StoreFront 3.5 through 3.16 – Basic Configuration

Last Modified: Oct 16, 2018 @ 7:43 am

Navigation

This article applies to StoreFront versions 3.16, 3.12.2000, and all other versions 3.5 and newer.

💡 = Recently Updated

Change Log

StoreFront Versions

The most recent StoreFront Current Release is version 3.16. Current Releases are only supported for 6 months from release date and are expected to be upgraded every 3-6 months.

The most recent StoreFront Long Term Service Release (LTSR) is version 3.12.2000. LTSR versions are supported for 5 years from release date. Cumulative Updates are released periodically.

StoreFront Installation / Upgrade

The Citrix Virtual Apps and Desktops Delivery Controller Metainstaller has an option for installing StoreFront on the Delivery Controller machine. Or you can install StoreFront on separate dedicated servers.

  • If StoreFront will pull icons from multiple Citrix Virtual Apps and Desktops sites/farms, then StoreFront should be installed on its own machines.
  • For small environments, it might be OK to install StoreFront on the Delivery Controller machines. But usually they are separate machines.

To automate the installation of StoreFront, see Dennis Span Citrix StoreFront unattended installation with PowerShell.

Citrix Blog Post StoreFront 3.0 Scalability recommends StoreFront servers to be sized with 4 vCPU and 8 GB RAM.

  1. If upgrading, do the following before beginning the upgrade:
    1. Other Users – Use Task Manager > Users tab to logoff any other user currently logged into the machine.
    2. Export the StoreFront configuration so you can restore it if something goes wrong.
    3. Stop the World Wide Web Publishing Service.
    4. Stop all StoreFront services.
    5. Close all PowerShell and StoreFront consoles.
    6. Citrix CTX226419 StoreFront upgrade fails to keep the setting in default ICA file. Take a backup of default.ica and usernamepassword.tfrm from C:\inetpub\wwwroot\Citrix\StoreName\App_Data. After upgrading StoreFront, replace the new default.ica and usernamepassword.tfrm with the old default.ica and usernamepassword.tfrm files to ensure you retain the old settings.
    7. If the Citrix SCOM Agent for StoreFront is installed, stop the Citrix MPSF Agent service. Citrix CTX220935 Cannot Perform a StoreFront Upgrade if Citrix SCOM Management Pack Agent Service is Running.
    8. If SCOM Agent is installed, stop the Microsoft Monitoring Agent service.
    9. See Patrick van den Born Avoid 1603 errors when upgrading Citrix StoreFront 2.x to Citrix StoreFront 3.5
  2. Note: StoreFront 3.16 is not supported on anything older than Windows Server 2012 R2.
  3. Go to the downloaded Citrix StoreFront, and run CitrixStoreFront-x64.exe.

    1. You can find the standalone StoreFront installer on the Citrix Virtual Apps and Desktops ISO under the \x64\StoreFront folder.
    2. Or you can install StoreFront from the Citrix Virtual Apps and Desktops ISO by running AutoSelect.exe.
    3. It’s on the bottom left of the splash screen.

  4. If installing from the standalone installer, in the License Agreement page, check the box next to I accept the terms, and click Next.
  5. In the Review prerequisites page, click Next.
  6. In the Ready to install page, click Install.
  7. In the Successfully installed StoreFront page, click Finish.

If this is a new install, skip to the Initial Configuration.

After upgrading from StoreFront 2.6 or older, do the following to enable the Receiver X1 theme:

  1. In the StoreFront Console, on the left, click the Stores node.
  2. In the middle, right-click your store, and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Receiver Experience page select Disable classic experience.
  5. Once classic experience is disabled, you can now make changes on the Customize Appearance and Featured App Groups pages. Click OK and Close when done.

  6. Go to Stores. In the middle, right-click your Store, and click Configure Unified Experience.
  7. Check the box next to Set the unified Receiver experience as the default for this store, and click OK.
  8. When you propagate changes, the default web page might not be replicated to the other nodes. Copy C:\inetpub\wwwroot\web.config manually to each node.

If you are upgrading to StoreFront 3.9 or newer, do the following to add SAML Authentication as an option. This feature lets you perform SAML against StoreFront without needing NetScaler Gateway. If you did a fresh deployment of 3.9 or newer, then SAML is already added.

  1. Right-click your Store, and click Manage Authentication Methods.
  2. On the bottom, click the Advanced button, and click Install or uninstall authentication methods.
  3. Check the box next to SAML Authentication, and click OK.
  4. If you don’t want to configure SAML at this time, then uncheck the authentication method. See the Federated Authentication Service article for SAML details.

Initial Configuration

In StoreFront 3.8 and newer, you can create multiple stores in different IIS websites. This functionality is not exposed in the GUI and instead the entire StoreFront configuration must be performed using PowerShell. See Citrix Blog Post StoreFront 3.8 is Available NOW! for sample PowerShell commands to create the stores.

You can also use PowerShell to create a store and configure it as detailed at CTX206009 How to configure a Store via Powershell.

