StoreFront Load Balancing

Last Modified: Sep 29, 2016 @ 9:05 am



Note: This is a Perl monitor, which uses the NSIP as the source IP.

  1. On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
  2. On the right, click Add.
  3. Name it StoreFront or similar.
  4. Change the Type drop-down to STOREFRONT.
  5. If you will use SSL to communicate with the StoreFront servers, then scroll down, and check the box next to Secure.
  6. Scroll up, and switch to the Special Parameters tab.
  7. In the Store Name field, enter the name of your store (e.g. Store).
  8. The other two checkboxes are not working with StoreFront 2.6. Click Create.

    add lb monitor StoreFront STOREFRONT -scriptName -dispatcherIP -dispatcherPort 3013 -secure YES -storename Store


  1. On the left, expand Traffic Management, expand Load Balancing, and click Servers.
  2. On the right, click Add.
  3. Enter a descriptive server name, usually it matches the actual server name.
  4. Enter the IP address of the server.
  5. Enter comments to describe the server. Click Create.
  6. Continue adding StoreFront servers.

    add server SF01
    add server SF02

Service Group

  1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.

  2. On the right, click Add.
  3. Give the Service Group a descriptive name (e.g. svcgrp-StoreFront-SSL).
  4. Change the Protocol to HTTP or SSL. If the protocol is SSL, ensure that StoreFront Monitor has Secure checked.
  5. Scroll down and click OK.
  6. On the right, under Advanced, click Members.
  7. Click where it says No Service Group Member.
  8. If you did not create server objects, then enter the IP address of a StoreFront Server. If you previously created a server object then change the selection to Server Based and select the server objects.
  9. Enter 80 or 443 as the port. Then click Create.

  10. To add more members, click where it says 1 Service Group Member and then click Add. Click Close when done.

  11. On the right, under Advanced, click Monitors.
  12. Click where it says No Service Group to Monitor Binding.
  13. Click the arrow next to Click to select.
  14. Select your StoreFront monitor, and click OK.
  15. Then click Bind.
  16. To verify that the monitor is working, on the left, in the Service Group Members section, click the Service Group Members line.
  17. Highlight a member, and click Monitor Details.
  18. The Last Reponse should be Success – Probe succeeded. Click Close twice.
  19. On the right, under Advanced, click Settings.
  20. Check the box for Client IP and enter X-Forwarded-For as the Header. Then click OK.
  21. Then click Done.

    add serviceGroup svcgrp-StoreFront-SSL SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For
    bind serviceGroup svcgrp-StoreFront-SSL SF01 443
    bind serviceGroup svcgrp-StoreFront-SSL SF02 443
    bind serviceGroup svcgrp-StoreFront-SSL -monitorName StoreFront
  22. If the Service Group is http and you don’t have certificates installed on your StoreFront servers (aka SSL Offload), then you’ll need to enable loopback in StoreFront:
    1. In StoreFront 3.5, you enable it in the GUI console.
    2. In StoreFront 3.0, run the following commands on the StoreFront 3.0 servers as detailed at Citrix Blog Post What’s New in StoreFront 3.0.
      & "C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"
      Set-DSLoopback -SiteId 1 -VirtualPath /Citrix/StoreWeb -Loopback OnUsingHttp

Load Balancing Virtual Server

  1. Create or install a certificate that will be used by the SSL Offload Virtual Server. This certificate must match the DNS name for the load balanced StoreFront servers. For email discovery in Citrix Receiver, the certificate must either be a wildcard (*.corp.local) or have a subject alternative name for ( = email address suffix)
  2. On the left, under Traffic Management > Load Balancing, click Virtual Servers.

