User access options
Three different methods are available for users to access StoreFront stores.
- Locally installed Citrix Workspace app - Users with compatible versions of Citrix Workspace app can access StoreFront stores within the Citrix Workspace app user interface. This provides the best user experience and the greatest functionality.
- Web browser - Users with compatible web browsers can access StoreFront stores by browsing to the store’s website. By default, users also require a compatible version of Citrix Workspace app to access their desktops and applications, known as hybrid launch. However, you can configure your website to enable users to access their resources through their browser without installing Citrix Workspace app.
- XenApp Services URLs - Users who have legacy Citrix clients that cannot be upgraded, can access stores using the XenApp Services URL for the store. When you create a new store, the XenApp Services URL is enabled by default.
Locally installed Citrix Workspace app
Accessing stores from the locally installed Citrix Workspace app provides the best and most secure user experience. For the Citrix Workspace app versions that can be used to access stores in this way, see System Requirements.
Citrix Workspace app uses internal and external URLs as beacon points. By attempting to contact these beacon points, Citrix Workspace app can determine whether users are connected to local or public networks. When a user accesses a desktop or application, the location information is passed to the server providing the resource so that appropriate connection details can be returned to Citrix Workspace app. This enables Citrix Workspace app to ensure that users are not prompted to log on again when they access a desktop or application. For more information, see Configure beacon points.
Add Store to Workspace App
After installation, Citrix Workspace app must be configured with connection details for the stores providing users’ desktops and applications. You can make the configuration process easier for your users by providing them with the required information in one of the following ways.
Important:
By default, Citrix Workspace app requires HTTPS connections to stores. If StoreFront is not configured for HTTPS, users must carry out additional configuration steps to use HTTP connections. Citrix strongly recommends that you do not enable unsecured user connections to StoreFront in a production environment. For more information, see Store configuration parameters in the Citrix Workspace app for Windows documentation.
Manual configuration
Users can connect Citrix Workspace app to their store by entering the store URLs into Citrix Workspace app. For more information, see the Citrix Workspace app documentation.
Provisioning files
You can provide users with provisioning files containing connection details for their stores. After installing Citrix Workspace app, users open the .cr file to automatically configure accounts for the stores. By default, the website offers users a provisioning file for the single store for which the site is configured. You could instruct your users to visit the websites for the stores they want to access and download provisioning files from those sites. Alternatively, for a greater level of control, you can use the Citrix StoreFront management console to generate provisioning files containing connection details for one or more stores. You can then distribute these files to the appropriate users. For more information, see Export store provisioning files for users.
Auto-generated setup URLs
For users running macOS, you can use the Citrix Workspace app for Mac Setup URL Generator to create a URL containing connection details for a store. After installing Citrix Workspace app, users click on the URL to configure an account for the store automatically. Enter details of your deployment into the tool and generate a URL that you can distribute to your users.
Email-based account discovery
With email-based account discovery, instead of needing to know the access details for their stores, users enter their email addresses during the Citrix Workspace app initial configuration process. For details of how to set this up see Email based account discovery.
Global App Config Service
Use the Global App Config Service to configure Citrix Workspace app for your StoreFront stores. See Configure settings for on-premises stores.
Web browser
As an alternative to using a locally installed Workspace app, users can access their store through a web browser. When users come to launch their resources there are two possibilities.
-
Resources launch within locally installed Citrix Workspace app. This is known as a hybrid launch. This gives users the best experience as it can take advantage of full operating system integration. For more details see Hybrid launch
-
Resources launch within the browser. This makes it possible for users to access resources without needing to install any software locally.
The default configuration is to require that Citrix Workspace app is installed locally for a hybrid launch. You can change the configuration to either always launch resources in the browser or to give the user the choice. See Deploy Workspace app.
If the admin selected Use Receiver for HTML5 if local Receiver is unavailable then when the user first opens the store website in their browser, the user has the option to click Use Light Version to launch resources within their web browser.