If this is a new deployment of StoreFront, do the following to perform the initial configuration:

  1. In PowerShell, run Set-ExecutionPolicy RemoteSigned.
  2. The management console should launch automatically. If not, launch Citrix StoreFront from the Start Menu.
  3. In the middle, click Create a new deployment.
  4. In the Base URL page, if you installed an SSL certificate on the StoreFront server, then the Hostname should already be filled in. For now, you can leave it set to the server name and then change it later once you setup SSL and load balancing. Click Next.
  5. In the Getting Started page, click Next.
  6. In the Store Name page, enter a name for the store. Note: the name entered here is part of the URL path.
  7. Check the box next to Set this Receiver for Web site as IIS default and click Next.
  8. In the Delivery Controllers page, click Add.
  9. Enter a descriptive name for the XenApp/XenDesktop farm. This name does not need to match the actual farm name. (If StoreFront 3.5, don’t put spaces or periods in the farm name)
  10. Change the Type to XenDesktop.
  11. Add the two Delivery Controllers. Change the Transport Type to HTTP. Click OK.
  12. If you have multiple Citrix Virtual Apps and Desktops sites/farms, feel free to add them now. Or you can add older XenApp farms. (If StoreFront 3.5, don’t put spaces or periods in the farm name) Click Next when done.
  13. In the Remote Access page, don’t check the box, and click Next. You can set this up later.
  14. In the Authentication Methods page, check the boxes next to Domain pass-through and Pass-through from NetScaler Gateway. Click Next. Note: if you want Domain pass-through for browser users, you also need to enable it for Receiver for Web as detailed later in this topic.
  15. In the XenApp Services URL page, click Create.
  16. In the Summary page, click Finish.

Second StoreFront Server

After the server group is created, NT SERVICE\CitrixConfigurationReplication and NT SERVICE\CitrixClusterService must remain in the Administrators group on both StoreFront servers or propagation will fail.

  1. Install StoreFront on the second server.
  2. Create/Import the SSL certificate, and bind it to the Default Web Site.
  3. Login to the first StoreFront server. In the StoreFront management console, right-click Server Group, and click Add Server.
  4. Copy the Authorization code. Note: the Please wait message means it is waiting on you to add the 2nd server. You don’t actually have to wait.
  5. Login to the second StoreFront server and launch the management console. In the middle, click Join existing server group.
  6. In the Join Server Group page, enter the name of the first StoreFront server and enter the Authorization code copied earlier. Click Join.
  7. Then click OK.
  8. Go back to the first server. Click OK.
  9. Notice this message. It is good advice.
  10. All changes made on one StoreFront server must be manually propagated to the other StoreFront server. You do that by right-clicking Server Group, and clicking Propagate Changes.
  11. When you propagate changes, the default web page might not be replicated to the other nodes. Copy C:\inetpub\wwwroot\web.config manually to each node.

Customer Experience Improvement Program

StoreFront 3.9 and newer enable Customer Experience Improvement Program (CEIP) by default. To disable it, create the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Telemetry\CEIP\Enabled (DWORD) and set it to 0 (zero). Also see CEIP at Install, set up, upgrade, and uninstall at Citrix Docs.

See https://www.carlstalhood.com/delivery-controller-1808-ltsr-and-licensing/#ceip for additional places where CEIP is enabled.

Store Name – Rename

If you installed StoreFront on your Delivery Controller, it will have a default store named Store. If you don’t like the default Store Name (/Citrix/Store) then you will need to remove the store and re-add it.

Note: Some at Citrix Discussions (A protocol error occured while communicating with the Authentication Service) have reported authentication issues after following this procedure. It’s probably cleaner to uninstall StoreFront and reinstall it.

  1. In the StoreFront console, on the left, click Stores.
  2. Right-click your store, and click Remove Store.
  3. Click Yes.
  4. On the left, right-click Stores, and click Create Store.
  5. In the Getting Started page, click Next.
  6. In the Store Name page, enter a name for the store. Note: the name entered here is part of the URL path.
  7. Check the box next to Set this Receiver for Web site as IIS default and click Next.
  8. In the Delivery Controllers page, click Add.
  9. Enter a descriptive name for the Citrix Virtual Apps and Desktops farm. This name does not need to match the actual farm name. (If StoreFront 3.5, don’t put spaces or periods in the farm name)
  10. Change the Type to XenDesktop.
  11. Add the two Delivery Controllers.
  12. Change the Transport Type to HTTP. Click OK.
  13. If you have multiple Citrix Virtual Apps and Desktops farms, feel free to add them now. Or you can add older XenApp farms. (If StoreFront 3.5, don’t put spaces or periods in the farm name) Or later, you can add farms in Store > Manage Delivery Controllers. Click Next when done.
  14. In the Remote Access page, don’t check the box and click Next. You can set this up later.
  15. In the Authentication Methods page, check the boxes next to Domain pass-through and Pass-through from NetScaler Gateway. Click Next.
  16. In the XenApp Services URL page, click Create.
  17. In the Created Successfully page, click Finish.

SSL Certificate

StoreFront requires SSL. You will save yourself much heartache if you install valid, trusted certificates. There are two options for StoreFront SSL.

  • SSL Offload: Use NetScaler to do SSL Offload and load balancing. In this scenario, install the SSL certificate on the load balancer. You can leave the StoreFront servers listening on HTTP and no IIS server certificate. The SSL certificate on the NetScaler must match the DNS name that resolves to the load balancing VIP.
  • SSL End-to-end: Install an SSL certificate on each StoreFront server and bind to IIS. This allows you to use SSL protocol between the load balancer and the StoreFront servers.

If your load balancer cannot terminate SSL, then the StoreFront IIS certificate must match the DNS name that resolves to the load balancing VIP.

