms. I haven’t tried the Direct option yet.

Leave a Reply