Requirements for opening resources in your browser
For users on the internal network, access through a web browser to resources provided by Citrix Virtual Apps and Desktops is disabled by default. To enable local access to desktops and applications using a web browser, enable the ICA WebSockets connections policy on your Citrix Virtual Apps and Desktops servers. Citrix Virtual Apps and Desktops uses port 8008 for Citrix Workspace app for HTML5 connections. Ensure your firewalls and other network devices permit access to this port. For more information, see WebSockets policy settings.
For Citrix Virtual Apps and Desktops resource launches to succeed, configure the TLS connections to the VDAs that host apps and desktops. Remote connections through a Citrix Gateway can launch resources using Citrix Workspace app for HTML5 without configuring TLS connections to the VDA.
Hybrid Launch
When users first open a store in their web browser but launch apps within the locally installed Citrix Workspace app, this is known as hybrid launch. There are a number of ways in which the web site can communicate with the locally installed Workspace app to launch resources.
Citrix Workspace web extensions
For the best user experience, deploy Citrix Workspace web extensions. These are extensions for commonly used web browsers that improve the user experience for detecting the locally installed Citrix Workspace app and launching virtual apps and desktops. Compared to Citrix Workspace launcher, this provides a better user experience and avoids issues with global server load balancers.
To enable the browser extension-based client detection:
- Enable the feature on the StoreFront server.
- Deploy the browser extension on the client devices.
- Deploy Citrix Workspace app for Windows 2303, Mac 2304 or Linux 2302 or higher.
The first time a user goes to a store website on a supported platform, it prompts the user to detect the locally installed Workspace app. It first tries to use the web extension and if this fails then it tries Citrix Workspace Launcher. Existing users who have already completed Workspace app detection can go to Account Settings, click Change Citrix Workspace app to re-detect workspace app.
Important
This feature is enabled by default for new installations. However, if you are upgrading from a previous version, you need to enable this feature manually. Administrators can enable this feature using the following PowerShell script on a StoreFront server:
Add-STFFeatureState -Name "Citrix.StoreFront.EnableBrowserExtension" -IsEnabled $True
Citrix Workspace launcher
When the user first goes to a StoreFront web site with a supported operating system and browser and Citrix Workspace web extensions are not installed, it attempts to invoke the Citrix Workspace Launcher. The browser might prompt the user for confirmation, for example:
If a supported version of Citrix Workspace app is installed then the app notifies StoreFront. The browser remembers this and when it launches an app it uses Citrix Workspace Launcher.
The store web site invokes Citrix Workspace Launcher on Windows, Mac and Linux with when using the following browsers:
- Firefox 52 or higher
- Chrome 42 or higher
- Safari 12 or higher
- Edge 25 or higher
Citrix Workspace Launcher requires the following minimum versions of Citrix Receiver or Citrix Workspace app.
- Receiver for Windows 4.3 or higher
- Receiver for Mac 12.0 or higher
- Workspace app for Linux 2003 or higher
If the Workspace app launcher is not available, or the user does not allow it to open, then it will not be able to detect the locally installed Citrix Workspace app. The user has the option to try again, or to click Already Installed, in which case it falls back to launching apps using ICA file downloads. The user can later try again by going to the Settings screen and clicking Change Citrix Workspace app.
If you are using multiple active StoreFront server groups behind a global server load balancer then Citrix Workspace launcher may fail intermittently. To avoid this you must configure your global server load balancer to force the user web session to be persistent to one StoreFront server group for the lifetime of the client detection process, see CTX460312. Alternatively deploy Citrix Workspace web extensions.
When connecting to the website via a Citrix Gateway The Citrix Workspace launcher uses the gateway’s HDX routing to proxy requests from Citrix Workspace app back to the StoreFront server. If the gateway is configured for Authentication only (not HDX routing) then Citrix Workspace Launcher does not work. Either enable HDX routing or deploy Citrix Workspace web extensions.
Internet Explorer
The first time the user opens the store web site in Internet Explorer, it prompts the user to install Citrix Workspace app which includes the Citrix ICA Client Add-on for Internet Explorer. Once the plugin is installed, this is used to launch apps and desktops through the locally installed Citrix Workspace app.