For load balancers that can terminate SSL (e.g. NetScaler), the StoreFront IIS server certificate should match the StoreFront server name. If StoreFront is installed on the Delivery Controllers, with server-specific certificates you can later enable HTTPS in the StoreFront Store Delivery Controller configuration.

Another option is to create an SSL certificate with Subject Alternative Names for the load balanced DNS name and each of the StoreFront server FQDNs. Then import this one certificate on all StoreFront servers. Or a wildcard certificate could match all of these names.

In either case, be aware that Email-based discovery in Citrix Receiver requires the certificate to not only match the StoreFront load balanced DNS name but the certificate must also match discoverReceiver.email.suffix for every email domain. Usually the only option to match multiple email domains is with Subject Alternative Names. If you have multiple email suffixes then you will need multiple Subject Alternative Names, each beginning with discoverReceiver. If you don’t plan on implementing email-based discovery, then you don’t have to worry about these discoverReceiver Subject Alternative Names.

If the certificate does not match discoverReceiver.email.suffix, then users will see this message when attempting to use email discovery in Citrix Receiver.

When adding Subject Alternative Names to a certificate, the first Subject Alternative Name should be the same as the Load Balancing FQDN. The remaining Subject Alternative Names should be discoverReceiver.email.suffix for every email domain.

When you view a Subject Alternative Name certificate, on the Details tab, click Subject Alternative Name to verify that all names are listed, including the DNS name that resolves to the load balancing VIP.

There are several methods of creating a certificate for StoreFront.

  • If you are implementing Single FQDN for internal and external users, then the certificate for external NetScaler Gateway can also be used for internal StoreFront. Note: Single FQDN has additional Subject Alternative Name certificate requirements including: Internal Beacon FQDN and Callback FQDN.
  • If you will support non-domain-joined machines (e.g. iPads, thin clients) connecting to your internal StoreFront, then the StoreFront certificate should be signed by a public Certificate Authority. You can use IIS to request the certificate. You can then export the certificate from IIS and import it to NetScaler (for Load Balancing and NetScaler Gateway). Public Certificate Authorities (e.g. GoDaddy, Digicert, etc.) let you enter additional Subject Alternative Names when you purchase the certificate.

  • If all internal machines are domain-joined, then you can use an internal Certificate Authority to create the StoreFront certificate. The Certificates MMC snap-in can be used to create an internal certificate signed by a Microsoft Certificate Authority. The MMC method allows you to specify Subject Alternative Names.

Once the certificate is created or imported, you need to bind it to IIS:

  1. In IIS Manager, right-click the Default Web Site, and click Edit Bindings.
  2. Click Add.
  3. Change the Type to https, and select the SSL certificate. Do NOT put anything in the Host name field. Click OK, and then click Close.

Delivery Controllers – SSL

Delivery Controllers can be SSL enabled by using one of two methods:

Once SSL certificates are installed on the Delivery Controller servers, then you can configure the Store to use SSL when communicating with the Delivery Controllers.

  1. In the StoreFront Console, on the left click Stores.
  2. In the middle, right-click your store, and click Manage Delivery Controllers.
  3. Highlight the deployment and click Edit.
  4. The Servers list must contain FQDNs that match the certificates installed on those servers.
  5. Change the Transport type to HTTPS.
  6. Click OK twice.

Socket Pooling

Socket pooling is disabled by default in stores. When socket pooling is enabled, StoreFront maintains a pool of sockets, rather than creating a socket each time one is needed and returning it to the operating system when the connection is closed. Enabling socket pooling enhances performance, particularly for Secure Sockets Layer (SSL) connections. To enable socket pooling:

  1. On the left, click the Stores node.
  2. In the middle, right-click your store, and click Configure Store Settings.
  3. On the Advanced Settings page, check the box for Enable socket pooling.

HOSTS File

Edit the HOSTS file (C:\Windows\System32\Drivers\Etc\HOSTS) on each StoreFront server with the following entries:

  • StoreFront Load Balancing FQDN (e.g. storefront.corp.com) = Load Balancing VIP in the local datacenter.
  • NetScaler Gateway Callback FQDN (e.g. callback.corp.com) = NetScaler Gateway VIP in the local datacenter.

Base URL – Change

  1. Configure load balancing of the StoreFront servers, including SSL certificate.
  2. In the Citrix StoreFront console, right-click Server Group, and click Change Base URL.
  3. Enter the StoreFront Load Balancing FQDN as the new Base URL in https://storefront.corp.com format. Note: Receiver requires that the Base URL is https. It won’t accept http. Click OK.
    Note: if you want the StoreFront Base URL to be the same as your Gateway FQDN, then see the Single FQDN instructions.

If the Base URL is https, but you don’t have certificates installed on your StoreFront servers (aka SSL Offload), then you’ll need to do the following:

  1. On the left, click the Stores node.
  2. In the middle, right-click your store, and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Advanced Settings page, change Enable loopback communication to OnUsingHttp. Click OK, and then click Close.

Default Web Page

After changing the Base URL, you’ll need to update the IIS Default Website.

  1. On the left, right-click Stores, and click Set Default Website.
  2. Check the box next to Set a Receiver for Web site as the default page in IIS, and click OK.
  3. Click Yes to overwrite.
  4. If you go to C:\inetpub\wwwroot and edit the file web.config, you’ll see the redirect.