  3. On the right click Add.
  4. Name it lbvip-StoreFront-SSL or similar.
  5. Change the Protocol to SSL.
  6. Specify a new internal VIP.
  7. Enter 443 as the Port.
  8. Click OK.

    add lb vserver lbvip-StoreFront-SSL SSL 443 -persistenceType SOURCEIP -timeout 60
  9. On the left, in the Services and Service Groups section, click where it says No Load Balancing Virtual Server ServiceGroup Binding.
  10. Click the arrow next to Click to select.
  11. Select your StoreFront Service Group, and click OK.
  12. Click Bind.

    bind lb vserver lbvip-StoreFront-SSL svcgrp-StoreFront-SSL
  13. Click OK.
  14. Click where it says No Server Certificate.
  15. Click the arrow next to Click to select.
  16. Select the certificate for this StoreFront Load Balancing Virtual Server, and click OK.
  17. Click Bind.

    bind ssl vserver lbvip-StoreFront-SSL -certkeyName WildCorpCom
  18. On the right, in the Advanced column, click Persistence.
  19. On the left, in the Persistence section, select SOURCEIP.  Do NOT use COOKIEINSERT persistence or Android devices will not function correctly.
  20. Set the timeout to match the timeout of Receiver for Web.
  21. The IPv4 Netmask should default to 32 bits.
  22. Click OK.
  23. On the right, in the Advanced column, click SSL Parameters.
  24. If the NetScaler communicates with the StoreFront servers using HTTP (aka SSL Offload), at the top right, check the box next to SSL Redirect. Otherwise the Receiver for Web page will never display.
  25. Uncheck the box next to SSLv3.
    set ssl vserver lbvip-StoreFront-SSL -sslRedirect ENABLED -ssl3 DISABLED
  26. NetScaler VPX 10.5 build 57 and newer lets you enable TLSv11 and TLSv12. Click OK.
  27. Perform other normal SSL vServer configuration including: disable SSLv3, bind a Modern Cipher Group, and enable Strict Transport Security.
    bind ssl vserver lbvip-StoreFront-SSL -certkeyName MyCert
    set ssl vserver lbvip-StoreFront-SSL -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED
    unbind ssl vserver lbvip-StoreFront-SSL -cipherName ALL
    bind ssl vserver lbvip-StoreFront-SSL -cipherName Modern
    bind ssl vserver lbvip-StoreFront-SSL -eccCurveName ALL
    bind lb vserver lbvip-StoreFront-SSL -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE
  28. Then click Done.

SSL Redirect – Down vServer Method

If you created an SSL Offload Virtual Server that only listens on SSL 443, users must enter https:// when navigating to the website. To make it easier for the users, create another load balancing Virtual Server on the same VIP that listens on HTTP 80 and then redirects the user’s browser to reconnect on SSL 443.

This procedure details the Down vServer method of performing an SSL redirect. An alternative is to use the Responder method.

  1. On the left, under Traffic Management > Load Balancing, click Virtual Servers.

  2. On the right, find the SSL Virtual Server you’ve already created, right-click it, and click Add. Doing it this way copies some of the data from the already created Virtual Server.
  3. Change the name to indicate that this new Virtual Server is an SSL Redirect.
  4. Change the Protocol to HTTP on Port 80.
  5. The IP Address should already be filled in. It must match the original SSL Virtual Server.
  6. Click OK.
  7. Don’t select any services. This vServer must intentionally be marked down so the redirect will take effect. Click Continue.
  8. On the right, in the Advanced column, click Protection.
  9. In the Redirect URL field, enter the full URL including https://. For example: Click OK.
  10. Click Done.

    add lb vserver lbvip-storefront-HTTP-SSLRedirect HTTP 80 -redirectURL ""
  11. When you view the SSL redirect Virtual Server in the list, it will have a state of DOWN. That’s OK. The Port 80 Virtual Server must be DOWN for the redirect to work.

StoreFront Base URL

  1. Create a DNS Host record that resolves to the new VIP.
  2. The DNS name for StoreFront load balancing must be different than the DNS name for NetScaler Gateway. Unless you are following the Single FQDN procedure.

  3. In the Citrix StoreFront console, right-click Server Group and click Change Base URL.
  4. Enter the new Base URL in format. This must match the certificate that is installed on the load balancer. Click OK.

Subscription Replication Load Balancing

If you have multiple StoreFront clusters (separate datacenters), you might want to replicate subscriptions between them. StoreFront subscription replication uses TCP port 808. To provide High Availability for this service, load balance TCP port 808 on the StoreFront servers. See Configure subscription synchronization at Citrix Docs for more information.