ICA file downloads
If the website is unable to detect a locally installed Citrix Workspace app by any other means, or the user clicks Already installed, then when a user launches an app or desktop then it downloads a .ica file. The user can open this file with the locally installed Citrix Workspace app. As storing ICA files on disk is a security risk, this option can be disabled, for more information see Deploy Citrix Workspace app.
Resource shortcuts
You can generate URLs that provide access to desktops and applications available in your store. Embed these links on websites hosted on the internal network to provide users with rapid access to resources. Users click on a link and are redirected to the store website, where they log on if they have not already done so. The store website automatically starts the resource. For more information about generating resource shortcuts, see Website shortcuts.
When you create an application shortcut, ensure that no other applications available from the store have the same name. Shortcuts cannot distinguish between multiple instances of an application with the same name. Similarly, if you make multiple instances of a desktop from a single desktop group available from the store, you cannot create separate shortcuts for each instance. Shortcuts cannot pass command-line parameters to applications.
To create application shortcuts, you configure StoreFront with the URLs of the internal websites that will host the shortcuts. When a user clicks on an application shortcut on a website, StoreFront checks that website against the list of URLs you entered to ensure that the request originates from a trusted website.
Customize the user interface
Citrix StoreFront provides a mechanism for customizing the user interface. These apply whether accessing a store through Citrix Workspace app or a web browser. You can customize strings, the cascading style sheet, and the JavaScript files. You can also add a custom pre-logon or post-logon screen, and add language packs. For more information see Customize Appearance.
XenApp Services URLs
Note:
XenApp Services (also known as PNAgent) is deprecated. It is recommended that you use Citrix Workspace app to connect to StoreFront using a Store URL.
Users with older Citrix clients that cannot be upgraded can access stores by configuring their clients with the XenApp Services URL for a store. You can also enable access to your stores through XenApp Services URLs from domain-joined desktop appliances and repurposed PCs running the Citrix Desktop Lock. Domain-joined in this context means devices that are joined to a domain within the Microsoft Active Directory forest containing the StoreFront servers.
StoreFront supports pass-through authentication with proximity cards through Citrix Workspace app to XenApp Services URLs. Citrix Ready partner products use the Citrix Fast Connect API to streamline user logons through Citrix Receiver for Windows or Citrix Workspace app for Windows to connect to stores using the XenApp Services URL. Users authenticate to workstations using proximity cards and are rapidly connected to desktops and applications provided by Citrix Virtual Apps and Desktops. For more information, see the most recent Citrix Workspace for Windows documentation.
When you create a new store, the XenApp Services URL for the store is enabled by default. The XenApp Services URL for a store has the form http[s]://serveraddress/Citrix/storename/PNAgent/config.xml
, where serveraddress
is the fully qualified domain name of the server or load balancing environment for your StoreFront deployment and storename
is the name specified for the store when it was created. This allows Citrix Workspace apps that can only use the PNAgent protocol to connect to Storefront. For the clients that can be used to access stores through XenApp Services URLs, see User device requirements.
Important considerations
XenApp Services URLs are intended to support users who cannot upgrade to Citrix Workspace app and for scenarios where alternative access methods are not available. When you decide whether to use XenApp Services URLs to provide users with access to your stores, consider the following restrictions.
- You cannot modify the XenApp Services URL for a store.
- You cannot modify XenApp Services URL settings by editing the configuration file, config.xml.
- XenApp Services URLs support explicit, domain pass-through, smart card authentication, and pass-through with smart card authentication. Explicit authentication is enabled by default. Only one authentication method can be configured for each XenApp Services URL and only one URL is available per store. If you need to enable multiple authentication methods, you must create separate stores, each with a XenApp Services URL, for each authentication method. Your users must then connect to the appropriate store for their method of authentication. For more information, see XML-based authentication.
- Workspace control is enabled by default for XenApp Services URLs and cannot be configured or disabled.
- User requests to change their passwords are routed to the domain controller directly through the Citrix Virtual Apps and Desktops servers providing desktops and applications for the store, bypassing the StoreFront authentication service.