Authentication Configuration

  1. In the Citrix StoreFront console, on the left, click the Stores node.
  2. In the middle, right-click your store, and click Manage Authentication Methods.
  3. Check the boxes next to Domain pass-through and Pass-through from NetScaler Gateway.
  4. If you intend to enable pass-through authentication from Receiver Self-Service or from Receiver for Web, go to a Delivery Controller, and run the command
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True from a Windows PowerShell command prompt. Run asnp citrix.* first. In XenApp 6.5, this is a Citrix Policy > Computer > Trust XML Requests.
  5. Click the top gear icon, and then click Configure Trusted Domains.
  6. Select Trusted domains only, click Add, and enter the domain names in DNS format. The DNS suffix is needed if doing userPrincipalName authentication from NetScaler Gateway.
    1. Also see CTX223551 Log on delay when user is not in the same domain as Storefront Server for RPC firewall rules.
  7. Select one of the domains as the default.
  8. If desired, check the box next to Show domains list in logon page. Click OK.
  9. Click the top gear icon, and then click Manage Password Options.
  10. Make your selection, and click OK.
  11. Be careful with password changes. Any time somebody changes their password through StoreFront, a profile will be created for that user on the StoreFront server. Use a tool like delprof2.exe to periodically delete these local profiles.
  12. Or see Citrix Blog Post Delete Local User Profile Folders on StoreFront Servers for a script to delete local profiles.
  13. If you have Citrix Virtual Apps and Desktops Platinum Edition or Premium Edition and installed Self-Service Password Reset, you can integrate SSPR with StoreFront 3.7 or newer by clicking the top gear icon and clicking Configure Account Self-Service. This option is only available if your Base URL is https (encrypted). See the following for detailed implementation guides.
  14. Change the selection to Citrix SSPR, and click Configure.
  15. Check both boxes and enter the URL of the SSPR server using the displayed example (with /MPMService on the end). Click OK three times.
  16. With SSPR enabled, a new Tasks tab lets users enroll with SSPR.
  17. The logon page also has an Account Self-Service link.

  18. If StoreFront is not in the same domain (or trusted domain) as the users, then you can configure StoreFront to delegate authentication to the Delivery Controllers. See XML service-based authentication at Citrix Docs. Note: StoreFront 3.6 and newer can be workgroup members without joining a domain.

Citrix Online (3.11 and older)

This is only configurable in StoreFront 3.5 through 3.11. This feature was removed from StoreFront 3.12.

  1. StoreFront might be configured to add the Citrix Online icons. To remove them, on the left, click the Stores node.
  2. In the middle, right-click your store, and click Configure Store Settings.
  3. On the Citrix Online Integration page, uncheck all three boxes, and click OK. Note: This page is not available in StoreFront 3.12.

Unified Receiver Experience

If you did a clean install of StoreFront 3.5 or newer, then the newer UI will already be enabled, but Unified Experience might not be. If you upgraded from a StoreFront 2.6 or older, then you can disable the Classic UI to enable the newer UI.

  1. On the left, click the Stores node.
  2. In the middle, right-click your store, and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Receiver Experience page, select Disable classic experience. Click OK, and click Close.
  5. On the left, click Stores. In the middle, right-click your store, and click Configure Unified Experience.
  6. Check the box next to Set the unified Receiver experience as the default for this store and click OK.

Customize Receiver Appearance

If the Unified Receiver appearance is enabled, you can go to Stores > Manage Receiver for Web Sites > Configure > Customize Appearance to change logos and colors. Additional customization can be performed using the SDK.

You can also Manage Featured App Groups.

These Featured App Groups are displayed at the top of the Apps > All page.

By default, Featured App Groups are displayed with continual horizontal scrolling. This is OK if you have several Featured App Groups but doesn’t look right if you only have one Featured App Group.

Michael Bednarek has posted some code at Citrix Discussions to disable the continuous horizontal scrolling.

If you want to display more than 3 apps per group, see  Michael Bednarek at Modify Receiver for Web site at Citrix Discussions.

Receiver for Web Pass-through Authentication

  1. On the left, click the Stores node.
  2. In the middle, right-click your store, and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Authentication Methods page, if desired, check the box next to Domain pass-through. Click OK.
  5. If the StoreFront URL is in the browser’s Local Intranet zone, then you’ll see a prompt to automatically Log On. This only appears once.

Workspace app for HTML5 1809

Workspace app for HTML5 is the new name for Receiver for HTML5.

  1. On the left, click the Stores node.
  2. In the middle, right-click your store, and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Deploy Citrix Receiver page, change the drop-down to Use Receiver for HTML5 if local Receiver is unavailable.
  5. By default, the HTML5 session opens in a new tab. You can optionally enable Launch applications in the same tab as Receiver for Web. See Configure Citrix Receiver for HTML5 use of browser tabs at Citrix Docs for more information.
  6. Click OK, and then click Close.
  7. Download the Workspace app 1809.1 for HTML5 (version 18.9.1.4047). Version 18.9.1 is newer than version 18.9.0. Note: new versions of Workspace app for HTML5 are released every 2 weeks.
  8. Install the HTML5 Workspace app (CitrixHTML5Client-x64.exe) on one of the StoreFront servers. It installs silently. When you Propagate Changes in StoreFront console, the Workspace app for HTML5 will be copied to the other StoreFront servers.

  9. To see the installed version of HTML5 Workspace app, in StoreFront console, click the Stores node on the left.
  10. In the middle pane, in the bottom half, switch to the Receiver for Web Sites tab. You might have to click Refresh to see the new version.
  11. HTML5 Receiver 2.6.5 adds a multi-monitor feature, which is enabled by default.
  12. To configure HTML5 Receiver, edit the file “C:\Program Files\Citrix\Receiver StoreFront\HTML5Client\configuration.js”.

