User access options
Four different methods are available for users to access StoreFront stores.
- Citrix Receiver - Users with compatible versions of Citrix Receiver can access StoreFront stores within the Citrix Receiver user interface. Accessing stores within Citrix Receiver provides the best user experience and the greatest functionality.
- Citrix Receiver for Web sites - Users with compatible web browsers can access StoreFront stores by browsing to Citrix Receiver for Web sites. By default, users also require a compatible version of Citrix Receiver to access their desktops and applications. However, you can configure your Citrix Receiver for Web sites to enable users with HTML5-compatible browsers to access their resources without installing Citrix Receiver. When you create a new store, a Citrix Receiver for Web site is created for the store by default.
- Desktop Appliance sites - Users with non-domain-joined desktop appliances can access their desktops through the web browsers on their appliances, which are configured to access Desktop Appliance sites in full-screen mode. When you create a new store for a XenDesktop deployment using Citrix Studio, a Desktop Appliance site is created for the store by default.
- XenApp Services URLs - Users of domain-joined desktop appliances and repurposed PCs running the Citrix Desktop Lock, along with users who have older Citrix clients that cannot be upgraded, can access stores using the XenApp Services URL for the store. When you create a new store, the XenApp Services URL is enabled by default.
The figure shows the options for users to access StoreFront stores:
Citrix Receiver
Accessing stores from within the Citrix Receiver user interface provides the best user experience and the greatest functionality. For the Citrix Receiver versions that can be used to access stores in this way, see System Requirements.
Citrix Receiver uses internal and external URLs as beacon points. By attempting to contact these beacon points, Citrix Receiver can determine whether users are connected to local or public networks. When a user accesses a desktop or application, the location information is passed to the server providing the resource so that appropriate connection details can be returned to Citrix Receiver. This enables Citrix Receiver to ensure that users are not prompted to log on again when they access a desktop or application. For more information, see Configure beacon points.
After installation, Citrix Receiver must be configured with connection details for the stores providing users’ desktops and applications. You can make the configuration process easier for your users by providing them with the required information in one of the following ways.
Important: By default, Citrix Receiver requires HTTPS connections to stores. If StoreFront is not configured for HTTPS, users must carry out additional configuration steps to use HTTP connections. Citrix strongly recommends that you do not enable unsecured user connections to StoreFront in a production environment. For more information, see Configure and install Citrix Receiver for Windows using command-line parameters in the Citrix Receiver for Windows documentation.
Provisioning files
You can provide users with provisioning files containing connection details for their stores. After installing Citrix Receiver, users open the .cr file to automatically configure accounts for the stores. By default, Citrix Receiver for Web sites offer users a provisioning file for the single store for which the site is configured. You could instruct your users to visit the Receiver for Web sites for the stores they want to access and download provisioning files from those sites. Alternatively, for a greater level of control, you can use the Citrix StoreFront management console to generate provisioning files containing connection details for one or more stores. You can then distribute these files to the appropriate users. For more information, see Export store provisioning files for users.
Auto-generated setup URLs
For users running Mac OS, you can use the Citrix Receiver for Mac Setup URL Generator to create a URL containing connection details for a store. After installing Citrix Receiver, users click on the URL to configure an account for the store automatically. Enter details of your deployment into the tool and generate a URL that you can distribute to your users.
Manual configuration
More advanced users can create new accounts by entering store URLs into Citrix Receiver. Remote users accessing StoreFront through NetScaler Gateway 10.1 and Access Gateway 10 enter the appliance URL. Citrix Receiver obtains the required account configuration information when the connection is first established. For connections through Access Gateway 9.3, users cannot set up accounts manually and must use one of the alternative methods above. For more information, see the Citrix Receiver documentation.
