NOTE: An up-to-date blog with NetScaler 10.5 and Storefront 2.5.2 can be found here!
In this blog I will describe step-by-step how to configure the Citrix NetScaler Access Gateway VPX with Citrix StoreFront. This includes uploading the VPX to the XenServer, configuring the NetScaler, creating and installing the SSL certificate, creating and configuring the Access Gateway, the redirection to the Citrix StoreFront server and finally the configuration of the Citrix StoreFront server itself.
Before you begin, make sure you have the Java Runtime installed and that you have a license file for the NetScaler. The Citrix NetScaler Access Gateway needs an SSL certificate, so make sure you can have a certificate issued by a CA. For this blog I will use Go Daddy and describe the steps for requesting the certificate there.
To install and configure Citrix StoreFront 1.2, see my previous blog here.
Downloading and Uploading the NetScaler Access Gateway VPX to the XenServer
For this installation I will download “Access Gateway VPX for XenServer Build 10.0.73.5002e Enterprise Edition” from the Citrix website.
After downloading the VPX, open XenCenter, open the File menu and choose the option Import…
Browse to the VPX file and click Next
Select your XenServer and click on Next
Select the storage you want to upload the NetScaler to and click Import
Select the network interface you want to connect the NetScaler to and click Next
Click Finish
Configuring the Netscaler Access Gateway VPX
Start the NetScaler and go to the Console tab of the virtual machine (XenCenter). Enter the desired IP address (this will be the management interface IP address, a.k.a. the NSIP), netmask and gateway address.
After entering all the network information a menu should appear, but in this version of the NetScaler it does not. From earlier versions I know that option 4 is “Save and Quit”, so type 4 and press Enter
After the NetScaler has rebooted, open Internet Explorer and enter the NSIP address (management interface IP address). Log in with user name nsroot and password nsroot (the factory default; change it once the initial configuration is done)
On the Configuration page, click Setup Wizard...
Click Next
Enter the Host Name (keep in mind that the host name in the license file is case sensitive). In my case the resource servers are on the same subnet, so I choose the option Mapped IP and fill in the IP Address and Netmask.
Click on Manage Licenses
Click on Add to browse to your license file.
Click OK
Click on No (!!)
Click on Next
Click Finish
Optionally click on Configure Time Zone
Select the correct time zone and press OK
Click Exit
Click on Reboot
Select Save configuration and press OK
Installing the SSL Certificate
On the Configuration tab go to the SSL menu, on the right side of the screen click on Create RSA Key
Fill in the following information:
Key Filename: “name”.key, anything you like
Key Size (bits): 2048
Public Exponent Value: F4
Key Format: PEM
PEM Encoding Algorithm: DES3
PEM Passphrase: A password you like
Verify Passphrase: Same as above
Click on Create and then Close
The next step is to create a request that needs to be sent to the CA. On the right side of the screen click on Create CSR (Certificate Signing Request)
Fill in the following information:
Request File Name: “name”.REQ, anything you like
Key File Name: Browse to the .KEY file you just created
Key Format: PEM
PEM Passphrase (For Encrypted Key): The password you specified in the previous step
Common Name: This is the address the users will type in their browsers
Organization Name: The name of your organization
Country: Your Country
State or Province: Your State or Province
Challenge Password: A password you like
Click on Create and then Close
The .REQ file needs to be downloaded so it can be submitted to the CA. Go to “Manage Certificates / Keys / CSRs”
Select the .REQ file and click Download. Click on Browse to choose a “Save in” location, click on Download and then Close.
Open the .REQ file in Notepad and copy all the text. Go to your CA (Go Daddy in this case) to request the certificate or re-key an existing certificate by pasting the text from the .REQ file.
After creating the certificate, download it. Select IIS7 as server type.
After downloading the certificate, go back to “Manage Certificates / Keys / CSRs” under the SSL menu of the NetScaler and Upload the .crt file.
Go to the menu SSL > Certificates. On the lower side of the screen click on Install...
Fill in the following information:
Certificate-Key Pair Name: Any name you want
Certificate File Name: Browse to the .crt file you just uploaded
Private Key File Name: Browse to the .KEY file created earlier
Password: The password entered when creating the request
Certificate Format: PEM
Click on Install and Close
After the installation you can see the status and the number of days until the certificate expires.
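The key and CSR steps above, reproduced with openssl as an added example (not code from the original post or from Citrix) so that the CSR can be checked against the key before the pair is installed on the NetScaler; the file names, passphrase and subject fields are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post or from Citrix: the
# "Create RSA Key" and "Create CSR" steps done with openssl, plus a check
# that the CSR really belongs to the key before the pair is installed.
# File names, passphrase and subject values are constructed placeholders.
set -eu

KEY_FILE=${KEY_FILE:-gateway.key}
REQ_FILE=${REQ_FILE:-gateway.req}
PASSPHRASE=${PASSPHRASE:-placeholder-passphrase}   # the PEM passphrase
COMMON_NAME=${COMMON_NAME:-access.example.com}     # address users type in
ORG=${ORG:-Example Organisation}
COUNTRY=${COUNTRY:-NL}
STATE=${STATE:-Example Province}

# Key Size 2048, Public Exponent F4 (65537, openssl's default), PEM
# format, DES3-encrypted with the passphrase: the same values as the GUI.
create_rsa_key() {
    openssl genrsa -des3 -passout "pass:$PASSPHRASE" -out "$KEY_FILE" 2048 2>/dev/null
}

# The CSR carries Common Name, Organization, Country and State; the
# encrypted key is unlocked with the passphrase from the key step, which
# is why both steps must use exactly the same passphrase.
create_csr() {
    openssl req -new -key "$KEY_FILE" -passin "pass:$PASSPHRASE" \
        -subj "/C=$COUNTRY/ST=$STATE/O=$ORG/CN=$COMMON_NAME" \
        -out "$REQ_FILE" 2>/dev/null
}

# Prints "match" when the CSR's public key belongs to the private key
# given as $1 (default: the key created above). A CSR made with another
# key yields a certificate that can never be paired on the NetScaler.
csr_matches_key() {
    key=${1:-$KEY_FILE}
    key_mod=$(openssl rsa -in "$key" -passin "pass:$PASSPHRASE" -noout -modulus 2>/dev/null || true)
    req_mod=$(openssl req -in "$REQ_FILE" -noout -modulus 2>/dev/null || true)
    if [ -n "$key_mod" ] && [ "$key_mod" = "$req_mod" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Prints the CSR subject so the CN can be compared with the external name.
csr_subject() {
    openssl req -in "$REQ_FILE" -noout -subject
}

create_rsa_key
create_csr
csr_subject
csr_matches_key
```

The same modulus comparison can be run against the .crt file returned by the CA (openssl x509 -noout -modulus) before the Install step, which catches a re-keyed certificate that no longer matches the key on the appliance.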
Create the Access Gateway Virtual Server
On the Configuration tab go to VPN and then on the right side click on Access Gateway wizard
Click on Next
Fill in the IP address; this is the internal address your public IP address must be forwarded to. Fill in port number 443 and the Virtual Server Name (anything you like). After this wizard, configure your router and/or firewall to forward port 443 (and optionally port 80) from outside to this IP address.
Under Certificate Options choose Use an installed certificate and private key pair. Under Server Certificate choose the certificate installed in the previous step.
Fill in the IP address of your DNS server and leave WINS IP Address blank. Choose DNS as Name Lookup Priority and click Next.
Choose LDAP as authentication type. Under Connection Settings fill in the requested information as shown in the screenshot above and click on Retrieve Attributes
Click OK
Set Configure Authorization to Allow. Optionally you can enable Port 80 redirection. Click Next
Select what is applicable and click Next
Click Finish
Click Exit
The next step is to configure the LDAP server and LDAP policy and assign it to the Access Gateway. Go to menu VPN > Policies > Authentication/Authorization > Authentication > LDAP. On the right side of the screen select the Servers tab, on the lower side of the screen click Add
Fill in the following information:
Name: Any name you want
IP Address: The IP address of your AD Domain Controller
Base DN (location of users): Distinguished Name of the domain
Administrator Bind DN: The account the NetScaler binds with to look up users (I use a domain administrator account here; an account with read access to the user objects suffices and is the safer choice)
Administrator Password: The password of that account
Confirm Administrator Password: Same as above
Click on Retrieve Attributes
Click OK
Click on Create and Close
Go to the Policies tab and click Add
Fill in the following information:
Name: Any name you want
Server: The LDAP server created in the previous step
Select the True value expression, click Add Expression, then click Create and Close
Go to menu VPN > Virtual Servers on the right side of the screen, right click the server and click Open
Go to the Authentication tab and click on Insert Policy to apply the policy created in the previous step. Click OK
At this moment you can already log on to the NetScaler with the external URL (provided you have configured the router to forward port 443 traffic to the Access Gateway IP address).
Configure Access Gateway to redirect to Citrix StoreFront
Go to menu VPN and on the right side of the screen click Published application wizard
Click Next
Select the Virtual Server Name created in previous steps and click Next
Under “Web Interface Address” enter the internal web address of the Citrix StoreFront server. Under “Single Sign-on Domain” enter your domain name. Click Add to add the STAs of your XenApp server(s) and/or XenDesktop server(s) in this format: “http(s)://<servername>”. In previous versions it was necessary to append “/scripts/ctxsta.dll” to this path, but with this version of the NetScaler it is not needed (at least in my case).
Click Next
Select “SETVPNPARAMS_POL” and click Next
Click Finish
Click Exit
Citrix StoreFront has by default a “Green Bubble” theme. This theme is also available in the NetScaler Access gateway. To configure the same theme on the NetScaler go to menu VPN > Global Settings and on the right side of the screen click Change global settings.
Open the Client Experience tab and select the GREENBUBBLE UI Theme. Click OK
Go to the Published Applications tab and set ICA Proxy ON. Click OK
Configure Citrix StoreFront
The final step is to configure the Citrix StoreFront server to work with the NetScaler Access Gateway.
Go to the StoreFront server and open the Authentication tab, on the right side, click on Add/Remove Methods
Select all the options and click OK
Go to the Gateways tab, on the right side of the screen click Add Gateway Server
Fill in the Display name (any name you like). In the Gateway URL field fill in the external NetScaler address users will enter in their browsers (https://...) and append “/Citrix/<storename>Web” to it (see screenshot). Click Next.
Fill in the Callback URL; this is the external NetScaler address (https://...). The StoreFront server itself must be able to resolve this address to the Access Gateway (see the Troubleshooting section). Click Next.
Click Add and enter the STA’s of your XenApp and/or XenDesktop servers and click OK
Click Create
Click Finish
Go to the Stores tab and click Enable Remote Access
Select Full VPN tunnel and click OK
At this point everything should be working. If the NetScaler does not successfully forward to the StoreFront website, make sure the NetScaler can resolve the NetBIOS name of the Citrix StoreFront server (or its alias). If it cannot, add a DNS address record for the StoreFront server (or alias) to the DNS of the NetScaler.
You can now access the Citrix NetScaler Access Gateway at https://<server address>
After the logon you will be redirected to the Citrix StoreFront server with the same UI Theme.
Troubleshooting
Cannot Complete your Request
When receiving this error, make sure you applied the following:
Edit the Windows hosts file on the StoreFront server and add an entry mapping the external address to the IP address of your (internal) Gateway VIP. For example: 192.168.1.5 citrix.robinhobo.com
As an alternative you can create a DNS record
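The StoreFront-side settings from the previous section and the hosts entry above, as an added pre-flight check (not code from the original post or from Citrix): StoreFront fetches the Callback URL on the gateway to validate each session, so from the StoreFront server the external name must resolve to the internal Gateway VIP. The hostnames, addresses, store name and STA entries are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or from Citrix: pre-flight
# checks for the StoreFront-side values (Gateway URL, Callback URL, STA
# list) and for the hosts entry from the troubleshooting section.
# All hostnames, IP addresses and the store name are constructed placeholders.
set -eu

# Prints the address the hosts file ($1) maps NAME ($2) to, or nothing.
# Comment lines are skipped and the match is case-insensitive, as the
# Windows hosts lookup is.
hosts_lookup() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(want)) { print $1; exit } }' "$1"
}

# Host part of an http(s) URL: scheme, port and path stripped.
url_host() {
    h=${1#*://}; h=${h%%/*}; echo "${h%%:*}"
}

# The Gateway URL entered in StoreFront must be https and must end in
# /Citrix/<storename>Web, here checked against store name $2.
gateway_url_ok() {
    case $1 in
        https://*/Citrix/"$2"Web) echo ok ;;
        http://*)                 echo not-https ;;
        *)                        echo bad-path ;;
    esac
}

# StoreFront itself contacts the Callback URL ($2) on the gateway to
# validate the session token, so on the StoreFront server the external
# name has to map to the internal Gateway VIP ($3) via the hosts file ($1).
callback_ok() {
    case $2 in https://*) ;; *) echo not-https; return 0 ;; esac
    ip=$(hosts_lookup "$1" "$(url_host "$2")")
    if [ -z "$ip" ]; then echo no-hosts-entry
    elif [ "$ip" != "$3" ]; then echo wrong-ip
    else echo ok
    fi
}

# STA entries are http(s)://<servername>; the older /scripts/ctxsta.dll
# suffix is still accepted because some builds require it.
sta_ok() {
    u=${1%/}
    case $u in
        http://?*/scripts/ctxsta.dll|https://?*/scripts/ctxsta.dll) echo ok-legacy-path ;;
        http://*/*|https://*/*)   echo bad-path ;;
        http://?*|https://?*)     echo ok ;;
        *)                        echo bad-scheme ;;
    esac
}

# Constructed hosts file as it should look on the StoreFront server:
# the external gateway name maps to the internal Gateway VIP.
HOSTS=$(mktemp)
cat > "$HOSTS" <<'EOF'
# constructed sample hosts file
127.0.0.1       localhost
192.168.1.5     access.example.com
EOF

echo "gateway url:  $(gateway_url_ok https://access.example.com/Citrix/StoreWeb Store)"
echo "callback url: $(callback_ok "$HOSTS" https://access.example.com 192.168.1.5)"
echo "sta xenapp01: $(sta_ok http://xenapp01)"
echo "sta legacy:   $(sta_ok https://ddc01/scripts/ctxsta.dll)"
```

Point HOSTS at a copy of C:\Windows\System32\drivers\etc\hosts from the StoreFront server to check the real entry; a wrong-ip or no-hosts-entry result is the usual cause of the “Cannot Complete your Request” error after a successful gateway logon.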
Nice Article!
I noticed in some newer versions (I’m running NS10.0: Build 74.4.nc, Date: Feb 18 2013, 03:27:14) there is no UI option green bubble anymore!
keep up the good work!
Jan
Thanks!
Jan- The UI customization pull-down is currently only available in the enhancement builds of the NetScaler. Not on maintenance.
thanks for the post, we plan on testing this config to replace CSG.
I was wondering about the network design for this config. Do you have the VPX in the DMZ and storefront on a windows box on the internal network?
Yes, the NetScaler VPX is in the DMZ, the StoreFront servers are on a Servers VLAN.
Loved your post !! One question: are both the gateway VM and the NetScaler app supposed to be on the DMZ? My current setup is gateway on the DMZ and the NetScaler app on the internal LAN with a MIP that is also on the same LAN.
thanks for the help 🙂
Thank you. For this post the NetScaler and the Access Gateway are in the DMZ, but you can install the Access Gateway in the DMZ and the NetScaler on the internal LAN, no problem.
Very nice step by step!
Thanks.
Thanks so much!
It’s not working for me, but one question: do you need to log in two times, or just one time and then you will be redirected to your apps directly?
If you have configured your StoreFront as described in the above blog you only have to log on once (at the NetScaler interface). What is not working for you?
From the beginning I had problems with authentication. On NetScaler it’s ok but when it redirects me to StoreFront it is not working and even if I put in my credentials I can’t log in. SSL is fine but there is no way. Any ideas? Internally I can log in to StoreFront. NetScaler is in DMZ.
If you add the following entry to the host file on every StoreFront server the problem is probably solved: “IP address Access Gateway server” “external address” (for example: 192.168.10.38 access.domainname.com)
Hi Robin ,
I have the infamous 1100 error from time to time ….
setup : netscaler 10.5 ( DMZ) storefront 2.6
will the hosts file help in my case, or other fixes?
thanks for your help
Other question
How to configure store access through netscaler. Web works ok. Thanks for your help.
Very nice blog! Everything worked for me via the web client, but the receiver client won’t work either internally or externally. Any tips greatly appreciated.
Does this not work if the StoreFront server is running HTTPS?
I have followed the instructions and when I go to my NAGEE site it changes the URL to https://access.mydomain.com/Citrix/stornameWeb but I just get a 404 error.
As I’ve pored over the guide again and again the only difference I can find in my setup is my StoreFront server is running HTTPS.
Nevermind, I think I figured it out. In the published application settings I changed the URL for my StoreFront server to http instead of https and it seems to be forwarding through now.
It looks like I have some quirky authentication issue to overcome and I should be in business.
Thanks very much for the clear step-by-step instructions. It really helped a lot!
Only thing is that on my VPX appliance, which I downloaded only a week ago, so it should be the latest version, I did have to add the extension /scripts/ctxsta.dll to the STAs in order for them to be shown in the UP status.
The other thing is NOT to add the domain suffix to the host name of the NetScaler when you run the Setup Wizard. I did, but only after I removed it could I log on and start the Desktop. Before that I got the infamous “Connection error 1030” error.
Great guide. Can you advise if you have to configure profiles and http headers for legacy clients the way you need to with Web Interface?
If so is it possible to add this to your guide for reference?
Chris,
I think I have this error here. In which wizards didn’t you add the domain suffix?
Regards, Falko
Good document. I’m still having some problems: in my internal network I can access the GW server which redirects to StoreFront and logons work, I can see applications from both XenApp and AppController although none of them launch yet (I get SSO and other errors).
If I try to access the gateway externally I can only do so via the external IP address and while it brings up the Storefront logon details it will not actually log me in so I’m a bit baffled, I’ve followed all guides that I can see. Any help appreciated
This may be a few things.. Have you enabled “Pass-through from Citrix Access Gateway” as authentication type in StoreFront? Have you set the Callback URL correctly, and can you add your external URL to your local hosts file pointing to the internal IP address of the Access Gateway (on the StoreFront server)? Can you also check whether your STAs are properly set within StoreFront?
Hello,
Is it easy to configure Active sync for smartphone with Access Gateway?
Thank you for this article.
Hi Robin,
Thanks for nice article.
What will be STA path for XenDesktop 7 ???
– Yash Pradhan
For Citrix XenDesktop 7 the STA path is exactly the same as for Citrix XenDesktop 5.6.
Thanks Robin for your quick help!!!
Thank you for a very informative, well documented article. I followed it, & IT WORKED!!!
Thank you
Hi Robin, Great post and thanks for the effort you put into your posts.
I hope you can help me with something. I’ve followed it just as you have posted but when I authenticate at the access gateway it brings me to the storefront fine. I can’t log in there though. When I enter the username and password nothing happens, it just looks for the password again. No warning messages or anything.
Any ideas?
Thanks
Conor
Conor, If you add the following entry to the host file on every StoreFront server the problem is probably solved: “Internal IP address Access Gateway server” “external address” (for example: 192.168.10.38 access.domainname.com). Also check if your STA’s are correct and that the NetScaler Authentication type is enabled within StoreFront.
Thanks Robin,
No joy with that. STA’s are all showing green and remote access is enabled.
Hey Guys … I’m facing exactly the same problem Conor talked about.
I’ve also tried the hosts file solution in both of my store front servers, but no deal.
Any clues ? Almost losing the few hairs I have.
Hello Robin,
Do you have any experience with Receiver for Windows RT and NetScaler 10.0 with StoreFront?
Greetings,
Evert-Jan
I’ve tried it on my Surface tablet, but it does not work since I use StoreFront 2.0. I can make the connection, but I don’t see my Published Apps and Desktops. Hope they come soon with a Receiver for Windows RT update which does support StoreFront 2.0..
Thanks for the great article, I followed your instructions and got it working up to the point of trying to launch an app.
I am able to log in through the NetScaler Gateway and my apps are listed after I have authenticated, but when I click on one to try to launch it I am given a message saying simply “Cannot Start App”
If I navigate directly to the storefront server I am able to start the app fine. Any ideas about what might be going on?
Thanks again for your help.
Hi Dustin R, I get the exact same problem. Logging on to the store locally I can start the published apps but through the netscaler I can list them but get an error msg when trying to start them. Did you solve the problem?
Maybe it will help – was useful for me: There is a documented bug in all versions of StoreFront (including 2.5) which prevents StoreFront from authenticating users when Remote Access option is enabled but passthrough authentication not utilised.
To work around this, edit the web.config in the inetpub\wwwroot\\web.config
Search for requireTokenConsistency="true" and change this to requireTokenConsistency="false"
Save the file.
(found on http://neil.spellings.net/2012/12/02/how-to-use-different-usernames-for-two-factor-authentication-on-access-gateway-advanced/)
Hi, Do you require additional licenses for storefront if you have Xenapp enterprise licenses?
No, if you have a XenApp license, you can use StoreFront with no extra charge.
Thanks for Documentation!!!
Robin, I’m a bit confused, probably just being stupid, but where / how do I configure my Access Gateway internal IP address? Going through the installation I have ended up with a single IP address for the Access Gateway, which is on the external network. I have two separate networks 10.0.1.0 (External) and 192.168.1.0 (Internal) and I am getting very confused trying to configure the networking for NetScaler and Access Gateway.
The first IP address is for the NetScaler itself; in this post, after installing the SSL certificate, I started the Access Gateway wizard. There you configure the Access Gateway IP address.
Hi Robin,
Great article, my question is about the STA’s. Should they be my XenApp servers or can I point them to my StoreFront server? Storefront sits on a different server to any of my XenApps.
Thanks
J
You need to configure your XenApp or XenDesktop controllers as STA, not your StoreFront server.
Hi Robin, How can I configure the access gateway AND storefront 2.0 for ipad and mobile device access?
Hi Robin,
Excellent article buddy, it has helped me out loads.
Can you kindly give some insight into how VPN access (access to networkshare’s and resources not Xenapp or XD) is setup in a netscaler environment?
I am a little confused.
This site was… how do you say it? Relevant!!
Finally I’ve found something that helped
me. Thank you!
Hi Robin,
I was not able to make it work in my lab – yet. I am using a newer version of NetScaler VPX (10.1) and a newer version of StoreFront (2.1) so it looks slightly different.
I am confused by the Callback URL. The URL ends with /CitrixAuthService/AuthService.asmx. ASMX is an extension which I see being used for web service endpoints on IIS, but the VPX is running FreeBSD so I don’t understand how the VPX is listening for web service calls at this URL. I configured it with the address of the virtual server running on the appliance, is that correct?
Thanks,
Matthias
Great guide.
For me I’m still having problems opening and starting apps externally, internally everything works fine.
Externally everything works fine (login, autologin on StoreFront) but it stops when I open the application. It gives me the ICA and starts the app but it keeps saying “connecting” and eventually gives me error 1030.
We are using proxy.
Any ideas?
Thanks,
Thijs
It seems that the NetScaler cannot connect to your XenApp/XenDesktop server where the app/desktop is hosted. Are there any firewalls that block the connection?
Can this be done using https to the storefront site?
Yes, it’s even recommended.
Hi Robin,
thanks for this great article.
Do you make a new article with Netscaler ADC 10.1 and Storefront 2.1 in the future?
Thanks,
Chris
Thanks! I have no plans to write that blog, maybe with a new mature release of the NetScaler.
Hello Robin,
I have a question regarding NetScaler AG and STA. I have one StoreFront, one Delivery Controller and one XenApp Server in my internal network. From there everything is working fine. But when I connect from external through NetScaler I get a HTTP 500 after login. Furthermore my STA is showing as down in the NetScaler console. Where do I find the ctxsta.dll or how can I make my XenApp server become a STA? I am confused. Thanks in advance for your help.
Regards
Alex
By default, a XenApp server, a XenDesktop Controller and the Citrix AppController can be used as STA. Have you tried it with FQDN?
Hi Robin,
Top article, has helped me out a lot. Just wondering if this works with XenApp 7.5?
Yes, that works fine 🙂
I am trying to get applications to show up in the NetScaler Access Gateway, but I get a “This content cannot be displayed in a frame”. I was wondering if anyone got this to work with 10.5 and Citrix 2.5.
My main use case is that I want to publish links securely but not host the hyperlinks on xenapp. This seems like a pretty basic function for this device.
Thanks a lot
Great article. You may also want to add in a step about creating either a hosts record on the StoreFront machines internally for the VIP, for example 10.2.50.131.myinternaldomain.com, or creating a DNS record. If you don’t have those set up then you may encounter an issue after authenticating with the error “Cannot Complete your Request”
Hi Tony, thanks for the tip. Added a troubleshooting part at the end of this blog now. Regards, Robin
Do we still need to add the load balanced StoreFront URL and Callback URL to the hosts file on the StoreFront server? I don’t see it listed anywhere in Citrix’s documentation.