Last Updated on December 25, 2020
Citrix Storefront 1912 LTSR Installation and Configuration is the third article in Citrix Virtual Apps and Desktop 7 1912 LTSR Installation and Configuration Series.
Citrix Virtual Apps and Desktops 7 1912 LTSR Installation and Configuration
- Citrix License Server installation for Citrix Virtual Apps and Desktops 7 1912 LTSR
- Citrix Delivery Controller 1912 LTSR Installation and Configuration
- Citrix Storefront 1912 LTSR Installation and Configuration
- Citrix Virtual Delivery Agent (VDA) 1912 LTSR Installation and Configuration
- Citrix Director 1912 LTSR Installation and Configuration
Prologue
The store I am going to create will be available to internal users only, which is why I am using an internal Certificate Authority to issue the SSL certificate. I have created a custom Web-server template for Server Authentication that I will use for the enrollment.
External users are supposed to connect to Citrix Storefront Store through VPN. If you have NetScaler or Citrix ADC then feel free to configure a gateway, and configure remote access settings on Storefront.
Since I am not using Citrix ADC, Citrix Gateway or F5 for termination/offloading of SSL traffic, or ICA Proxy for external users, I don’t need a public IP. You, however, as per your requirement, can get a public IP reserved for the FQDN and have it translated to the Gateway VIP. In that case, don’t forget to use a Public CA for issuing the SSL Certificate. If you represent a PCI compliant company, consider using a Dual-Hop configuration of Citrix NetScaler, Citrix ADC or Citrix Gateway.
Bandwidth requirements for CVAD 1912 have significantly decreased. I witnessed it first hand in one multi-site deployment that I finished last month. The “Citrix Virtual Apps and Desktops Bandwidth” article from Dan Feller will definitely help you in buying the right model of Citrix ADC or Citrix Gateway.
For load balancing Storefront servers, I am using Windows NLB. Both Storefront nodes are part of an NLB array with NLB Mode set to Multicast. The reason for choosing Multicast over Unicast is to avoid intra-node communication and switch flooding problems. Since I have configured NLB on the Storefront servers, I assigned 2 extra cores to each Storefront server. The DNS A record for the Storefront Base URL points to the NLB Shared IP (or Virtual IP address). As per your requirement, you can use Citrix ADC or F5 to load balance your Storefront servers. NLB setup is very straightforward, which is why I have not included the steps here; however, you can visit “Windows Server 2019 – Configuring a load-balanced website” to get a feel for how NLB is set up.
The operating system for Citrix Storefront 1912 LTSR Installation and Configuration I am using is Windows Server 2019 Datacenter Edition. Windows Server 2008 R2 SP1 is not supported anymore. Visit this Citrix Docs page for Storefront 1912 LTSR System Requirements.
SSL Certificate
- Login to a Storefront Server
- Open Run / Certlm.msc
- Right click on Personal and select All Tasks / Request New Certificate
- Click on Next in Before you Begin screen
- Click on Drop down arrow in front of Active Directory Enrollment Policy
- Select the template and click on Properties
- Select Common name in Type under Subject name and type the Storefront Server’s FQDN. Click on Add>
- In Alternate name, select DNS as Type, type Storefront server’s FQDN again in Value and click on Add>. Type Storefront BaseURL in Value and click on Add>
- Adding only Storefront Base URL is enough but I prefer to use SAN certificate with both; Storefront server’s FQDN and Storefront Base URL
- If you are using Single-FQDN Storefront deployment for internal as well as external users then the SSL Certificate issued by Public CA that you will install on NetScaler can be installed on Storefront
- If you are using Two-FQDN Storefront deployment then you can install the SSL certificate issued by Public CA to the Citrix Gateway URL on Citrix ADC or NetScaler and install SSL certificate issued by internal CA to Storefront Base URL on Storefront servers
- Switch to General tab. Give a Friendly name and Description. It can be any text that describes the purpose of the Certificate
- Click on Apply and OK
- Click on Enroll in Request Certificates
- Notice STATUS: Succeeded. Click on Finish
- You would see that Certificate has been installed in Personal Store
- Double click on the Certificate. In General tab, it should say “You have a private key that corresponds to this certificate.” And in Certificate Path tab, the full Certificate chain should show up. If not, download the Root and/or the intermediate certificate from the CA Enrollment portal and install them in the Trusted Root Certification Authorities store and the Intermediate Certification Authorities store respectively
- Switch to Details tab and confirm Subject Alternative Name
- Repeat the steps for second Storefront Server but with that Storefront server’s FQDN in Common name as well as DNS name
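The checks from the last few steps (private key present, both DNS names in the certificate, chain builds) can also be scripted. This is an added example, not part of the original article; `sf01.corp.example` and `storefront.corp.example` are placeholder names to replace with your server FQDN and Base URL host name.

```powershell
# Added example: validate the enrolled StoreFront certificate on this node.
# Run in an elevated Windows PowerShell session on the StoreFront server.
$ServerFqdn  = 'sf01.corp.example'         # placeholder: this server's FQDN
$BaseUrlHost = 'storefront.corp.example'   # placeholder: host name in the Base URL

$now = Get-Date
# Candidates: currently valid certificates in the computer's Personal store
# that list the Base URL host as a DNS name (exact match, no wildcard logic).
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.DnsNameList.Unicode -contains $BaseUrlHost)
}
if (-not $candidates) {
    throw "No valid certificate in LocalMachine\My lists $BaseUrlHost as a DNS name."
}

foreach ($cert in $candidates) {
    $dnsNames = @($cert.DnsNameList.Unicode)
    $ekuOids  = @($cert.EnhancedKeyUsageList.ObjectId)

    # Build the chain with default policy (includes an online revocation check,
    # so an unreachable CRL shows up in ChainErrors).
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Thumbprint       = $cert.Thumbprint
        FriendlyName     = $cert.FriendlyName
        HasPrivateKey    = $cert.HasPrivateKey
        SanHasServerFqdn = $dnsNames -contains $ServerFqdn
        SanHasBaseUrl    = $dnsNames -contains $BaseUrlHost
        ServerAuthEku    = $ekuOids -contains '1.3.6.1.5.5.7.3.1'  # Server Authentication
        ChainBuilds      = $chainOk
        ChainErrors      = ($chain.ChainStatus.Status -join ', ')
        DaysLeft         = [int]($cert.NotAfter - $now).TotalDays
    }
}
```

Every boolean column should read True and ChainErrors should be empty; a False in HasPrivateKey or ChainBuilds corresponds to the problems described for the General and Certificate Path tabs.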
Citrix Storefront 1912 LTSR Installation and Configuration
I have downloaded the Storefront installer as a separate component so I don’t have to copy entire media of CVAD 7 1912 LTSR on all servers. If you are installing Storefront from Autoselect.exe then you need to click on Storefront in the Meta installer window.
- Right click on Storefront Installer and select Run as Administrator
- Accept the License Agreement and click on Next
- IIS is a prerequisite that will be deployed automatically. Click on Next
- In Ready to install, click on Install
- Installation will progress
- Once it is completed, click on Finish
- Reboot
- Repeat the steps on second Storefront Server
- Come back to first Storefront Server. Open Citrix Storefront and click on Create a new deployment
- Leave the Base URL as it is for now. We will change it later. Click on Next
- Wait for the deployment to complete
- Once completed, Getting Started page will show up. Click on Next
- Give a Store name. This will appear in Citrix Receiver/Workspace app as part of the user’s account. If, for example, this is a separate store for External users then you should choose a name that reflects its purpose. Check Set this Receiver for Web site as IIS default. If you are going to create multiple stores and the store that you are creating right now is not going to be the default IIS site then don’t check this box. If you are unsure, leave it unchecked. You can do it later by right clicking on the store name and selecting Set as Default
- Click on Add. Give a Display name, select Citrix Virtual Apps and Desktops in Type and add the Delivery Controllers’ FQDNs. Select HTTPS or HTTP in Transport type. If you are using HTTPS then SSL certificates have to be issued to the Delivery Controllers’ FQDNs and the Broker Service has to be bound to that SSL certificate using PowerShell. Click on OK
- If you are going to aggregate resources from more than one set of Delivery Controllers then add them under a separate Display Name or Name or click on Next
- This is where you can enable Remote Access and add Citrix Gateway appliances. Based on your requirement, you can choose to go with No VPN Tunnel or Full VPN Tunnel with Endpoint Analysis. Since I am not going to use Citrix Gateway, I will click on Next. If you are, check Enable Remote Access, select No VPN Tunnel or Full VPN Tunnel and click on Add.
- Give a Display Name, give a Citrix Gateway URL and choose Authentication and HDX routing in Usage or role. Click on Next
- Click on Add and provide Secure Ticketing Authority URLs. That would be your Delivery Controllers. You can choose http or https. Storefront will automatically add /scripts/ctxsta.dll to the URLs. STA gets installed as part of your Delivery Controller installation. Check Enable session reliability. Click on Next
- On Authentication Settings, provide VServer IP Address if you have multiple Gateways (on separate appliance pairs) connecting to one StoreFront server. If you are using Multi-Factor authentication on Citrix Gateway then choose Domain and Security token otherwise Domain in Logon type. If you are using a non-password authentication like Smart Card or Citrix FAS (Federated Authentication Service) then provide a Callback URL otherwise leave it blank. Click on Create and then Finish
- For detailed steps, follow Carl Stalhood’s StoreFront 1912 through 3.5 – Configuration for Citrix Gateway
- Select User name and password and Domain pass-through in Authentication Method. Click on Next
- Check Enable XenApp Services URL and Make this the default Store for PNAgent. Click on Create
- Store creation will progress
- Once it is created successfully, click on Finish
- Right click on Server group and select Add Server
- Copy the Authorization Code
- Go to the second Storefront server, open Citrix Storefront and click on Join existing server group
- Paste the Authorization Code and type the name of first Storefront server in Authorizing server. Click on Join
- The join operation will progress propagating the changes to the second Storefront server
- Once completed, click on OK
- In Server Group of the second Storefront server, you will see the status of propagation
- Come back to the first Storefront server and click on OK
- Open Run / Compmgmt.msc / Users and Groups / Groups / Administrators. Confirm that NT SERVICE\CitrixConfigurationReplication (S-***) is added to the Administrators group
- Open regedit and go to HKLM\SOFTWARE\Citrix\Telemetry\CEIP. Create a DWORD value named ENABLED and set it to 0
- Right click on Store (XDPRD, in my case) and select Configure Store Settings
- Go to Advanced Settings and check Enable socket pooling. Click on Apply and then OK
- Right click on Manage Receiver for Web Sites
- Click on Configure
- Do the branding in Customize Appearance that suits your needs
- If you want to do more customization then open style.css from C:\inetpub\wwwroot\Citrix\xxxWeb(XDPRDWeb in my case)\custom. Scroll down and add the css code just below to /* CITRIX DISCLAIMER: END OF MANAGED SECTION. */. Check out Ultimate StoreFront 3 customization guide from Nicolas Ignoto. There is no need to copy the custom code and images to the second Storefront server. Propagation will take care of that
/* Header bar: solid colour fallback, then a left-to-right gradient */
.theme-header-bgcolor
{
    background-color: #00a498;
    background-image: -webkit-linear-gradient(left, #333333, #00a498);
    background-image: -moz-linear-gradient(left, #333333, #00a498);
    background-image: -ms-linear-gradient(left, #333333, #00a498);
    background-image: -o-linear-gradient(left, #333333, #00a498);
    /* The unprefixed syntax needs "to right"; a bare "left" is ignored by browsers */
    background-image: linear-gradient(to right, #333333, #00a498);
}
/* Semi-transparent content panel over the page background */
.web-screen .content-area
{
    background-color: rgba(255,255,255,0.6);
}
/* Page background; background.png sits in the same custom folder */
.web-screen
{
    background-color: #D3E1EC;
    background-image: url(background.png);
}
/* Logon form labels */
.credentialform .plain
{
    color: #000000;
    font-size: 20px;
}
/* Default (Log On) button */
.button.default
{
    background-color: #333333;
    color: #FFFFFF;
    border-style: solid;
    border-color: #000000;
    border-width: 4px;
}
.toolbar
{
    background-color: #D3E1EC;
}
- Download and copy CitrixWorkspaceApp to C:\Program Files\Citrix\Receiver StoreFront\ Receiver Clients\
- Switch to Deploy Citrix Receiver/Workspace app tab. Choose Install locally in Deployment Options. Choose Local files on the StoreFront server in Windows source and browse the workspace app we saved in the previous step. Choose Citrix website in Mac source
- Alternatively, you can choose Use Receiver for HTML 5 if local Citrix Receiver/Workspace app is unavailable in Deployment options
- Check Launch applications in the same tab as Receiver for Web to override the default behavior of HTML5 receiver
- Just like Windows source, you can choose Local files on the Storefront server or Files on remote server (through URL) in Mac source
- Find more on Workspace app for HTML5 at https://www.carlstalhood.com/storefront-cr-basic-configuration/#html5
- Switch to Client Interface Settings tab. If you wish, you can uncheck Auto launch desktop. Select Show Both views in Select view. Select Applications in Default view. You can choose to show the Home Page or Desktops as the Default view
- Switch to Advanced Settings tab and check Prompt to install Citrix Receiver/Workspace app after logon. Click on Apply and then OK
- Right click on Store (XDPRD in my case) and select Manage Authentication Methods
- Click on the down arrow next to gear icon in front of User name and password and choose Configure Trusted Domains
- Add one or more than one Trusted Domain. If you added more than one Trusted Domain then select the Default domain from the drop down. If you want to show the list of trusted domains on the logon page then check Show domains list in logon page. Click on OK
- Users with their logon names in trusted domain don’t have to type the UPN in the User name field on logon page. User ID and password will be enough to login
- Open PowerShell as an Administrator.
- Right click on Server Group and select Change Base URL
- Replace Storefront server’s name with a URL that you added as a DNS Name in Alternate Names of the SSL Certificate. Click on OK
- If you have not created an A record in DNS by now then do so. The Base URL should point to the Load Balancing VIP
- Notice that there is a warning – No certificate associated with the Storefront server
- Open Run / inetmgr. Expand Storefront Server name, expand Sites and click on Default Web Site. Click on Bindings under Actions menu on the right pane
- Click on Add. Select https in Type and the SSL certificate in SSL certificate. The name of the certificate you see here is the friendly name you provided during the enrollment process. Click on OK
- Propagate the changes.
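The IIS binding from the last steps can also be created and verified from PowerShell. This is an added example, not part of the original article; the thumbprint and `storefront.corp.example` are placeholders, and it assumes Default Web Site has at most one binding on port 443.

```powershell
# Added example: bind the enrolled certificate to https on Default Web Site,
# then confirm with a local TLS handshake that IIS really serves it.
# Run in an elevated Windows PowerShell session on the StoreFront server.
Import-Module WebAdministration

$Site        = 'Default Web Site'
$Thumbprint  = '<THUMBPRINT-OF-ENROLLED-CERTIFICATE>'   # placeholder
$BaseUrlHost = 'storefront.corp.example'                # placeholder: Base URL host name

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; IIS cannot serve it.' }

# Create the https binding if it is missing, then attach the certificate.
$binding = Get-WebBinding -Name $Site -Protocol https -Port 443
if (-not $binding) {
    New-WebBinding -Name $Site -Protocol https -Port 443 -IPAddress '*'
    $binding = Get-WebBinding -Name $Site -Protocol https -Port 443
}
if ($binding.certificateHash -ne $cert.Thumbprint) {
    if ($binding.certificateHash) { $binding.RemoveSslCertificate() }
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
}

# The callback accepts any certificate only so that it can be read back;
# the thumbprint comparison below is the actual check.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient('localhost', 443)
try {
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($BaseUrlHost)
    $served = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    [pscustomobject]@{
        Site             = $Site
        ServedThumbprint = $served.Thumbprint
        MatchesEnrolled  = ($served.Thumbprint -eq $cert.Thumbprint)
        TlsProtocol      = $ssl.SslProtocol
    }
} finally {
    $tcp.Dispose()
}
```

Run it on each StoreFront node with that node's own thumbprint; MatchesEnrolled should be True on both.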
Hello Gupta, I was tasked to deploy our new Citrix VDI environment. I had not touched Citrix for a while much less build it from scratch. Your article was so helpful as you didn’t miss a step and I was able to build it in one shot. This was a HUGE accomplishment for me and you were my reason of achieving it.
We stood up a new Citrix VDI environment with your guidance. Thank you so much for sharing empowering, encouraging and inspiring. I have used your Delivery Controller, StoreFront and Director. I will be adding this post to all three as you have been such a crucial part of our build out.
With gratitude and appreciation,
Mustafa