Email-based account discovery
Users who install Citrix Receiver on a device for the first time can set up accounts by entering their email addresses, provided that they download Citrix Receiver from the Citrix website or a Citrix Receiver download page hosted within your internal network. You configure Service Location (SRV) locator resource records for NetScaler Gateway or StoreFront on your Microsoft Active Directory Domain Name System (DNS) server. Users do not need to know the access details for their stores, instead they enter their email addresses during the Citrix Receiver initial configuration process. Citrix Receiver contacts the DNS server for the domain specified in the email address and obtains the details you added to the SRV resource record. Users are then presented with a list of stores that they can access through Citrix Receiver.
Configure email-based account discovery
Configure email-based account discovery to enable users who install Citrix Receiver on a device for the first time to set up their accounts by entering their email addresses. Provided that they download Citrix Receiver from the Citrix website or a Citrix Receiver download page hosted within your internal network, users do not need to know the access details for their stores when they install and configure Citrix Receiver. Email-based account discovery is available if Citrix Receiver is downloaded from any other location, such as a Receiver for Website. Note that ReceiverWeb.exe or ReceiverWeb.dmg downloaded from Citrix Receiver for Web does not prompt users to configure a store. Users can still use Add Account and enter their email address
During the initial configuration process, Citrix Receiver prompts users to enter either an email address or a store URL. When a user enters an email address, Citrix Receiver contacts the Microsoft Active Directory Domain Name System (DNS) server for the domain specified in the email address to obtain a list of available stores from which the user can select.
To enable Citrix Receiver to locate available stores on the basis of users’ email addresses, you configure Service Location (SRV) locator resource records for NetScaler Gateway or StoreFront on your DNS server. As a fallback, you can also deploy StoreFront on a server named “discoverReceiver.domain,” where domain is the domain containing your users’ email accounts. If no SRV record is found in the specified domain, Citrix Receiver searches for a machine named “discoverReceiver” to identify a StoreFront server.
You must install a valid server certificate on the NetScaler Gateway appliance or StoreFront server to enable email-based account discovery. The full chain to the root certificate must also be valid. For the best user experience, install a certificate with a Subject or Subject Alternative Name entry of discoverReceiver.domain,where domain is the domain containing your users’ email accounts. Although you can use a wildcard certificate for the domain containing your users’ email accounts, you must first ensure that the deployment of such certificates is permitted by your corporate security policy. Other certificates for the domain containing your users’ email accounts can also be used, but users will see a certificate warning dialog box when Citrix Receiver first connects to the StoreFront server. Email-based account discovery cannot be used with any other certificate identities.
To enable email-based account discovery for users connecting from outside the corporate network, you must also configure NetScaler Gateway with the StoreFront connection details. For more information, see Connecting to StoreFront by Using Email-Based Discovery.
Add an SRV record to your DNS server
-
On the Windows Start screen, click Administrative Tools and, in the Administrative Tools folder, click DNS.
-
In the left pane of DNS Manager, select your domain in the forward or reverse lookup zones. Right-click the domain and select Other New Records.
-
In the Resource Record Type dialog box, select Service Location (SRV) and then click Create Record.
-
In the New Resource Record dialog box, enter in the Service box the host value _citrixreceiver.
-
Enter in the Protocol box the value _tcp.
-
In the Host offering this service box, specify the fully qualified domain name (FQDN) and port for your NetScaler Gateway appliance (to support both local and remote users) or StoreFront server (to support local users only) in the form* servername.domain:port*.
If your environment includes both internal and external DNS servers, you can add a SRV record specifying the StoreFront server FQDN on your internal DNS server and another record on your external server specifying the NetScaler Gateway FQDN. With this configuration, local users are provided with the StoreFront details, while remote users receive NetScaler Gateway connection information.
-
If you configured an SRV record for your NetScaler Gateway appliance, add the StoreFront connection details to NetScaler Gateway in a session profile or global setting.
Citrix Receiver for Web sites
Users with compatible web browsers can access StoreFront stores by browsing to Citrix Receiver for Web sites. When you create a new store, a Citrix Receiver for Web site is automatically created for the store. The default configuration for Citrix Receiver for Web sites requires that users install a compatible version of Citrix Receiver to access their desktops and applications. For more information about the Citrix Receiver and web browser combinations that can be used to access Citrix Receiver for Web sites, see User device requirements.
