With the release of Citrix XenDesktop 7, Citrix also released Citrix StoreFront 2.0. One of the biggest improvements is that StoreFront does not use a Microsoft SQL database anymore! This simplifies the installation because you no longer need to run the database setup scripts. The HTML5 HDX Receiver is also fully integrated into StoreFront now and no longer requires a separate installation.
This guide describes the step-by-step installation of Citrix StoreFront 2.0 and how to configure the StoreFront server, including a secure connection over HTTPS, IIS default site redirection, the HTML5 HDX fallback receiver and Remote Access with NetScaler Access Gateway.
For the secure connection over HTTPS you need to install a server certificate (described in this guide). Make sure you have Active Directory Certificate Services with the Certification Authority and the Certification Authority Web Enrollment roles installed in your environment. Also make sure the root CA certificate is installed on every client and StoreFront server.
Installing Citrix StoreFront 2.0
Start the setup, select I accept the terms of this license agreement and click Next
Click Next
Click Install
Click Finish
The administration console will now start automatically. To enable a secure connection over HTTPS, it is important to first install the server certificate before configuring StoreFront.
Installing a Server Certificate
When using more than one StoreFront server in your environment, make sure you have created a DNS Host (A) record pointing to the StoreFront load balancer address. It’s important to use that name for the server certificate.
Open the Internet Information Services (IIS) Manager and open Server Certificates
On the right side of the window click Create Certificate Request
Fill in the requested information. For Common name, enter the StoreFront load balancer address; in this case I use “storefront.hobo.lan”.
Select Microsoft RSA SChannel Cryptographic Provider and a 2048 bit length.
Save the request to a text file and click Finish
Open Internet Explorer and browse to http://<your Certification Authority server>/certsrv
Click on Request a certificate
Click on advanced certificate request
Click on Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
Open the saved request file, select all text and copy the text into the Saved Request field. Select Web Server as Certificate Template and click Submit
Select Base 64 encoded and click Download certificate to download the certificate file.
Go back to the Internet Information Services (IIS) Manager and click Complete Certificate Request
Browse to the certificate file, enter a Friendly name, and select Personal as certificate store. Click OK
On the left side of the window, select Default Web Site, on the right side, click Bindings
Click Add
Select HTTPS as Type and select the StoreFront SSL certificate. Click OK
Click Close
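A scripted check of the result of the certificate steps above, as an added example that is not part of the original guide: it reads the certificate bound to HTTPS on the Default Web Site and reports whether the name, key length, validity and trust chain match what the guide calls for. `Test-StoreFrontCertificate` and the 30-day warning window are assumptions; `storefront.hobo.lan` is the name used in this guide.

```powershell
# Added example, not from the original guide. Test-StoreFrontCertificate is a
# hypothetical helper; run it elevated on each StoreFront server.
Import-Module WebAdministration

function Test-StoreFrontCertificate {
    param(
        [string]$SiteName     = 'Default Web Site',
        [string]$ExpectedName = 'storefront.hobo.lan',  # load balancer name used in this guide
        [int]$MinKeyBits      = 2048,
        [int]$WarnDays        = 30                       # assumed renewal warning window
    )

    # Find the certificate that the site's HTTPS binding actually serves.
    $binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
    if (-not $binding) { throw "No HTTPS binding found on '$SiteName'." }
    $store = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { 'My' }
    $cert  = Get-Item -Path "Cert:\LocalMachine\$store\$($binding.certificateHash)" -ErrorAction Stop

    # Build the chain against the local trust stores. Revocation is skipped so the
    # result reflects only whether the issuing root CA is trusted on this machine.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    $now = Get-Date
    $result = [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        # DnsNameList holds the subject CN and any SAN DNS names (exact match only).
        NameMatches   = @($cert.DnsNameList | ForEach-Object { $_.Unicode }) -contains $ExpectedName
        KeyBits       = $cert.PublicKey.Key.KeySize
        HasPrivateKey = $cert.HasPrivateKey
        ValidNow      = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        ExpiresSoon   = $cert.NotAfter -le $now.AddDays($WarnDays)
        ChainTrusted  = $chainOk
        ChainErrors   = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
    $pass = $result.NameMatches -and ($result.KeyBits -ge $MinKeyBits) -and
            $result.HasPrivateKey -and $result.ValidNow -and $result.ChainTrusted
    $result | Add-Member -NotePropertyName Pass -NotePropertyValue $pass -PassThru
}

Test-StoreFrontCertificate | Format-List
```

A `ChainTrusted` value of False with an untrusted-root entry in `ChainErrors` means the root CA certificate is missing from that server's trusted root store.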
Configuring Citrix StoreFront 2.0
In the next part I will set up the Store and configure the basic settings, including adding the NetScaler, editing the authentication methods, configuring trusted domains and managing password options.
Open the StoreFront management console and click on Create a new deployment
The Base URL is filled in automatically, click Next
Enter a Store name (anything you like) and click Next
Click Add
Fill in the requested information about the Delivery Controller you want to add and click OK
If you want to add more Delivery Controllers click Add again, otherwise click Next
Now you can add the NetScaler Gateway. This step is optional; if you do not have a NetScaler configured in your environment you can select None. For this blog I will add my NetScaler, so I select Full VPN tunnel and click on Add
Fill in the requested information for the NetScaler. The NetScaler Gateway URL is “HTTPS://<domainname>/Citrix/<storename>Web”. The Subnet IP address is optional and can be left blank. Click Next
Click Add
Enter the STA of your Delivery Controller and click OK
Click Create
Click Create
Click Finish
On the left side click Authentication, on the right side click Add/Remove Methods
Select what is applicable and click OK
Click on Configure Trusted Domains
When configuring a Trusted Domain, the user does not need to enter the domain name at logon. Configure what is applicable and click OK.
Click on Manage Password Options
Select what is applicable and click OK
IIS Default site redirection
In the Citrix StoreFront management console there is no option to set the StoreFront Receiver for Web URL as the server default website, as there was in the old Citrix Web Interface (WI). Without configuring default site redirection, a user always needs to enter the full StoreFront Receiver for Web URL, including the “/Citrix/<storename>Web” part. A good way to configure this is within the Internet Information Services (IIS) Manager.
Open the Internet Information Services (IIS) Manager. On the left side browse to the Default Web Site. On the right side double click HTTP Redirect
Select Redirect requests to this destination and add your StoreFront Receiver for Web Site URL. Select Redirect all requests to exact destination and Only redirect requests to content in this directory. Click Apply in the top right corner.
Now when a user enters the default web site URL, they will be redirected to the StoreFront Receiver for Web URL.
Enable the HTML5 HDX fallback receiver
This cool feature is now fully integrated within StoreFront 2.0; you only have to enable it within the StoreFront management console.
On the left side click on Receiver for Web, on the right side click on Deploy Citrix Receiver
Select Use Receiver for HTML5 if local install fails. This will first check if a local Receiver is available and, if not, the web interface will give the option to download and install it. If the installation fails or the user logs in without installing it, the web interface falls back to the Receiver for HTML5.
Or, select Always use Receiver for HTML5. Now the web interface will always use Receiver for HTML5; it will not check for a locally installed version and it will not give the option to download it at logon.
Click OK
If you connect to the StoreFront web interface through the NetScaler, these steps are enough to let the HTML5 receiver work. But if you connect locally to the StoreFront web interface, you first have to apply the following Citrix Computer Policies to your XenApp and/or XenDesktop servers:
WebSockets Connections – Allowed
WebSockets port number – 8008 (default)
WebSockets trusted origin server list – *
When using Mozilla Firefox, users must set network.websocket.allowInsecureFromHTTPS to True in about:config.
You can now log on to the Citrix StoreFront web interface and start your published applications and desktops.
If the HTML5 Receiver is configured correctly, a Windows 8 published desktop will open in a new browser tab as shown in the picture above, how cool is that? 😉
63 comments
best document for storefront 2.0..thanks a lot robin…
Thanks!
Hi, can we create storefront to access via internet? if yes, please provide the steps.
Chaitanya.
Hi Chaitanya, yes you can do that with the NetScaler Gateway. You can find the steps in this blog: http://www.robinhobo.com/configuring-netscaler-access-gateway-vpx-and-citrix-storefront/
Is it mandatory to use an ssl certificate for storefront, if so that means you need 1 certificate for Netscaler Access gateway and another for storefront?
It is highly recommended to use an SSL certificate for StoreFront but it is optional. For the NetScaler Access Gateway you need an SSL certificate to let it work correctly. So yes, if you want to use an SSL certificate for StoreFront you need 2 certificates.
Thanks for the great Post actually I’m planning to deploy the Store front 2.0 , App controller 2.8 and as Far as i know the integration between the store front and App controller just to integrate the Xen APP and Xen Desktop with App controller what i want to know what is the benefits of this integration this the first thing and the second thing regarding the certificate i just want to confirm the below:
in my topology i need one public IP Address on Netscaler and Signed Certificate from My CA to Store front and App Controller right.
Thanks very Much
thanks,
1, if you use 2 certificates for both access gateway and storefront, which common name will users type in browser to connect to published apps?
2, if storefront ssl certificate is optional, how do you skip that step when configuring it?
Hello Knight,
1) You use one certificate for the NetScaler with the common name you configure (external url like https://access.domain.com or https://citrix.domain.com), any name you like. See for the steps this blog: http://www.robinhobo.com/installing-and-configuring-netscaler-adc-vpx-10-1/
2) You can skip this step by not configuring an SSL certificate on the server where you are going to install StoreFront. See this blog where I don’t use SSL for StoreFront; as you can see, during setup it will automatically use http, not https: http://www.robinhobo.com/installing-and-configuring-citrix-storefront-1-2/
Hi Robin,
Many thanks for your help, I now have my netscaler and storefront setup and working. I owe you a good ole English pint.
Any idea how I can change the receiver logo to my company’s one on the storefront front end?
Hi Robin,
Nice article again, thx! I was testing this for HTML5 access but some steps are missing. You also need to install the HTML5 client pack on the StoreFront server and configure it as described at http://support.citrix.com/article/CTX134948. Maybe adding that to this article makes it completely perfect 🙂
Keep up the good work
Jan
Whoops my mistake .. you do not need to install the HTML5 HDX Engine with Storefront 2.0 anymore so forget my comments
Thanks a lot, champ! Your article is informative and very helpful!
Thanks!
Thanks for this!
I do not have the “Deploy Citrix Receiver” option on the right. What am I missing?
Are you sure you are in the “Receiver for web” configuration page?
Hi Robin,
Great article…just what I need for installing StoreFront.
Quick question though does StoreFront 2.0 have legacy support for the services (If I say like the old web interface web services feature)?
If I remember in your 1.2 article you mentioned that version did wondered if this version did too.
Big thanks
Steve
Yes, StoreFront 2.0 has also legacy support.
Hi Robin great post!! but i´m a little confused.
I have a DC with AD CS and 2 StoreFront servers. I have a host A created
Where creates the certificate? in the DC or in each StoreFront Server?
Hallo Jack, does the A record point to an LB address? You can create the request file everywhere you like as long as you install the certificate on both StoreFront servers.
Yes, i have a NLB Cluster, thanks, I’ll test
Great, now work!!! this is the trick the FQDN of IP NLB, thanks my friend!!!!
I have another issue, in your example use NetScaler Gateway i not, i only set the controllers (XenDesktop) to work on HTTPS:443. But i get “there are no apps or desktops assigned to you at this time” if a change to HTTP:80 work fine, what is the problem?.
I have configured the IIS with certificate HTTPS and HTTP.
Great article. Thank you very much. Pretty much identical for the StoreFront 2.1 setup I am currently involved with
Nice Article Interesting..Thx for sharing..
I am new to XD coming from XenApp 5.0 and have a couple of questions:-
Q/
From what I have read, I can load balance 2 or more StoreFront servers without the need for a Netscaler, Is that correct?
Q/
If I apply for some SSL certs on the StoreFront servers, always use the load balanced FQDN as specified in DNS?
Q/
For the StoreFront Servers I have in mind, I will be installing the Deliver Controller component at the same time. To keep things simple, can I then point these 2 SF servers to the SQL box (Express preferred to keep the licence cost down).
By the way, great tech article!
Hello Chris,
You can load balance 2 StoreFront servers without NetScaler, you can configure it for example with NLB. Make sure that both StoreFront servers are members of the same StoreFront server group. For the SSL certificate always use the LB DNS name, otherwise it will not work. Install the SSL certificate on both StoreFront servers before starting the StoreFront configuration. StoreFront 2.0/2.1 don’t use a SQL database anymore.
Regards,
Robin
Hi Robin,
Please confirm that I do not need to set up an SSL cert on the windows NLB server, just the Storefront servers, using the NLB fqdn.
You need to install the SSL certificate on all the StoreFront servers that are part of the NLB, not the NLB server itself.
Have you found any issues with certificates on Storefront?
In the last couple of days I have faced a problem where something in the process of creating, completing and exporting the certificate that in the end will be used on the storefront server causes storefront to not work.
If you browse to storefront using fqdn it never takes you to a logon page, but rather it returns a message that it cannot complete the request.
Could it be that if the CSR is not generated on the storefront server, but on another server using IIS, that this would cause a problem?
I guess what I want to confirm, what is the best way to generate the CSR for a URL?
It does not matter where you create the CSR. To be sure, did you type /Citrix/ behind the fqdn url?
Hi Robin,
Thank you very much for sharing your knowledge on how to configure the various different Citrix components.
Do you happen to know of how to figure out the powershell scripts that get run behind the GUI when the Storefront is configured?
I would like to automate the install and configure as much as possible for lab use because I now use evaluation versions of Windows OS it just expires.
Great article
Hi
Great article. I am trying storefront in test lab without certificate. Followed everything you said above but when I try to browse the store from internet explorer it comes with http 404 not found. Let me know how to troubleshoot pls
Thanks in advance
Did you type the full url, including /Citrix/ ?
many thanks Robin for sharing this great article !
First great article, 2 questions should you have 2 SF sites ie 1 for Internal and 1 for External also will redirection without SSL certs work from NS Gateway to Storefront
Thanks, you can use 1 site for both internal and external connections. Traffic from the NetScaler to the StoreFront can be HTTP but Citrix recommends to use HTTPS for internal traffic as well.
Hi,
Excellent article. I have gone through the steps and it works great..Can you guide implement Netscaler with MDM and App Controller
Hi,
In the section where you “Add Site Binding” to port 443, Do you not need to enter in the Hostname as well?
Thanks
Shaun
Hi Shaun, not if this is the only site on that server.
I have found this article and the one you wrote about configuring the NetScaler Access Gateway to be very useful to me in setting up my new XenApp deployment but I’m having some issues and have a couple questions that I’m hoping you can answer for me. I have a single XenApp server and I do not use a DMZ in my network. I have a Storefront server and a NetScaler VPX (the free one) set up.
1. Both of your articles that I mentioned above mention configuring and installing SSL certs. Do I need to purchase two separate certificates? (one for SF and one for NS) or can I get by with just a single one on the NS?
2. To get all of the autodiscover to work great for my users when they use the Receiver client (internally and externally), I should have all DNS pointing to the NS, right?
Thanks again for writing these articles. They’ve been very helpful.
Hello Chris, only for the NS you need to purchase an SSL certificate, for the internal StoreFront you can use an SSL certificate created by your own CA as long as you install the Root CA on all your clients.
Great article especially for a newbie like me.
If using internal generated SSL for storefront servers, is there anything I need to configure on Netscaler to recognize internal CA or does it matter?
Upload the Root certificate of your internal CA to the NetScaler to let it work.
Thanks a lot
Thanks Sir.
You're welcome!
[…] After I logged on to the SF01 I did an initial configuration of StoreFront, as you can see I’m using HTTP here but HTTPS can be used too and is recommended by Citrix (but not used for this blogpost). Robin Hobo did an excellent blogpost on how to configure StoreFront with SSL over here: Installing and Configuring StoreFront 2.0. […]
Many thanks for sharing great article
hello,
This is an excellent document that you produced, I would like to know if you have a tutorial for mobile access to XenDesktop and xenapp via vpn without NetScaler
thanks
No, not at this moment.
I have installed the storefront and when I try to add the storefront to the Citrix Studio MMC I get the following error.
Exception:
Citrix.Console.Models.Exceptions.ObjectNotFoundException Cannot find path ‘GPO_SfStorefrontAddress_User:\User\Unfiltered\Settings\Receiver\StorefrontAccountsList’ because it does not exist
Ok I got it. I was trying to add the store from a remote console!
Great article, thanks…I have a working StoreFront 2.5 which I successfully can approach from Chromebox in case no proxy server is filled in, the moment I fill the proxy server in order to allow clients use the internet directly I can log on the StoreFront, I see the apps but I can not start them; any thoughts on this issue will be appreciated
Hi Marius, what error do you get?
Great Article,Thank you
Just one to point out
All of your articles are really good.
Thank you for making a difference for all of us in the industry.
Thanks Lawson!
Thanks Robin! I’m glad to know there are people sharing knowledge.. Cheers from Brasil!
Thanks for great article.
Awesome article Robin. Quick question if I purchased a certificate from Go-Daddy, how would that apply in this article of yours? Do I still go ahead and create a server certificate or should I use the one from Go-Daddy for both the server and Netscaler?
For internal use you can use your own certificate authority, if you need access externally, you need to have a public trusted SSL certificate for on your NetScaler.
Many Thanks Robin …awesome article ..its really helpful.