    1. Customer Experience Improvement Program (CEIP) is enabled by default. To disable it, search for the ceip section, and change it to false.
  13. In the StoreFront console, on the left, right-click Server Group, and click Propagate Changes.
  14. For VDA 7.15 and older, optionally, install Citrix PDF Printer on the VDAs. The PDF printer is in the Additional Components section of the HTML5 Receiver download page. This PDF printer is only used with Receiver for HTML5, and not with regular Receiver. Note: in VDA 7.16 and newer, the PDF Printer is included with the VDA installation and no longer needs to be installed separately.
  15. Note: as of Receiver for HTML 2.0, it’s no longer necessary to install App Switcher on the VDAs.

Other HTML5 Receiver configurations you can change by either editing C:\Program Files\Citrix\Receiver StoreFront\HTML5Client\configuration.js, or use the Citrix Workspace app (earlier known as Citrix Receiver) for Chrome and HTML5 – Configuration Utility downloadable from CTX229141.

  • HTML5 Receiver 2.6.4 improves PDF printing in Chrome and Firefox. Enable it by setting supportedBrowsers to true.
  • When printing from HTML5 Receiver to the Citrix PDF Printer, the user must click Continue to show the PDF. You can get rid of this prompt in 2.5.1 and newer. In the configuration.js file, scroll down to the line containing printDialog and set it to true.


  • From About Citrix Receiver for Chrome 2.0 at Citrix Docs: The new toolbar can be disabled or customized by editing the file C:\Program Files\Citrix\Receiver StoreFront\HTML5Client\configuration.js.

 

From Michael Bednarek at Citrix Discussions: There was a functionality change between StoreFront 3.0 and StoreFront 3.5 which affects the default client used for iPads. In SF 3.5, we default to using the native Receiver to launch apps on an iPad, as we expect this to be the majority use case. Unfortunately, on an iPad we are unable to actually tell whether you have the Receiver app installed or not, so we can’t do anything more intelligent out of the box.

There are two ways around this. Firstly, any iPad user can change between using native Receiver and using the HTML5 Receiver by going to the dropdown menu after logging on, and choosing “Change Receiver”. This will give you the chance to choose the HTML5 Receiver (“Use light version”) and your choice will be remembered for the next time you log on.

If this is no good, you can use a JavaScript customization to get back the old behaviour and make sure that iPad users default to HTML5.  See the forum post Cannot access citrix apps from ipad using HTML5 receiver post upgrade to SF 3.5 for the Javascript code.

 

If HTML5 Receiver is enabled, Chrome and Edge users have the option of selecting either native or HTML5 by clicking “Change Citrix Receiver“. To enable this option in IE or Firefox, see Emin Huseynov Citrix StoreFront 3.0 and HTML5 client.

 

From About Citrix Receiver for Chrome 1.9 at Citrix Docs: To enable enhanced clipboard support, on every VDA set the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\Virtual Clipboard\Additional Formats\HTML Format\Name=”HTML Format”. Create any missing registry keys. This applies to both virtual desktops and Remote Desktop Session Hosts.

 

Citrix Blog Post Receiver for HTML5 and Chrome File Transfer Explained:

  • How to use the toolbar to transfer files
  • Citrix Policy settings to enable/disable file transfer
  • VDA registry settings to control file transfer
  • HTML5Client\Configuration.js settings for client-side configuration
  • How to view HTML5Client log file

Deploy Citrix Workspace app / Receivers

  1. On the left, click the Stores node.
  2. In the middle, right-click your store, and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Deploy Citrix Receiver page, check the box next to Allow users to download HDX engine (plug in).
  5. Change both source drop-downs to Local files on the StoreFront server.
  6. For Windows, download one of the following:
    • Workspace app for Windows (version 1809). Workspace app is the new name for Receiver.
    • Receiver for Windows version 4.9.4000 (LTSR)
    • Receiver for Windows version 4.4.5000 (LTSR)
  7. For Mac, download Workspace app for Mac 1808Workspace app is the new name for Receiver.
  8. Click both Browse buttons and browse to the downloaded Workspace app and/or Receiver.
  9. You can optionally enable Upgrade plug-in at logon.
  10. Click OK when done, and Close when done.
  11. When users connect to Receiver for Web, they will be prompted to install or upgrade. Note: this only applies to Receiver for Web. Receiver Self-Service will not receive this prompt.

Safari 12 and Newer  💡

Safari 12 and newer disable NPAPI, so StoreFront 3.15 and older must be configured to use Receiver Launcher instead of NPAPI. StoreFront 3.16 and newer versions of StoreFront will already have this modification.

  1. Go to C:\inetpub\wwwroot\Citrix\StoreWeb and edit web.config using an elevated text editor.
  2. Near line 56, which starts with <protocolHandler, change the platforms attribute to the following. Essentially, you’re adding Safari 12 on Macintosh to the end of the regex. (source = Citrix Blog Post NPAPI support is being removed from Safari 12)
    "(Macintosh|Windows NT).*((Firefox/((5[2-9]|[6789][0-9])|\d\d\d))|(Chrome/((4[2-9]|[56789][0-9])|\d\d\d)))|Macintosh.*Version/(1[2-9]|[2-9][0-9]).*Safari/"

  3. Save the file. Later, you will need to Propagate Changes.

Receiver for Edge

The Receiver for Web experience in Microsoft Edge is not ideal. Every time a user clicks an icon, the user has the click the Open button after the .ica file is downloaded.