By default, when a user accesses a Citrix Receiver for Web site from a computer running Windows or Mac OS X, the site attempts to determine whether Citrix Receiver is installed on the user’s device. If Citrix Receiver cannot be detected, the user is prompted to download and install the appropriate Citrix Receiver for their platform. The default download location is the Citrix website, but you can also copy the installation files to the StoreFront server and provide users with these local files instead. Storing the Citrix Receiver installation files locally enables you to configure the site to offer users with older clients the option to upgrade to the version on the server. For more information about configuring deployment of Citrix Receiver for Windows and Citrix Receiver for Mac, see Configure Citrix Receiver for Web sites.
Citrix Receiver for HTML5
Citrix Receiver for HTML5 is a component of StoreFront that is integrated by default with Citrix Receiver for Web sites. You can enable Citrix Receiver for HTML5 on your Citrix Receiver for Web sites so that users who cannot install Citrix Receiver can still access their resources. With Citrix Receiver for HTML5, users can access desktops and applications directly within HTML5-compatible web browsers without needing to install Citrix Receiver. When a site is created, Citrix Receiver for HTML5 is disabled by default. For more information about enabling Citrix Receiver for HTML5, see citrix-receiver-download-page-template.html.
To access their desktops and applications using Citrix Receiver for HTML5, users must access the Citrix Receiver for Web site with an HTML5-compatible browser. For more information about the operating systems and web browsers that can be used with Citrix Receiver for HTML5, see User device requirements.
Citrix Receiver for HTML5 can be used by both users on the internal network and remote users connecting through NetScaler Gateway. For connections from the internal network, Citrix Receiver for HTML5 only supports access to desktops and applications provided by a subset of the products supported by Citrix Receiver for Web sites. Users connecting through NetScaler Gateway can access resources provided by a wider range of products if you chose Citrix Receiver for HTML5 as an option when configuring StoreFront. Specific versions of NetScaler Gateway are required for use with Citrix Receiver for HTML5. For more information, see Infrastructure requirements.
For local users on the internal network, access through Citrix Receiver for HTML5 to resources provided by XenDesktop and XenApp is disabled by default. To enable local access to desktops and applications using Citrix Receiver for HTML5, you must enable the ICA WebSockets connections policy on your XenDesktop and XenApp servers. Ensure your firewalls and other network devices permit access to the Citrix Receiver for HTML5 port specified in the policy. For more information, see WebSockets policy settings.
By default, Citrix Receiver for HTML5 starts desktops and applications in a new browser tab. However, when users start resources from shortcuts using Citrix Receiver for HTML5, the desktop or application replaces the Citrix Receiver for Web site in the existing browser tab rather than appearing in a new tab. You can configure Citrix Receiver for HTML5 so that resources are always started in the same tab as the Receiver for Web site. For more information, see Configure Citrix Receiver for HTML5 use of browser tabs.
Resource shortcuts
You can generate URLs that provide access to desktops and applications available through Citrix Receiver for Web sites. Embed these links on websites hosted on the internal network to provide users with rapid access to resources. Users click on a link and are redirected to the Receiver for Web site, where they log on if they have not already done so. The Citrix Receiver for Web site automatically starts the resource. In the case of applications, users are also subscribed to the application if they have not subscribed previously. For more information about generating resource shortcuts, see Configure Citrix Receiver for Web sites.
As with all desktops and applications accessed from Citrix Receiver for Web sites, users must either have installed Citrix Receiver or be able to use Citrix Receiver for HTML5 to access resources through shortcuts. The method used by a Citrix Receiver for Web site depends on the site configuration, on whether Citrix Receiver can be detected on users’ devices, and on whether an HTML5-compatible browser is used. For security reasons, Internet Explorer users may be prompted to confirm that they want to start resources accessed through shortcuts. Instruct your users to add the Receiver for Web site to the Local intranet or Trusted sites zones in Internet Explorer to avoid this extra step. By default, both workspace control and automatic desktop starts are disabled when users access Citrix Receiver for Web sites through shortcuts.