  1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.

  2. On the right, click Add.
  3. Give the Service Group a descriptive name (e.g. svcgrp-StoreFront-SubRepl).
  4. Change the Protocol to TCP.
  5. Scroll down and click OK.
  6. On the right, under Advanced, click Members.
  7. Click where it says No Service Group Member.
  8. In the IP Address field, enter the IP address of a back-end StoreFront server.
  9. Enter 808 as the port. Then click Create.

  10. To add more members,  on the left, in the Service Group Members section, click where it says 1 Service Group Member.
  11. Click Add to add a member. Click Close when done.
  12. On the right, under Advanced, click Monitors.
  13. Click where it says No Service Group to Monitor Binding.
  14. Click the arrow next to Click to select.
  15. Select the tcp monitor, and click OK.
  16. Then click Bind, and click Done.

    add serviceGroup svcgrp-StoreFront-FavRepl TCP
    bind serviceGroup svcgrp-StoreFront-FavRepl SF01 808
    bind serviceGroup svcgrp-StoreFront-FavRepl SF02 808
  17. On the left, under Traffic Management > Load Balancing, click Virtual Servers.

  18. On the right click Add.
  19. Name it lbvip-StoreFront-SubRepl or similar.
  20. Change the Protocol to TCP.
  21. Specify the same VIP that you used for SSL Load Balancing of StoreFront.
  22. Enter 808 as the Port.
  23. Click Continue.
  24. Click where it says No Load Balancing Virtual Server ServiceGroup Binding.
  25. Click the arrow next to Click to select.
  26. Select your StoreFront Subscription Replication Service Group, and click OK.
  27. Click Bind.
  28. Click OK.
  29. On the right, in the Advanced column, click Persistence.
  30. Select SOURCEIP persistence.
  31. Set the timeout to 5 minutes.
  32. The IPv4 Netmask should default to 32 bits.
  33. Click OK.
  34. Then click Done.

    add lb vserver lbvip-StoreFront-FavRepl TCP 808 -persistenceType SOURCEIP -timeout 5
    bind lb vserver lbvip-StoreFront-FavRepl svcgrp-SF-FavRepl

Related Posts

37 thoughts on “StoreFront Load Balancing”

  1. Hi Carl , great one again !!

    Quick question, in my environement seems that the Monitor is using the SNIP… but I dont know why but the monitor is indicating “Failure probe failed…”

    Any Ideas ? thx

    1. StoreFront monitor? If so, it’s definitely using NSIP. Since NSIP doesn’t have a route to the server, it’s going through the SNIP, but the replies are going back to the NSIP. You might have to switch to a HTTP monitor. Or, implement RNAT.

  2. Just only worries me for the case that one storefront takes more load than other and there is an impact in production environment. And also i wonder if this timeout difference could be the root cause of occasional error message “cannot complete your request ” .
    Thanks again

  3. Hi Carl I would like to share with you the results of my lab experiment related with low value sourceip persistence timeout for instance 2min and RFWeb session timeout to 1 h.
    I found out that under circumanstances can cause “cannot complete your request error” because of usage CsrfToken. which is session expired coockie. Could be that case ?
    Is there any other way to avoid this issue except to increase the sourceip persistence timeout greater than or equal to RFWeb session timeout ?

    Thanks in advance.

  4. Sorry , thought I would try and clarify in more detail.

    I have external users and internal users

    My Required Time out scenario

    Sign in Time Out 2min
    Session sign out 8 hours

    Internal Users
    Sign out Timeout 8 hours
    Session Time out 8 Hours

    For internal users I am using a load balanced storefront (vrs 3.6) on netscaler (vrs11.1)

    External users connect to via the gateway to the same storefront LB Vip

    Would you be able to point me in the right direction

    Thank you

    1. When you say “Sign In Time Out”, do you mean StoreFront webpage timeout?

      NetScaler Gateway has timeouts in the session profile/policy that you can try adjusting.

      Otherwise, I think the timeout is global to the store so you might have to build separate StoreFront servers for internal and external.

