With the release of Storefront 3.1, Citrix made alot of options which were earlier only available in PowerShell or a configfile available in the GUI, which makes alot more sense since WebInterface has always had alot of options available in the GUI. Now I was a bit dazzled with the numerous options that are available, so what do they all mean?? Hence this post which is used to explain what the different options do, and even what error messages that bit appear because of them.
First of let’s explore the store options in Storefront.
User Subscription (This defines if users are allowed to Subscribe to applications or if applications are being mandatory)
For instance Self-service store (GUI Changes to this)
Mandatory Store (GUI Changes to this)
Kerberos Delegation (Allows ut to use Kerberos Constrained Delegation from StoreFront to Controllers) http://docs.citrix.com/en-us/storefront/3-1/configure-authentication-and-delegation/sf-configure-kcd.html
Optimal HDX Routing (Defines if ICA traffic should be routed to Netscaler Gateway even if users are going directly to the StoreFront) We can define a Gateway and attach it to a Farm/Controller, so if we have multiple controllers on different geographic regions we can specify multiple gateways and attach it to the correct delivery controller.
We can also define Direct Access (Which we can enable for each Optimal Gateway) which defines if users which are trying to authenticate internally direct against storefront will also have traffic redirected to the Gateway.
We can also define Optimal Gateway and attach it with Stores which are part of😄 7.7
Citrix Online Integration (Defines if GoTo applications should appear in the Store)
Advertise Store (Defines if the Store should be available to select from Citrix Receiver client, if we choose to hide the Store the only way to access the store is to setup manually, or using provisioning file)
Advanced Settings (Address Resolution Type: Defines which type of address the XML service will respond to Storefront with, by default it is DNS based return, or we can change this to IPv4)
Allow font smoothing: Defines if font smoothing should be enabled in the ICA session
Allow Session Reconnect: Also known as Workspace control, which defines if users can reconnect to existing sessions without restart applications
Allow special folder redirection: Defines if \Document & \Desktops on the local computer should be used in the redirected session. By default the servers profile \Documents \Desktop folder are used
Time-out: Define how long time it should go before the connection times out.
Enable Desktop Viewer: Defines if the Desktop Viewer should be visible in the connection
Enable Enhanced Enumeration: If we have a Storefront configured with mulitple stores, Storefront will contact these Stores in sequencial so if there are alot of resouces this might take some time. With Enhanced Enumeration, Storefront will contact these Stores in Parralell
Maximum Concurrent enumerations: How many concurrent enumeration connections to the Store resources, by default this is 0 which means unlimited
Override ICA client name: Overrides the default ICA client name
Require token consistency: Validates authenticaiton attempts on the Netscaler Gateway and on the Storefront Server, this must be enabled if we want to use Smart Access. This is typically disabled if we want to disable authentication on the Netscaler and do authentication directly to the Storefront server http://support.citrix.com/article/CTX200066
Server Communication attempts: How many times Storefront should try to communicate with a Controller before it marks it at down (default: 1)
Next we also have web site receiver configuration in Storefront
Receiver Experience (If we should use the regular Green bubble theme or using the unified experience) Disabling classic experience will also give other options such as configuring apperance as well.
Authentication methods (Defines what kind of authentications we can use against Storefront)
If you wish to add Storefront to another web portal using for instance as an iFrame(will be shown as this)
you need to enter the URL which is allowed to connect to Storefront as an iFrame in the WebSite Shourtcuts.
Deploy Citrix Receiver (what kind of Receiver should Storefront offer to the authenticated user)
And if we choose install locally we have a number of options
Session settings (How long a session is active before it times out against Storefront)
Workspace Control (What should do if a clients is inactive/logs out) Here we can define so that if a user moves from one device to another the user should reconnect to their existing session)
Client interface settings (Here we can define certion options such as, if a desktop should be auto launched, if Desktop viewer should be enabled, if users are allowed to download Receiver configuraiton from within Receiver for web, and also what kind of panes should be default and shown within Receiver for web)
Enable Fiddler Tracing: Enables use of fiddler between Receiver for web and other storefront services. Loopback must also be disable.
Enable Folder view: If folders should be used in Receiver for web
Enable loopback communication: Storefront uses 127.0.0.1 adapter for communication between Receiver for web and other storefront services
Enable protcol handler: Enables use of client detection in Google Chrome
Enable strict transport security: Enables the use of HSTS
ICA file cache expiry: The amount of seconds before an ICA file should be stored in memory
Icon resolution: Default pixel size of an application
Loopback port when using HTTP: Which port should be used for communicaiton with loopback adapter for other storefront services
Prompt for untrusted shortcuts: Prompt the user for permissions to launch apps shortcuts from sites that have not been directly setup as trusted.
Strict transport security policy duration: Time policy for HSTS
No last but not least there are some new interesting features on the authentication site, first of there is the password expiration option under Password Options
When a user logs inn it will look like this.
Another new option is the Password validation feature, in a regular scenario we might now have storefront in the same domain as Xenapp or XenDesktop services, and we might not always be able to setup Active directory trusts, instead we need to setup XML service-based authentication, which will allow Storefront to communicate with XML instead of Active Directory and leave the autheticaiton process to the DDCs. Which is typically the case if we have multi-tenant enviroments.
Another option that we have is when defining Gateways in Storefront, we can now define if Gateways should have the role of HDX routing only, Authenticaiton only or both. If we choose HDX routing only, we cannot use this gateway for remote access for the store.
As we see here (It does not show) The reason for that is that if we want a regular ICA proxy setup to work with Receiver for web and regular receiver we need to configure auth at the Gateway, which means that we need to define auth at the Gateway to be able to use it for remote access against the store.
The latest COOL features which is now part of the GUI Storefront is the ability to do User farm mapping. Which in essence Is used to assign a group of users to a selection of Sites/farms. So if we have multiple farms we can define a certain group of users which should be mapped to that farm. This is done on the controller settings
Then choose map users to controllers
Define AD group
Then define which controllers it should contact to display resources.
And voila! alot of cool new features in the TP which I makes it to GA soon!
There are some bugs in the GUI but I think we have a fully WI replacement!