When you create an application shortcut, ensure that no other applications available from the Citrix Receiver for Web site have the same name. Shortcuts cannot distinguish between multiple instances of an application with the same name. Similarly, if you make multiple instances of a desktop from a single desktop group available from the Citrix Receiver for Web site, you cannot create separate shortcuts for each instance. Shortcuts cannot pass command-line parameters to applications.
To create application shortcuts, you configure StoreFront with the URLs of the internal websites that will host the shortcuts. When a user clicks on an application shortcut on a website, StoreFront checks that website against the list of URLs you entered to ensure that the request originates from a trusted website. However, for users connecting through NetScaler Gateway, websites hosting shortcuts are not validated because the URLs are not passed to StoreFront. To ensure that remote users can only access application shortcuts on trusted internal websites, configure NetScaler Gateway to restrict user access to only those specific sites. For more information, see http://support.citrix.com/article/CTX123610.
Customize your sites
Citrix Receiver for Web sites provide a mechanism for customizing the user interface. You can customize strings, the cascading style sheet, and the JavaScript files. You can also add a custom pre-logon or post-logon screen, and add language packs.
Important considerations
Users accessing stores through a Citrix Receiver for Web site benefit from many of the features available with store access within Citrix Receiver, such as application synchronization. When you decide whether to use Citrix Receiver for Web sites to provide users with to access your stores, consider the following restrictions.
- Only a single store can be accessed through each Citrix Receiver for Web site.
- Citrix Receiver for Web sites cannot initiate Secure Sockets Layer (SSL) virtual private network (VPN) connections. Users logging on through NetScaler Gateway without a VPN connection cannot access web applications for which App Controller requires that such a connection is used.
- Subscribed applications are not available on the Windows Start screen when accessing a store through a Citrix Receiver for Web site.
- File type association between local documents and hosted applications accessed through Citrix Receiver for Web sites is not available.
- Offline applications cannot be accessed through Citrix Receiver for Web sites.
- Citrix Receiver for Web sites do not support Citrix Online products integrated into stores. Citrix Online products must be delivered with App Controller or made available as hosted applications to enable access through Citrix Receiver for Web sites.
- Citrix Receiver for HTML5 can be used over HTTPS connections if the VDA is XenApp 7.6 or XenDesktop 7.6 and has SSL enabled or if the user is connecting using NetScaler Gateway.
- To use Citrix Receiver for HTML5 with Mozilla Firefox over HTTPS connections, users must type about:config in the Firefox address bar and set the network.websocket.allowInsecureFromHTTPS preference to true.
Desktop Appliance sites
Users with non-domain-joined desktop appliances can access their desktops through Desktop Appliance sites. Non-domain-joined in this context means devices that are not joined to a domain within the Microsoft Active Directory forest containing the StoreFront servers.
When you create a new store for a XenDesktop deployment using Citrix Studio, a Desktop Appliance site is created for the store by default. Desktop Appliance sites are only created by default when StoreFront is installed and configured as part of a XenDesktop installation. You can create Desktop Appliance sites manually using Windows PowerShell commands. For more information, see Configure Desktop Appliance sites.
Desktop Appliance sites provide a user experience that is similar to logging on to a local desktop. The web browsers on desktop appliances are configured to start in full-screen mode displaying the logon screen for a Desktop Appliance site. When a user logs on to a site, by default, the first desktop (in alphabetical order) available to the user in the store for which the site is configured starts automatically. If you provide users with access to multiple desktops in a store, you can configure the Desktop Appliance site to display the available desktops so users can choose which one to access. For more information, see Configure Desktop Appliance sites.