Citrix Blog Post Providing Full Receiver for Web Experience for Microsoft Edge has instructions for enabling the Receiver Launcher for Edge. Use your preferred text editor to open web.config for the RfWeb site you would like to configure (typically C:\inetpub\wwwroot\Citrix\StoreWeb\web.config). Locate the line like this: <protocolHandler enabled="true" platforms="(Macintosh|Windows NT).*((Firefox/((5[3-9]|[6789][0-9])|\d\d\d))|(Chrome/((4[2-9]|[56789][0-9])|\d\d\d)))(?!.*Edge)". Remove (?!.*Edge) and save the file.

But once you do that, you get a new switch apps prompt every time you launch an icon from Edge.

To stop the switch apps pop-up, on the client side, edit the registry, go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\receiver (create missing registry keys), create DWORD value WarnOnOpen, and set it to 0 (zero).

Receiver for Web Timeout

  1. On the left, click the Stores node.
  2. In the middle, right-click your store, and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Session Settings page, set the Session timeout as desired, and click OK.
  5. If you are using a NetScaler, you will need to change the Global Session Timeout located at NetScaler Gateway => Global Settings => Change Global Settings (right pane) => Client Experience (tab) => Session Time-out (mins).


  6. From CTX215701 How to Configure Session Timeout on StoreFront: If you increase the session timeout for RfWeb to be more than 1 hour, you have to also increase the maxLifetime appropriately in c:\inetpub\wwwroot\Citrix\Authentication\Web.config.
  7. If your desired timeout value is greater than 8 hours, you should also edit tokenLifeTime in c:\inetpub\wwwroot\Citrix\StoreWeb\web.config.

Default Tab

  1. By default, when a user logs in to StoreFront, the Favorites tab is selected. Users can go to other tabs to add icons to the list of Favorites.



  2. Trentent Tye has a simple customization for C:\inetpub\wwwroot\Citrix\StoreWeb\custom\script.js to default to the Apps tab if the user doesn’t have any favorites. See Citrix Storefront – Adventures in customization – Default to “Store” view if you have no favourited app’s.
    CTXS.Extensions.afterDisplayHomeScreen = function (callback) {
     /* If the user has no favorited apps, set the view to the apps view */
     if (CTXS.Store.getMyApps().length == 0) {
     CTXS.ExtensionAPI.changeView("store")
     }
    };
  3. You can completely remove the Favorites tab by going to Stores > Configure Store Settings > User Subscriptions, and choose Disable User Subscriptions (Mandatory Store).

  4. You can change the default tab and tab visibility by going to the Stores > Manage Receiver for Web Sites > Configure > Client Interface Settings page.
  5. When publishing applications in Citrix Studio, specify an Application category so the applications are organized into folders.
  6. If you change the default tab to Applications, then you might also want to default to the Categories view instead of the All view.
  7. To default the Apps tab to the Categories view instead of the All view, add the following code to the end of the file C:\Inetpub\wwwroot\Citrix\StoreWeb\custom\script.js. More details at Storefront 3.0 – change default view at Citrix Discussions.
    CTXS.Extensions.afterDisplayHomeScreen = function (callback) {
         CTXS.ExtensionAPI.navigateToFolder('/');
    };
    
    CTXS.Extensions.onViewChange = function (viewName) {
      if (viewName == 'store') {
        window.setTimeout(function () {
        CTXS.ExtensionAPI.navigateToFolder('\\');
        }, 0);
      }
    };
    

  8. Then when you login to StoreFront you’ll see Apps > Categories as the default view. This works in Receiver too.

Beacons

  1. On the left, right-click Stores, and click Manage Beacons.
  2. Configure an Internal Beacon. Receiver Self-Service tries to connect to the Internal Beacon to determine if Receiver is currently internal or not. If the Internal Beacon is reachable then Receiver Self-Service assumes it is internal, and thus connects to the StoreFront Base URL. If the Internal Beacon is not reachable, then Receiver Self-Service assumes it is external and thus connects to NetScaler Gateway. For this to work properly, the Internal Beacon must not be resolvable externally.
    If you are not doing Single FQDN, then the Internal Beacon can be the StoreFront FQDN since the StoreFront FQDN is usually only available internally.
    If you are doing Single FQDN, then you can’t use the StoreFront FQDN. Instead, you must use a different internal website for the beacon. If you need to support internal iPads, due to differences in how iPads determine location, the Internal Beacon should be a new FQDN that resolves to the StoreFront Load Balancing VIP thus requiring the StoreFront certificate to match both the Internal Beacon and the Base URL. If internal iPads are not needed, then the Internal Beacon can be any internal website.
    If you want to force internal Receiver Self-Service users to connect through NetScaler Gateway (for AppFlow reporting), you can set the Internal Beacon to a fake URL. Since the Internal Beacon is never resolvable, Receiver Self-Service always uses NetScaler Gateway. Or you can use Optimal Gateway to achieve the same goal.
  3. The External beacons are used by Receiver Self-Service to determine if the Receiver Self-Service has Internet access or not. You can use any reliable Internet DNS name. Click OK when done.

Propagate Changes

Any time you make a change on one StoreFront server, you must propagate the changes to the other StoreFront server.