      1. Hi

        Thank you for your reply , yes I am talking about the storefront web page sign in time out.I can not see a way around it unless as you mentioned build additional storefront storefront servers, that is a now go

        Once again thank you for your reply and helping everybody.

        Kind Regards


  5. Hi Carl , I have a situation whereby my external users need a timeout lets say 2min and my internal users connect via load balanced storefront no time. The question is how do I sent my external users timeout values that they do not affect the internal users. Are all the settings done via netscaler. Storefront 3.6 Netscaler

  6. Is it possible/difficult to customize the Storefront Monitor Perl script to use a SubNetIP (SNIP) instead of the NSIP as source address of the check?
    In our setup, we will run into routing trouble (anti-spoof filters) when using the NSIP: the StoreFront servers are in the same subnet as the backend interface of the Netscaler. The NSIP is in the Management subnet. So the StoreFront servers will route the return traffic to their configured (default) gateway and will be dropped by the anti-spoof rules.
    So I want to ensure that the Backend SNIP is used as source for the monitoring part…

    Great article and it helped me a lot in understanding!

  7. Hi Carl,

    How to setup persistence for Netscaler Virtual server without using load-balancing? I removed few storefront servers from manage members under services for an activity but NS still re-directs connection to those servers though I disabled them under manage members

      1. Yes after that it worked. But when i faked it by disabling server from manage servers it still goes to that server. My understanding is it should not route connection unless it’s up

        1. I meant when you disabled the service, did you check the box for Graceful? If so, persistent is honored. If not, persistence is ignored.

  8. Hi Carl,

    I have a weird issue with load balancing, or might be not.
    I configured LB with HTTP redirect and everything works fine with one minor issue.
    When internal user goes to URL he receives default IIS web page. If user refreshes the page immediately it redirects him to It is happening in IE only for internal users. Also I noticed that this is happening randomly, some users redirected to https without any issues. Also no issues with accessing – I am redirected to as expected.

    What is configured:
    – Netscaler 11.0
    – 2 StoreFront 3.5 servers in Server Group, propagated changes. Base URL Also web.config copied and it contains redirect enabled to
    – Internal DNS record is pointing to Virtual Server Load Balancing SSL (Service group with 2 members)
    – HTTP redirect is configured for the same IP with NO members
    – Both Virtual Servers have redirected URL pointing to

    So I cannot understand why IIS returns the default page. Looks like it is IIS issue, but if I go to http://SF01 or http://SF01 it redirects me to straight away.

    Do you think it’s IIS or just Netscaler/Storefront not configured properly?
    Thank you.

    1. http is pointing to a VIP on the NetScaler. If no services are bound to the port 80 VIP then it’s impossible to see the IIS default page.

      Do you have a proxy server? Maybe the proxy cached a prior configuration? Or your browser’s cache needs to be cleared.

      You can use your browser’s F12 tools > network tab to see what’s happening.

      1. Hi Carl, thank you for reply. You gave me a great hint about cache on proxy, as I tried to clear browser cache and that didn’t help. Today issue just disappeared and everyone is redirected to the correct URL, so I believe it was proxy cache, will talk to networking team later today.

        Thank you for all your articles, for your blog and for your replies in Citrix support forum. It is very, very useful and helpful. You are the best! Thank you!

  9. Hi Carl,

    I’m facing issues when trying to authenticate with user certificate. I think I have the NetScaler part configured properly, but for some reason the SSO to StoreFront fails. We’re using NS 11.64.34 and SF 3.5.

    We’re using UPN as the login attribute and verified that it works if we’re not using the CERT auth. The Cert auth seems to be working just fine when I log in to the NetScaler but the StoreFront SSO responds “Cannot complete your request.” to browser and event IDs 3, 8 and 10 are logged in StoreFront.

    The event ID 10 contains the following:

    The remote server returned an error: (403) Forbidden.
    ExceptionStatus: ProtocolError
    ResponseStatus: Forbidden”

    We’ve also noticed that if I try to reach the store URL with or without the NS LB layer with the proper name:

    The connection is reset by the IIS for some reason (I traced this with NetScaler capture). However if I change the URL for the host name:

    I get a certifcate mismatch error but if I select to continue, the server returns my certificate information properly.

