Citrix Cloud On Premise Storefront



Citrix Cloud helps you manage your Citrix workloads located on public clouds such as Microsoft Azure (preferred partner), Amazon AWS, Google Cloud and more. Citrix started to develop this platform in 2015, and it now supports most of its products.

  1. The StoreFront servers need to communicate with Cloud Connectors for resource enumeration from Citrix Cloud. The Cloud Connectors are installed with SSL certificates to ensure that the XML and STA traffic is encrypted and secure. Configure the store on StoreFront Servers with Cloud Connectors.
  2. Citrix strongly recommends installing the latest version of the StoreFront server for on-premises deployments. The StoreFront server must be a minimum of version 3.12. Ensure that the StoreFront servers requesting tickets and the Virtual Delivery Agents (VDAs) redeeming tickets have the identical configuration of FAS DNS addresses.
  3. Scenario: A Citrix Administrator is enabling TLS Secure connections between the Cloud Connectors and on-premises StoreFront. After configuring the TLS certificate on all Cloud Connectors and disabling HTTP connections, the administrator finds that no resources are being enumerated. Which extra step does the administrator need to take to allow enumeration to work between on-premises.
For application/desktop launch, you have to access the StoreFront URL, not NetScaler Gateway. NetScaler Gateway is not doing any authentication here, as it is acting as a proxy. Access the StoreFront URL in a browser as:
Note: If you check the downloaded ICA file, you will see the SSL proxy host set to the NetScaler Gateway URL.


3. Fill in the information as shown in the 'Request Certificate' popup window, reflecting your company details. For the “Common name” of the certificate, we can use a wildcard. This eliminates the need to create an individual certificate for each Citrix Cloud Connector. Note: Follow your company's security guidance when deciding whether the wildcard certificate will be used.

4. Click next and change the “Bit length” to “2048”.

5. Specify the path and the name of the certificate request, and click 'Finish':
6. In Windows Explorer, navigate to the location of the previously saved certificate request, and open the text file in Notepad:
7. In a browser, preferably on the same server where IIS is used, navigate to the 'Certificate Authority Server' (http://yourserver/certsrv), and then click on 'Request a certificate':
8. Select “Advanced certificate request” option, and then “Submit a certificate request by using a base 64-encoded CMC or PKCS #10 file”:

9. Copy and paste the information from the Notepad window that was opened in step #6. Make sure that the extra space at the end is removed. In the “Certificate Template” drop-down menu, select “Web Server”, and click Submit:
10. After the certificate request has been submitted, the download page is presented. Select “Base 64 encoded” and click “Download certificate”.
11. To complete the certificate, navigate to IIS and 'Server Certificates', and under the “Action” section, click on 'Complete Certificate Request':
12. In the new “Complete Certificate Request” popup window, browse to the downloaded certificate file and give it a “Friendly name” that will be recognizable:
13. In the IIS console, the certificate name will appear as the Friendly name given in the previous step, and the certificate will be a wildcard certificate:
14. To export the certificate with the private key, open mmc console and add the “Certificates” snap-in for the local computer:
15. Previously we selected the Personal store; navigating to that store in the mmc, we can locate the certificate:
16. To export the certificate and the private key, right-click on the certificate and navigate to 'All tasks' and 'Export'. Click Next in the new 'Certificate Export' popup window. On the next screen select 'Yes, export the private key', and click Next:
17. Click Next on the 'Export File Format' screen, without changing anything. That opens the Security screen, where the Password option should be selected and a password provided. Remember this password, since it will be used later on the Citrix Cloud Connectors when importing the certificate. Click Next:
18. Select export location and give name to the certificate pfx file that will be exported. Click Next and Finish, to complete the export:

19. Move the certificate to the Cloud Connector in order to import it. Then double-click the certificate, and in the “Certificate Import Wizard”, select Local Machine:
20. Confirm that the 'Browse' is showing the correct pfx file, and click Next:



21. In the 'Private key protection' window of the 'Certificate Import Wizard', enter the password from step 17. If there are plans to reuse the certificate, since it is a wildcard certificate, make sure that the checkbox next to 'Mark the key as exportable' is selected. Click Next:
22. Select 'Place all certificates in the following store' and browse to the 'Personal' store:
23. Click Next twice and Finish to complete the certificate import.
24. To confirm that the certificate has been properly installed, open mmc and add “Certificates” snap-in for local computer:
25. Navigate to the 'Personal' store and then 'Certificates'. The list of certificates should include the newly imported Cloud Connector certificate and the domain root certificate:
26. The root certificate should also be part of the 'Trusted root certificates':
27. The next task is to register the SSL certificate for HTTPS on the Cloud Connector. For Windows Server 2008 and onwards, there is a built-in utility called netsh which allows SSL certificate bindings to be made to a specific port. For more information, refer to the Microsoft MSDN article "How to: Configure a Port with an SSL Certificate".
28. In an elevated Command Prompt, the following command will be run:
C:\>netsh http add sslcert ipport=<IP address>:<Port Number> certhash=<Certificate Hash Number> appid={<Citrix Broker Service GUID>}
1. If IPv4 is specified as an address, but the machine has both an IPv4 and IPv6 address, IPv6 must be disabled. Otherwise, when Storefront performs a lookup it will receive two addresses for the XenDesktop controller and attempt to use the IPv6 address.
2. If the Cloud Connector needs to be configured with both IPv4 and IPv6 addresses, then 0.0.0.0 can be used as the IP address in the netsh command. This makes the binding for all IP addresses on the Cloud Connector.
3. The Certificate Hash Number can be located in two places:
a. One is in the registry of the Cloud Connector. Open Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates, and find the server certificate which will be used for the binding:
b. The second is under the Thumbprint on the certificate “Details” page. The “Details” page can be opened by double-clicking the certificate in the mmc Certificates console.

4. Make sure that the Certificate Hash does not have spaces when entered in the netsh command.
5. To obtain the Citrix Broker Service GUID on the Cloud Connector, in the Registry Editor, select Find, and search for Citrix Broker Service. The search should return an entry in the following registry location: HKEY_CLASSES_ROOT\Installer\Products\
It is important to mention that the entry in the registry is presented without the dashes for the GUID. Please make sure that the dashes are added in the following format:
33258705EE401E6498BDEC1BDC0B578E – original
33258705-EE40-1E64-98BD-EC1BDC0B578E – with dashes.
6. Using the located Certificate hash and the Citrix Broker Service GUID, the netsh command will look as follows, and can be run in an elevated Command Prompt:
C:\>netsh http add sslcert ipport=10.25.226.162:443 certhash=bc96f958848639fd101a793b87915d5f2829b0b6 appid={33258705-EE40-1E64-98BD-EC1BDC0B578E}
29. To complete the configuration, in the locally hosted StoreFront, make sure that the communication to the Citrix Cloud Connectors is set to use HTTPS and port 443.
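
The thumbprint and GUID clean-up from sub-steps 3 to 6 of step 28, as an added PowerShell example (not part of the original article and not Citrix tooling). The function names are hypothetical; the inputs are the sample values on this page, with spaces and an invisible left-to-right mark (U+200E) added because a thumbprint copied from the certificate “Details” page can carry both.

```powershell
# Added example. Sample values are the ones shown on this page; the spaces and
# the leading U+200E are constructed to imitate a copy from the "Details" page.
$rawThumbprint = "$([char]0x200E)bc 96 f9 58 84 86 39 fd 10 1a 79 3b 87 91 5d 5f 28 29 b0 b6"
$rawProductId  = '33258705EE401E6498BDEC1BDC0B578E'   # registry form, no dashes
$ipPort        = '10.25.226.162:443'

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Value)
    # Keep hex digits only: drops spaces, colons and invisible characters.
    $clean = ($Value -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters (SHA-1 thumbprint), got $($clean.Length)."
    }
    $clean
}

function ConvertTo-DashedGuid {
    param([Parameter(Mandatory)][string]$Value)
    if ($Value -notmatch '^[0-9A-Fa-f]{32}$') {
        throw 'Expected 32 hex characters without dashes.'
    }
    # 8-4-4-4-12 grouping, matching the "with dashes" line in step 28.
    $Value -replace '^(.{8})(.{4})(.{4})(.{4})(.{12})$', '$1-$2-$3-$4-$5'
}

$thumbprint = ConvertTo-CleanThumbprint $rawThumbprint
$appId      = ConvertTo-DashedGuid $rawProductId

# Confirm the certificate sits in the Local Machine "Personal" store with its
# private key (steps 21 to 25) before binding it.
$cert = Get-ChildItem Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
    Where-Object Thumbprint -eq $thumbprint
if (-not $cert) {
    Write-Warning "No certificate $thumbprint in Cert:\LocalMachine\My."
} elseif (-not $cert.HasPrivateKey) {
    Write-Warning 'Certificate found, but without a private key; re-import the .pfx.'
}

# Print the commands for review instead of running them.
"netsh http add sslcert ipport=$ipPort certhash=$thumbprint appid={$appId}"
"netsh http show sslcert ipport=$ipPort"
```

Run the printed `netsh http add sslcert` line in an elevated prompt on the Cloud Connector; `netsh http show sslcert` then lists the binding so the hash and application ID can be compared against what was intended.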


  • If there are multiple Cloud Connectors used, and the certificate is not wild-card, please repeat all the steps for each Cloud Connector.
  • If the wild-card certificate was used, repeat only steps 19 to 29.