Citrix Storefront 1912 LTSR Installation and Configuration

Citrix Storefront 1912 LTSR Installation and Configuration is the third article in Citrix Virtual Apps and Desktop 7 1912 LTSR Installation and Configuration Series.

Prologue

The store I am going to create will be available to internal users only, which is why I am using an internal Certificate Authority to issue the SSL certificate. I have created a custom Web Server template for Server Authentication that I will use for the enrollment.

External users are supposed to connect to Citrix Storefront Store through VPN. If you have NetScaler or Citrix ADC then feel free to configure a gateway, and configure remote access settings on Storefront.

Since I am not using Citrix ADC, Citrix Gateway or F5 for termination/offloading of SSL traffic, or ICA Proxy for external users, I don’t need a public IP. Depending on your requirements, you can have a public IP reserved for the FQDN and translated to the Gateway VIP. In that case, don’t forget to use a Public CA for issuing the SSL Certificate. If you represent a PCI compliant company, consider using Dual-Hop configuration of Citrix NetScaler or Citrix ADC or Citrix Gateway.

Bandwidth requirements for CVAD 1912 have significantly decreased. I witnessed it first hand in one multi-site deployment that I finished last month. The “Citrix Virtual Apps and Desktops Bandwidth” article from Dan Feller will definitely help you in buying the right model of Citrix ADC or Citrix Gateway.

For load balancing Storefront servers, I am using Windows NLB. Both Storefront nodes are part of an NLB array with NLB Mode set to Multicast. The reason for choosing Multicast over Unicast is to avoid intra-node communication and switch flooding problems. Since I have configured NLB on the Storefront servers, I assigned 2 extra cores to each Storefront server. The DNS A record for the Storefront Base URL points to the NLB Shared IP (or Virtual IP address). Depending on your requirements, you can use Citrix ADC or F5 to load balance your Storefront servers. NLB setup is very straightforward, which is why I have not included the steps here; however, you can visit “Windows Server 2019 – Configuring a load-balanced website” to get a feel for how NLB is set up.

The operating system I am using for this Citrix Storefront 1912 LTSR installation is Windows Server 2019 Datacenter Edition. Windows Server 2008 R2 SP1 is not supported anymore. Visit this Citrix Docs page for Storefront 1912 LTSR System Requirements.

SSL Certificate

  1. Login to a Storefront Server
  2. Open Run / Certlm.msc
  3. Right click on Personal and select All Tasks / Request New Certificate
Certificate Manager
  1. Click on Next in Before you Begin screen
Certificate Enrollment Before you Begin
  1. Click on the drop-down arrow in front of Active Directory Enrollment Policy
Certificate Enrollment Policy
  1. Select the template and click on Properties
Request Certificate
  1. Select Common name in Type under Subject name and type the Storefront Server’s FQDN. Click on Add>
  1. In Alternate name, select DNS as Type, type Storefront server’s FQDN again in Value and click on Add>. Type Storefront BaseURL in Value and click on Add>
    • Adding only the Storefront Base URL is enough, but I prefer to use a SAN certificate with both the Storefront server’s FQDN and the Storefront Base URL
    • If you are using Single-FQDN Storefront deployment for internal as well as external users then the SSL Certificate issued by Public CA that you will install on NetScaler can be installed on Storefront
    • If you are using Two-FQDN Storefront deployment then you can install the SSL certificate issued by Public CA to the Citrix Gateway URL on Citrix ADC or NetScaler and install SSL certificate issued by internal CA to Storefront Base URL on Storefront servers
Certificate Properties Subject tab
  1. Switch to General tab. Give a Friendly name and Description. It can be any text that describes the purpose of the Certificate
  2. Click on Apply and OK
Certificate Properties General tab
  1. Click on Enroll in Request Certificates
Request Certificate Enroll
  1. Notice STATUS: Succeeded. Click on Finish
Certificate Installation Results
  1. You would see that Certificate has been installed in Personal Store
Certificate Manager Personal Certificates
  1. Double click on the Certificate. In General tab, it should say “You have a private key that corresponds to this certificate.” And in Certificate Path tab, full Certificate chain should show up. If not, download the Root and/or the intermediate certificate from CA Enrollment portal and install them in the Trusted Root Certificate Store and Intermediate Certification store respectively
Certificate General tab
  1. Switch to Details tab and confirm Subject Alternative Name
Certificate SAN names
  1. Repeat the steps for second Storefront Server but with that Storefront server’s FQDN in Common name as well as DNS name
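
A scripted version of the checks in the last few steps, added here as an example and not taken from the original article: it inspects every certificate in the Local Computer Personal store for a private key, validity dates, the expected SAN entries, the Server Authentication EKU and a complete chain. The host names sf01.corp.example and storefront.corp.example are placeholders for your Storefront server FQDN and Base URL.

```powershell
# Added example (not from the original article). Run elevated on each Storefront server.
# Constructed placeholder names: replace with your server FQDN and Base URL host name.
$ExpectedNames = @('sf01.corp.example', 'storefront.corp.example')
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Test-StoreFrontCertificate {
    param(
        [Parameter(Mandatory)] $Cert,               # object returned by the Cert: provider
        [Parameter(Mandatory)] [string[]] $DnsNames
    )
    $problems = New-Object System.Collections.Generic.List[string]

    if (-not $Cert.HasPrivateKey) { $problems.Add('no private key') }

    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { $problems.Add('outside validity period') }

    # DnsNameList is filled by the Cert: provider from the SAN extension.
    # -notcontains compares strings case-insensitively, as DNS names require.
    $san = @($Cert.DnsNameList.Unicode)
    foreach ($name in $DnsNames) {
        if ($san -notcontains $name) { $problems.Add("SAN is missing $name") }
    }

    # An EKU extension, when present, must list Server Authentication.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -notcontains $ServerAuthOid)) {
        $problems.Add('EKU lacks Server Authentication')
    }

    # Build the chain against the machine trust stores (revocation is checked online by default).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        foreach ($status in $chain.ChainStatus) { $problems.Add("chain: $($status.Status)") }
    }

    [pscustomobject]@{
        Thumbprint   = $Cert.Thumbprint
        FriendlyName = $Cert.FriendlyName
        Problems     = $problems -join '; '
        Usable       = ($problems.Count -eq 0)
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-StoreFrontCertificate -Cert $_ -DnsNames $ExpectedNames } |
    Format-Table -AutoSize -Wrap
```

A chain status of UntrustedRoot or PartialChain corresponds to the missing root or intermediate certificate described in the steps above.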

Citrix Storefront 1912 LTSR Installation and Configuration

I have downloaded the Storefront installer as a separate component so I don’t have to copy entire media of CVAD 7 1912 LTSR on all servers. If you are installing Storefront from Autoselect.exe then you need to click on Storefront in the Meta installer window.

CVAD 7 1912 LTSR Meta Installer Storefront
  1. Right click on Storefront Installer and select Run as Administrator
Storefront Installer
  1. Accept the License Agreement and click on Next
Storefront terms
  1. IIS is a prerequisite that will be deployed automatically. Click on Next
Storefront Prerequisites
  1. In Ready to install, click on Install
Storefront Ready to Install
  1. Installation will progress
Storefront installing components
  1. Once it is completed, click on Finish
Storefront Installation Finished
  1. Reboot
Storefront Reboot Prompt
  1. Repeat the steps on second Storefront Server
  2. Come back to first Storefront Server. Open Citrix Storefront and click on Create a new deployment
  1. Leave the Base URL as it is for now. We will change it later. Click on Next
Storefront baseURL
  1. Wait for the deployment to complete
Storefront deployment started
  1. Once completed, Getting Started page will show up. Click on Next
  1. Give a Store name. This will appear in Citrix Receiver/Workspace app as part of the user’s account. If, for example, this is a separate store for External users then you should choose a name that reflects its purpose. Check Set this Receiver for Web site as IIS default. If you are going to create multiple stores and the store that you are creating right now is not going to be the default IIS site then don’t check this box. If you are unsure, leave it unchecked. You can do it later by right clicking on the store name and selecting Set as Default
Storefront Store Name
  1. Click on Add. Give a Display name, select Citrix Virtual Apps and Desktops in Type and add Delivery Controllers’ FQDN. Select HTTPS or HTTP in Transport type. If you are using HTTPS then SSL certificates are to be issued to Delivery Controllers’ FQDN and Broker Services is to be bound to that SSL certificate using Powershell. Click on OK
Storefront Add Delivery Controllers
  1. If you are going to aggregate resources from more than one set of Delivery Controllers then add them under a separate Display Name or Name or click on Next
Storefront Delivery controllers
  1. This is where you can enable Remote Access and add Citrix Gateway appliances. Based on your requirement, you can choose to go with No VPN Tunnel or Full VPN Tunnel with Endpoint Analysis. Since I am not going to use Citrix Gateway, I will click on Next. If you are,
    • Check Enable Remote Access, select No VPN Tunnel or Full VPN Tunnel and click on Add.
    • Give a Display Name, give a Citrix Gateway URL and choose Authentication and HDX routing in Usage or role. Click on Next
    • Click on Add and provide Secure Ticketing Authority URLs. That would be your Delivery Controllers. You can choose http or https. Storefront will automatically add /scripts/ctxsta.dll to the URLs. STA gets installed as part of your Delivery Controller installation. Check Enable session reliability. Click on Next
    • On Authentication Settings, provide VServer IP Address if you have multiple Gateways (on separate appliance pairs) connecting to one StoreFront server. If you are using Multi-Factor authentication on Citrix Gateway then choose Domain and Security token otherwise Domain in Logon type. If you are using a non-password authentication like Smart Card or Citrix FAS (Federated Authentication Service) then provide a Callback URL otherwise leave it blank. Click on Create and then Finish
    • For detailed steps, follow Carl Stalhood’s StoreFront 1912 through 3.5 – Configuration for Citrix Gateway
Storefront Remote Access
  1. Select User name and password and Domain pass-through in Authentication Method. Click on Next
Storefront Authentication Method
  1. Check Enable XenApp Services URL and Make this the default Store for PNAgent. Click on Create
Storefront XenApp Services URL
  1. Store creation will progress
Storefront Creating Store
  1. Once it is created successfully, click on Finish
Storefront Store created successfully
  1. Right click on Server group and select Add Server
Storefront Add Second Server
  1. Copy the Authorization Code
Storefront Authentication code
  1. Go to the second Storefront server, open Citrix Storefront and click on Join existing server group
Storefront Second Server Welcome Screen
  1. Paste the Authorization Code and type the name of first Storefront server in Authorizing server. Click on Join
Storefront Join Server group
  1. The join operation will progress propagating the changes to the second Storefront server
Storefront Adding Server
Storefront Add server in progress
  1. Once completed, click on OK
Storefront Second Server added to Server group
  1. In Server Group of the second Storefront server, you will see the status of propagation
Storefront Server Group
  1. Come back to the first Storefront server and click on OK
Storefront Second server joined to server group
  1. Open Run / Compmgmt.msc / Users and Groups / Groups / Administrators. Confirm that NT SERVICE\CitrixConfigurationReplication (S-***) is added to the Administrators group
Storefront Administrator Group
  1. Open regedit and go to HKLM\SOFTWARE\Citrix\Telemetry\CEIP. Create a DWORD key ENABLED and set its value to 0
Storefront CEIP disable through regedit
  1. Right click on Store (XDPRD, in my case) and select Configure Store Settings
Storefront configure store settings
  1. Go to Advanced Settings and check Enable socket pooling. Click on Apply and then OK
Storefront Store Advanced Settings
  1. Right click on Manage Receiver for Web Sites
Storefront Manage Receiver for Web Sites
  1. Click on Configure
Storefront Manage Receiver for Web Sites configure
  1. Do the branding in Customize Appearance that suits your needs
Receiver for Web custom appearance
  1. If you want to do more customization then open style.css from C:\inetpub\wwwroot\Citrix\xxxWeb(XDPRDWeb in my case)\custom. Scroll down and add the CSS code below, just after the /* CITRIX DISCLAIMER: END OF MANAGED SECTION. */ line. Check out the Ultimate StoreFront 3 customization guide from Nicolas Ignoto. There is no need to copy the custom code and images to the second Storefront server. Propagation will take care of that
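/* Header: solid teal fallback, then a dark-grey to teal gradient running left to right */
.theme-header-bgcolor
{
	background-color: #00a498;
	background-image: -webkit-linear-gradient(left, #333333, #00a498);
	background-image: -moz-linear-gradient(left, #333333, #00a498);
	background-image: -ms-linear-gradient(left, #333333, #00a498);
	background-image: -o-linear-gradient(left, #333333, #00a498);
	/* The unprefixed syntax takes a direction keyword ("to right"), not a start side */
	background-image: linear-gradient(to right, #333333, #00a498);
}
/* Semi-transparent white panel behind the page content */
.web-screen .content-area
{
	background-color: rgba(255,255,255,0.6);
}
/* Page background: colour fallback plus background.png from the custom folder */
.web-screen
{
	background-color: #D3E1EC;
	background-image: url(background.png);
}
/* Labels on the logon form */
.credentialform .plain
{
	color: #000000;
	font-size: 20px;
}
/* Default (Log On) button */
.button.default
{
	background-color: #333333;
	color: #FFFFFF;
	border-style: solid;
	border-color: #000000;
	border-width: 4px;
}
/* Toolbar shown after logon */
.toolbar
{
	background-color: #D3E1EC;
}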

  1. Download and copy CitrixWorkspaceApp to C:\Program Files\Citrix\Receiver StoreFront\Receiver Clients\
Citrix Workspace App Location
  1. Switch to Deploy Citrix Receiver/Workspace app tab. Choose Install locally in Deployment Options. Choose Local files on the StoreFront server in Windows source and browse the workspace app we saved in the previous step. Choose Citrix website in Mac source
    • Alternatively, you can choose Use Receiver for HTML 5 if local Citrix Receiver/Workspace app is unavailable in Deployment options
    • Check Launch applications in the same tab as Receiver for Web to override the default behavior of HTML5 receiver
    • Just like Windows source, you can choose Local files on the Storefront server or Files on remote server (through URL) in Mac source
    • Find more on Workspace app for HTML5 at https://www.carlstalhood.com/storefront-cr-basic-configuration/#html5
Receiver for Web Deploy Citrix Receiver or Workspace App
  1. Switch to Client Interface Settings tab. If you wish, you can uncheck Auto launch desktop. Select Show Both views in Select view. Select Applications in Default view. You can choose to show the Home Page or Desktops as the Default view
Receiver for Web Client Interface Settings
  1. Switch to Advanced Settings tab and check Prompt to install Citrix Receiver/Workspace app after logon. Click on Apply and then OK
Receiver for Web Advanced Settings
  1. Right click on Store (XDPRD in my case) and select Manage Authentication Methods
Storefront Store Manage Authentication Method
  1. Click on the down arrow next to gear icon in front of User name and password and choose Configure Trusted Domains
Configure Trusted Domains
  1. Add one or more than one Trusted Domain. If you added more than one Trusted Domain then select the Default domain from the drop down. If you want to show the list of trusted domains on the logon page then check Show domains list in logon page. Click on OK
    • Users with their logon names in trusted domain don’t have to type the UPN in the User name field on logon page. User ID and password will be enough to login
Configure Trusted Domains default domain
  1. Open powershell as an Administrator.
TrustRequestsSentToTheXmlServicePort
  1. Right click on Server Group and select Change Base URL
  1. Replace Storefront server’s name with a URL that you added as a DNS Name in Alternate Names of the SSL Certificate. Click on OK
Change Base URL
  1. If you have not yet created an A record in DNS then do so now. The Base URL should point to the Load Balancing VIP
  2. Notice that there is a warning – No certificate associated with the Storefront server
  1. Open Run / inetmgr. Expand Storefront Server name, expand Sites and click on Default Web Site. Click on Bindings under Actions menu on the right pane
IIS Default Web Site
  1. Click on Add. Select https in Type and the SSL certificate in SSL certificate. The name of the certificate you see here is the friendly name you provided during the enrollment process. Click on OK
IIS https binding
IIS https binding select SSL Certificate
  1. Propagate the changes.
Propagate Changes
Propagate Changes Yes
Propagate Changes completed
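
To confirm the HTTPS binding on every node once the Base URL and bindings are in place, the following added example (not part of the original article) connects to each Storefront server directly, bypassing the NLB virtual IP, and validates the certificate it presents against the Base URL host name. The names storefront.corp.example, sf01.corp.example and sf02.corp.example are placeholders; run it from a domain-joined machine that trusts the internal CA.

```powershell
# Added example (not from the original article); host names are constructed placeholders.
$BaseUrlHost = 'storefront.corp.example'                     # host part of the Base URL
$Nodes       = @('sf01.corp.example', 'sf02.corp.example')   # the individual Storefront servers

function Get-TlsEndpointReport {
    param(
        [Parameter(Mandatory)] [string] $Node,
        [Parameter(Mandatory)] [string] $ExpectedHost,
        [int] $Port = 443
    )
    $state = @{ Errors = 'not evaluated' }
    # Record the validation result but let the handshake finish, so a bad certificate
    # shows up in the report. Nothing is sent over this connection after the handshake.
    $validator = {
        param($source, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] $validator

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($Node, $Port)                  # the node itself, not the NLB virtual IP
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($ExpectedHost)    # name check is done against the Base URL host
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Node = $Node; Protocol = $ssl.SslProtocol; Thumbprint = $cert.Thumbprint
            NotAfter = $cert.NotAfter; PolicyErrors = "$($state.Errors)"
        }
    }
    catch {
        [pscustomobject]@{
            Node = $Node; Protocol = $null; Thumbprint = $null
            NotAfter = $null; PolicyErrors = "failed: $($_.Exception.Message)"
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

$Nodes | ForEach-Object { Get-TlsEndpointReport -Node $_ -ExpectedHost $BaseUrlHost } |
    Format-Table -AutoSize
```

PolicyErrors should read None on every node. RemoteCertificateNameMismatch means the bound certificate does not carry the Base URL in its SAN, and RemoteCertificateChainErrors means the client cannot build a trusted chain to the issuing CA.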