    Our internal CA is issuing sha1 certificates and we have tried to disable the TLS1.2 on both NS Gateway and StoreFront LB without any success.

    Any ideas?

    1. Do you have callback configured? Does the callback Gateway have client certificates set to Mandatory? If so then you’ll need a separate Callback Gateway that doesn’t have client certs as Mandatory.

      1. Hi, that was exactly the issue. My colleague created a separate GW which resolved the issue. The additional “dummy GW” doesn’t need to be reachable from the external networks so that shouldn’t be a big issue.

      2. One more question 🙂

        In the Citrix article it is stated that the /Authentication/Certificate/test.aspx should be available when using the store base url (whether it’s on LB or a DNS alias). I can only connect to the test.aspx with the server name as I described in my original posts.

        Any insights on this specific matter?

        ps. great blogs and articles, keep up the awesome job!

  10. Hi Carl,

    If you have a NetScaler HA pair in both the DMZ and on the internal LAN, and you want to integrate these with the same StoreFront store, how would you suggest to configure the StoreFront base URL?

    For example, if you want the StoreFront load balanced URL to be; would you add a load balanced virtual server on both NetScaler pairs with a LAN IP (for example 10.x.x.x) which resolves to in the DNS? Or would you only configure the VIP on one of the NetScaler pairs, and on the other NetScaler pair add a vserver with an internal 192.168.x.x IP, and then add a DNS A-host to that NetScaler which resolves to the 10.x.x.x VIP added on the other NetScaler pair? And finally, editing the HOSTS files on the two StoreFront servers adding each servers own IP-address resolving it to

    My Netscaler Gateway in the DMZ is accessed on a different URL than the NetScaler Gateway on the internal NetScalers, and I will obviously configure these when adding the NetScaler Gateway appliances.




    1. I usually do load balancing on the internal NetScalers and then configure NetScaler Gateway in the DMZ to connect to the internal load balancer. They can be different DNS names.

  11. Hi Carl

    Is there any specific reason for using X-Forwarded-For?
    Can I use cookie insert and not use X-Forwarded-For? Clients are connecting from the same site behind PAT. If I set to source IP will they all go to one StoreFront server?


  12. Hello Carl, I ran into an issue when load-balancing StoreFront on the 10.5+ NetScaler where you could ping the VIP and even telnet to port 443 successfully, but the StoreFront webpage would just spin and never resolve. It turns out that you need to use the Protocol SSL-Bridged instead of SSL for the Services and the vServer. This fixed the problem.

    1. The problem with SSL_BRIDGE is you can’t insert X-Forwarded-For. If 10.5 build 59, it could be a chiper problem on the services.

  13. Hi Carl

    Sorry for my terrible English

    I followed the steps in the article to set the LB, everything works ok when I use the browser to connect.

    But, when I use the Citrix Receiver client, I get the following error:

    “Your apps are not available at this Time Please try again in a few minutes or contact your helpdesk With information: An error occurred while contacting Store.”

    If I configure Citrix Receiver to directly attack to one of the storefront, everything works, but when I try to attack the VIP, no.

    I’m running Storefront 2.6, Netscaler VPX 10.5 55.8,nc and Citrix Receiver 4.1 and 4.2.

    Any suggestions?

    Thank you very much.

    1. This usually means Persistence is not setup correctly. It needs to be Source IP with a timeout of 60 minutes or longer. Or maybe the Base URL was not configured correctly on the StoreFront servers. Try posting your question to where further troubleshooting can be performed.

  14. Hi Carl,

    I’ve seen your posts on the Citrix Forums and I’m getting a lot of nice information from you write-ups here. Great site!

    Wondering if you might be able to point me in a direction to investigate why my Storefront Service Group is showing down. I followed your instructions here, except for creating the server, as it already exits for the LDAPS monitor on that server that is reporting up.

    I tried checking and unchecking the boxes for Storefront Account Service and Check Backend Services and still not getting green light.

    I am running Storefront 2.6


    1. Are you saying that LDAPS and StoreFront are the same server? Does that mean you have StoreFront installed on a Domain Controller? I never do that.

Leave a Reply