Document Management Category Tracking Information Company:


1 Document Management Category Tracking Information
Company: Citrix Systems, Inc.
Author(s): Adolfo Montoya
Owner(s): Worldwide Support Readiness
Last modified: 2/2/2012
Version: 1.0
Length: 6 hours

2 Citrix CloudGateway
Adolfo Montoya – Readiness Specialist December, 2011

3 Agenda
- CloudGateway Overview
- System Requirements
- Architecture of CloudGateway Express
- Deployment Options
- Features
- Troubleshooting
- Q&A

4 Terminology
Citrix Product Name | Component
Citrix CloudGateway Express | Citrix StoreFront Services 1.0 (formerly Receiver Storefront)
Citrix CloudGateway Enterprise | Citrix AppController 1.0; Citrix StoreFront Services 1.0 (formerly Receiver Storefront); Citrix Access Gateway
Receiver for Windows 3.1 | Citrix Receiver and Self-service Plug-in bundled
Terminology table to explain what CloudGateway is. CloudGateway is a marketing term, but the components on the right are the ones installed in the Citrix environment.
Citrix Confidential - Do Not Distribute

5 Packaging
CloudGateway Express / CloudGateway Enterprise
Licensing: None / Yes
Packaging / Bill-of-materials: Receiver, StoreFront Services, Merchandising Server, Workflow Studio, AppController, Access Gateway
Fulfillment: Free to all XA/XD customers, Web download only / License: SKU; Software: SKU & Web download
This is how Citrix CloudGateway will be packaged and delivered to customers. CloudGateway Express is a direct replacement for Web Interface, so there is no license required to unlock the functionality. However, customers must be XenApp, XenDesktop or CloudGateway Enterprise customers to download the software. CloudGateway Enterprise requires the purchase of a license to enable the AppController component. These are per-user, per-CCU and can be either perpetual or annual. Purchasing a CloudGateway Enterprise license entitles the purchaser to Access Gateway Universal CCUs on a 1:1 basis. The Access Gateway or NetScaler appliances must be purchased separately.

6 CloudGateway Overview

7 What is CloudGateway?
- New way to deliver and access Apps, Desktops, SaaS and Data
- Unified application store with Self-service for end users
- ‘Follow-me’ apps with one login from any device

8 What is CloudGateway?
- ‘Auto-provision’ applications and desktops
- Access from any device: Windows, Mac, Linux, Thin Clients, Mobile Devices
- Same user experience across all devices

9 CloudGateway Editions
Citrix CloudGateway Express: Windows apps & desktops
Citrix CloudGateway Enterprise: Windows apps & desktops; Web, SaaS & Data

10 CloudGateway Enterprise Components
[Diagram labels: Citrix CloudGateway; PC, Mac, Smartphone, Tablet, Thin Client; Access Gateway; StoreFront™ Services (formerly Receiver Storefront); Content Controllers: XenApp, XenDesktop, Web & SaaS]
Citrix CloudGateway Enterprise is a unified service broker which provides access to different types of content. The slide shows two content controllers/connectors, which plug into StoreFront Services to provide single sign-on access. At this time, the content connectors supported are:
- XenApp/XenDesktop: provides access to your Windows apps and desktops, served by your data collector or desktop controller.
- Web & SaaS: provides access to your Web & SaaS applications. It is the AppController component.
Mobile & Data connectors coming soon!!!
*Data & Mobile not available in CG 1.0. Planned for future in 2012

11 CloudGateway Enterprise / CloudGateway Express
[Diagram labels: XenDesktop, Desktops, Access Gateway, StoreFront Services, XenApp, Apps, App Controller, SaaS]

12 New UI… New Experience

13 Old way to access content…
Complex environments to maintain – 3 different plugins to access published resources:
- Web plugin
- PNA plugin
- Dazzle plugin

14 New way to access content…
Single-plugin installed on a workstation provides same content access via the Notification Area and Web-based. One client… Citrix Receiver!

15 Same experience on any device…
[Slide images: Windows PC, Windows self-service (aka Dazzle), Android, Mac laptop]
The idea of CloudGateway is to unify all Citrix Receivers and deliver the same user experience across all devices.

16 CloudGateway Express

17 What is CloudGateway Express?
- Citrix StoreFront Services 1.0 (formerly Receiver Storefront), component of CloudGateway Express
- It is a set of features/services installed on Windows
- Will replace Citrix Web Interface
- Not all features are available (yet) from Web Interface
- Migration will be slow
- 500+ downloads of Citrix StoreFront Services (Tech Preview)

18 Why Citrix StoreFront Services?
- Web Interface technology is more than 10 years old
- Microsoft is ending support on J# 2.0 in the next few years us/vjsharp/bb188593
- Web Interface EOL June, (tentative)

19 Citrix CloudGateway Express Licensing Model
FREE! for all XenApp & XenDesktop customers

20 System Requirements
- Supported only on Windows 2008 R2 SP1
- Internet Information Services (IIS) 7.5
- SQL Express 2008 R2
- SQL 2008 R2
- .NET Framework 3.5 SP1
- No more Microsoft J# 2.0!