When a user’s desktop starts, it is displayed in full-screen mode, obscuring the web browser. The user is automatically logged out from the Desktop Appliance site. When the user logs off from the desktop, the web browser, displaying the Desktop Appliance site logon screen, is visible again. A message is displayed when a desktop is started, providing a link for the user to click to restart the desktop if it cannot be accessed. To enable this functionality, you must configure the Delivery Group to enable users to restart their desktops. For more information, see Delivery groups.
To provide access to desktops, a compatible version of Citrix Receiver is required on the desktop appliance. Typically, XenDesktop-compatible appliance vendors integrate Citrix Receiver into their products. For Windows appliances, the Citrix Desktop Lock must also be installed and configured with the URL for your Desktop Appliance site. If Internet Explorer is used, the Desktop Appliance site must be added to the Local intranet or Trusted sites zones. For more information about the Citrix Desktop Lock, see Prevent user access to the local desktop.
Important considerations
Desktop Appliance sites are intended for local users on the internal network accessing desktops from non-domain-joined desktop appliances. When you decide whether to use Desktop Appliance sites to provide users with access to your stores, consider the following restrictions.
- If you plan to deploy domain-joined desktop appliances and repurposed PCs, do not configure them to access stores through Desktop Appliance sites. Though you can configure Citrix Receiver with the XenApp Services URL for the store, we recommend the new Desktop Lock for both domain-joined and nondomain-joined use cases. For more information, see Citrix Receiver Desktop Lock.
- Desktop Appliance sites do not support connections from remote users outside the corporate network. Users logging on to NetScaler Gateway cannot access Desktop Appliance sites.
XenApp Services URLs
Users with older Citrix clients that cannot be upgraded can access stores by configuring their clients with the XenApp Services URL for a store. You can also enable access to your stores through XenApp Services URLs from domain-joined desktop appliances and repurposed PCs running the Citrix Desktop Lock. Domain-joined in this context means devices that are joined to a domain within the Microsoft Active Directory forest containing the StoreFront servers.
StoreFront supports pass-through authentication with proximity cards through Citrix Receiver to XenApp Services URLs. Citrix Ready partner products use the Citrix Fast Connect API to streamline user logons through Citrix Receiver for Windows to connect to stores using the XenApp Services URL. Users authenticate to workstations using proximity cards and are rapidly connected to desktops and applications provided by XenDesktop and XenApp. For more information, see the most recent Citrix Receiver for Windows documentation.
When you create a new store, the XenApp Services URL for the store is enabled by default. The XenApp Services URL for a store has the form http[s]://serveraddress/Citrix/storename/PNAgent/config.xml, where serveraddress is the fully qualified domain name of the server or load balancing environment for your StoreFront deployment and storename is the name specified for the store when it was created. This allows Citrix Receivers that can only use the PNAgent protocol to connect to Storefront. For the clients that can be used to access stores through XenApp Services URLs, see User device requirements.
Important considerations
XenApp Services URLs are intended to support users who cannot upgrade to Citrix Receiver and for scenarios where alternative access methods are not available. When you decide whether to use XenApp Services URLs to provide users with access to your stores, consider the following restrictions.
- You cannot modify the XenApp Services URL for a store.
- You cannot modify XenApp Services URL settings by editing the configuration file, config.xml.
- XenApp Services URLs support explicit, domain pass-through, smart card authentication, and pass-through with smart card authentication. Explicit authentication is enabled by default. Only one authentication method can be configured for each XenApp Services URL and only one URL is available per store. If you need to enable multiple authentication methods, you must create separate stores, each with a XenApp Services URL, for each authentication method. Your users must then connect to the appropriate store for their method of authentication. For more information, see XML-based authentication.
- Workspace control is enabled by default for XenApp Services URLs and cannot be configured or disabled.
- User requests to change their passwords are routed to the domain controller directly through the XenDesktop and XenApp servers providing desktops and applications for the store, bypassing the StoreFront authentication service.