  1. In the StoreFront console, on the left, right-click Server Group, and click Propagate Changes.
  2. You might see a message saying that you made changes on the wrong server.
  3. Click Yes when asked to propagate changes.
  4. Click OK when done.
  5. When you propagate changes, the default web page is not replicated to the other nodes. Copy C:\inetpub\wwwroot\web.config manually to each node.

Export/Import StoreFront Configuration

Use the following PowerShell cmdlets to export StoreFront Configuration into a .zip file (encryption optional) and import to a different StoreFront server group:

  • Export-STFConfiguration
  • Import-STFConfiguration

See Export and import the StoreFront configuration at Citrix Docs for details.

Auto-Favorite

To force a published application to be favorited (subscribed), use one of the following keywords in the published application description:

  • KEYWORDS: Auto = the application is automatically subscribed. But users can remove the favorite.
  • KEYWORDS: Mandatory = the application is automatically subscribed and users cannot remove the favorite.

With Mandatory applications there is no option to remove the application from Favorites.

Logon Simulator

ControlUp has a free Logon Simulator for StoreFront and NetScaler Gateway. You can run it on any machine to periodically test app launches from StoreFront.

The tool creates entries in the Application Log in Event Viewer. The events can be consumed by your monitoring tool.

Related Pages

183 thoughts on “StoreFront 3.5 through 3.16 – Basic Configuration”

  1. Did modifying that regular expression on the StoreFront web.config file seem to break the Receiver detection for anyone else? After changing that expression if I uninstall my Mac Receiver and try to log back into StoreFront it enumerates and skips the detection and prompt to install the 12.8.1 Receiver we are pushing out.

  2. I am trying to create a duplicate published and only have it viable in the zone the machine opening receiver is located in so as to have the application run from a local host in the zone the receiver is located. Could you point me to the documents defining this sort of configuration?
    Thanks
    Peter

    1. I think you need to configure your load balancer to add the header X-Citrix-ZonePreference with zone name to your StoreFront HTTP traffic from these clients. Or, if the users are always in the same location, then you can configure zone preference based on user group.

  3. Hi Carl,

    i have a strange issue

    when internal users (my domain users) trying to access my XenApp farm through Citrix receiver either on Netscaler either Storefront directly, receives Socket error 10038 unable to contact server, in the same time external access through Netscaler works fine.

    Have you something in mind?

    Thanks in advance

    1. Are you saying that it works through a browser but not through Receiver?

      When going internal direct, I think Citrix defaults to returning the FQDN of the VDA instead of the VDA’s IP address, which means the client machine must be able to DNS resolve the VDA’s FQDN. When going through Gateway, Receiver only connects to Gateway, and doesn’t need to connect directly to VDAs.

      1. Not working either through browser nor through Receiver and the DNS is able to resolve successfully VDA’s FQDN.

        Citrix farm is deployed on Azure

        when i try through Azure VM with receiver internally the connection worked without socket error

        but my local users establish connection through VPN tunnel with Azure VDA ‘s

        Regarding above information , can you think something else? maybe beacons?

        Thanks in advance

  4. Hello Carl,

    Thanks for all that information! I have a doubt about which kind of receiver I’ll use in my Xenapp 7.x enviroment, I have the lastest version of SF but I cannot find any discuss about HTML5 vs Windows Receiver, Pros vs Cons, something like that, did you wrote some article about that or do you know any one?

    Thanks !

    1. Windows Receiver is fully functional. HTML5 Receiver has fewer features, but does not need to be installed. HTML5 Receiver also has a requirement for SSL WebSockets, or internal NetScaler Gateway, whereas Windows Receiver works fine without ICA certificates.

  5. Hello, looking for some info on whether there is a limit on how many sites/farms can be managed through a single store in Storefront 3.0.1? Any help is appreciated

  6. Hi Carl. I just recently did an in-place upgrade from Storefront 3.7/Director 7.11 to 7.15LTSR CU (SF 3.12.2000.8)
    When I completed the upgrade and rebooted my Storefront server, it lists 7.15LTSRCU for Director and Storefront in the Programs and Features, but still has Citrix XenDesktop 7.11. There are still folders for XenDesktop, but when I launch Storefront it opens the new version. I’m afraid if I uninstall it, it might remove files from the upgrade. Any ideas?

  7. Just a question on Storefront Upgrade. I am upgrading to 3.12 and you mentioned that we need to export configuration. In a normal upgrade, does it actually wipe the configuration or you export just because of a “just in case” situation – to be on the safe side..

  8. Hi Carls,
    I have two storefront servers having version 3.6 running on WS 2008 R2. I want to add two new storefront servers having version 3.12 and want to propagate the changes from existing servers to New servers. Just want to confirm if propagation possible with different Storefronts versions servers running on different windows servers.

    1. Not supported. You’ll need to upgrade the existing ones first. Or export the config from old and import to new.

  9. Hello Carl,
    How can I set up two stores one expecting http and the other expecting https on the same server.

    Essentially I currently have users using the http site, but I am deploying new machines with the receiver on them. I want to deploy a SSL store since I am pushing out receiver withouth affecting my existing users’s experience. As such I need a store with an https base URL ( I think) can I host multiple BaseURLs on the same SF server to accomodate the secure and insecure stores?

    Thanks for the wealth of information you provide.

    1. I don’t think browsers care how you connect. Receivers insist on https.

      In the RfWeb > Configure > Advanced Settings, make sure Loopback Processing (the third line) is set to OnUsingHttp.

      http vs https is an IIS and Base URL setting. It has nothing to do with the store.

  10. Hosts file:

    If the Load Balancing FQDN (e.g. storefront.corp.com) and NetScaler Gateway Callback FQDN (e.g. callback.corp.com) are listed in DNS why would we need the Hosts File edited?

    We have 2 x HA pair of NetScalers, DMZ Pair are the NetScaler GW and Internal HA Pair are the NLB pointing at our 2 x StoreFront Servers. Everything is 7.15 are NetScaler 12

    We use a signal FDQN for access both internally and externally.

    1. It used to be more important when StoreFront did not support loopback and you had to add the Base URL FQDN with 127.0.0.1 address.

      Different environments resolve DNS names in different ways. I usually ping the name to make sure it resolves to the Gateway that I need it to go to. If not, then I modify the hosts file.

  11. Hi, I am having problems to open apps from remote access, I have the Storefront natted and this was access by the client, however after login-in in the web interface, and clicking the application users receive this error “unable to launch you application, ……. cannot connect to the citrix xen app server. there is no citrix xenapp server configured on the specified address.”

  12. Hi Charl, I was wondering if you know of a way to suppress the ‘Open Link’ window that popups when passing a file to the local browser. The popup window only remembers the ‘Yes, Open in device’ for the current session, next time round it shows it again. Our users don’t like it popping up all the time

  13. Hi Carl,

    I have an issue regarding to SSL certificate.

    We use XenApp&XenDesktop 7.15.1000. StoreFront server is XDSF01(primary) and XDSF02. Base Url: https://citrix.companyname.corp/. We use InfoBlox as DNS solution. I add “citrix” as alias to XDSF01 and XDSF02 servers.

    The issue is when connecting to https://citrix.companyname.corp/, users will see a certificate error webpage. “There is a problem with this website’s security certificate.” Users have to click continue to get to the StoreFront website. However, if connecting to https://xdsf01.companyname.corp/, then there is no error. Users can get to the StoreFront website directly.

    I use this way to create certificate: MMC – Certificate(Local Computer) – Request New Certificate – Properties – Add Common name “CN=citrix.companyname.corp” and Add DNS “citrix.companyname.corp”.

    However, after certificate created, in Certificate Details tab, I see the value of Subject Alternative Name is automatically changed to “DNS Name=XDSF01.companyname.corp”. I tried several times but still the same.

    Do you think it is the cause of my issue? If so, can you please kindly advise how to fix it? Thanks a lot.

      1. Yes, we are using Microsoft CA. Can you please advise me where I can check the setting for “accept SAN”? Thanks.

          1. Hi Carl,

            I ran the command on our CA server (Win2008r2 OS) and restarted the certificate service, but I still cannot add SAN in the certificate.

            The certificate template I am using is Computer. Here is how I requested a certificate. On one of StoreFront server, MMC -> Certificate(Local Computer) -> Request New Certificate -> Configured by your administrator -> Under “Active Directory Enrollment Policy”, check “Computer” template -> click Properties to add Common name “CN=citrix.companyname.corp” and add DNS “citrix.companyname.corp”. -> Enroll.

            Btw, we use F5 to load balance two StoreFront servers. It works well. We don’t have NetScaler. The only issue for us is this certificate error when accessing storefront through https.

          2. I wonder if the Computer certificate template won’t accept subject names in the request. Can you try the Web Server certificate template?

  14. Carl,
    I am having a issue with the timeout for storefront. If I set my session time out to 15minutes and I have an app that I am actively working in it still time out so if I need to login to another app I am prompted to login again. Is there a workaround to this?

    1. StoreFront and sessions are separate timeouts. There’s no link between them. There’s no way for StoreFront to know that you are actively working in a published app.

      1. ok, how about the gateway. I am using netscaler, can I have the gateway time out instead or will it not know that I have an active app running?

        1. Gateway has a timeout for StoreFront (AAA) but I don’t think it applies to sessions (ICA). Otherwise, same story – AAA / StoreFront doesn’t know what you’re doing in ICA.

          1. ok. here is what I am trying to accomplish, maybe you can let me know if it is possible and how to go about getting it done.
            user connects to NS GW after they authenticate it passes them to SF. They open a published app and they are working, I want to be sure that if they walk away and the session is inactive for let’s say 15 minutes that the app closes and the session terminates so they are forced to login again. (the app close part I am using GP for remote desktop which works). The other part is that I need that session to close so they are forced to login and if they are still active in a specific app for more than 15 minutes and they then decide to open another app it should open without prompting to login.
            Please let me know how to go about getting this done.
            thanks.

          2. RDS Timeouts (GPO) control session idle timeouts.

            Receiver for Web timeout is usually much lower (e.g. 15 minutes) and usually times out much quicker than the session. It’s the Receiver for Web timeout that dictates if a login is needed again.

            If users launch multiple apps, it might be easier for the user if you publish a desktop. Once on the desktop, the user can launch anything. And only the session (RDS) timeout applies.

  15. Hello Carl,

    I’ve tested to create a new account without password, but when I logon to SF without inputing the password, it prevents me from logon and message shows “Please input your password”.
    Is this by design? Or any configurations we can change to logon without password.

    1. Are you trying to do Anonymous apps? If so, you can create a Store that’s specifically for Anonymous.

      Or are you trying to do Citrix FAS?

Leave a Reply