21 Ports Used
Component | Ports
StoreFront services – (Authentication) | Kerberos (88) / LDAP (389) / Kpasswd (464)
StoreFront services – (XML Communication) | HTTP (80) / HTTPS (443)
ICA | 1494
CGP – Session Reliability | 2598
Receiver for Windows |
Receiver for Web |

22 Citrix StoreFront Services - Compatibility

23 Supported XenApp Versions
Product Name Operating System Supported? XenApp 6.5 Windows 2008 R2 XenApp 6.0 XenApp 5.0 Windows 2008 (32-bit / 64-bit) Windows 2003 (32-bit / 64-bit) XenApp 4.0 Unix Operating Systems Citrix Presentation Server 4.0 Windows 2000 / 2003 (32-bit /64-bit)

24 Supported XenDesktop Versions
Product Name Operating System Supported? XenDesktop 5.5 Windows 2008 (32-bit / 64-bit) / Windows 2008 R2 XenDesktop 5.0 XenDesktop 4.0 Windows 2003 (32-bit / 64-bit) XenDesktop 3.0

25 Supported Browsers / Clients
Operating System Supported? Internet Explorer 9.0 (32-bit) Windows 7 SP1 (32-bit / 64-bit) Internet Explorer 8.0 (32-bit) Windows 7 SP1 (32-bit / 64-bit) Windows Vista SP2 (32-bit / 64-bit) Windows XP SP2 (64-bit) Windows XP SP3 (32-bit) Mozilla Firefox 8.0 / 7.0 / 6.0 Windows 7 SP1 (32-bit / 64-bit) Mac OS X 10.7 (Lion) Red Hat Enterprise Linux 6 Desktop

26 Supported Browsers / Clients
Operating System Supported? Google Chrome 15 / 14 / 13 Windows 7 SP1 (32-bit / 64-bit) Safari 5.1 Mac OS X 10.7 (Lion) Safari 5.0 Mac OS X 10.6 (Snow Leopard)

27 Supported Citrix Receiver
Type Version Supported? Receiver for Windows 3.1 Receiver for Mac 11.4 / 11.3 Receiver for Linux 12.0 Receiver for Chromebook 1.0 Receiver for Java 10.1

28 Supported Citrix Receiver (Mobile)
Type Version Supported? Receiver for Android 3.0 Receiver for iOS 5.x Receiver for BlackBerry 2.2 Receiver for Playbook 1.0 Receiver for Windows Mobile 11.5

29 Supported Citrix Access Gateway
Product Name Version Supported? Citrix Access Gateway Enterprise 9.3 or later Citrix Access Gateway (Standard / Advanced) 5.0.3 or later 4.x Citrix Secure Gateway 3.x

30 Migration

31 Migration Deployment – Current
[Diagram layers: Provider Layer (XenDesktop, XenApp Farm1, XenApp Farm2); Store Services (WI / PNA); Gateways (Access Gateway); Receivers (Receiver (Windows), Receiver (Mac), Receiver (iPad), legacy thin clients)]
This is the current environment that most of our customers have: a Web Interface server with either XenApp Web sites or Services sites hosted and communicating with back-end XenApp/XenDesktop farms, secured by an Access Gateway appliance/VPX, with a variety of devices connecting to the environment using their own version of Citrix Receiver.

32 Migration Deployment – Dual
[Diagram layers: Provider Layer (XenDesktop, XenApp Farm1, XenApp Farm2); Store Services (WI / PNA, StoreFront services); Gateways (Access Gateway); Receivers (Receiver (Windows), Receiver (Mac), Receiver (iPad), legacy thin clients)]
The idea is not to tell our customers to undeploy their current Web Interface environment. Instead, deploy StoreFront Services on the side, pointing to the same XenApp/XenDesktop farms, use an Access Gateway (or Gateways) and let a handful of Windows users connect to StoreFront. This way, migration will be gradual.

33 Migration Deployment – Legacy Mode
[Diagram layers: Provider Layer (XenDesktop, XenApp Farm1, XenApp Farm2); Store Services (WI / PNA, StoreFront services in Legacy mode); Gateways (Access Gateway); Receivers (Receiver (Windows), Receiver (Mac), Receiver (iPad), legacy thin clients)]
Another scenario is for those customers that have hosted thin-client devices that are still not ready for the StoreFront Services migration. WYSE, HP, etc. vendors are not (yet) ready with a new Citrix Receiver plug-in. An alternative is to enable Legacy PNA mode on the StoreFront Services server so that these devices (or even workstations using legacy Citrix ICA clients – 11.x, 12.x) can connect to StoreFront and get access to published content.

34 Migration Deployment – Desired
[Diagram layers: Provider Layer (XenDesktop, XenApp Farm1, XenApp Farm2); Store Services (StoreFront services in Legacy mode); Gateways (Access Gateway); Receivers (Receiver (Windows), Receiver (Mac), Receiver (iPad), legacy thin clients)]
Ultimately, the goal is to migrate our customers completely from Web Interface to StoreFront Services with Legacy PNA mode enabled so everyone can experience this new technology of accessing Windows and Web Apps.

35 File Differences
Configuration File
- Citrix Web Interface: C:\inetpub\wwwroot\Citrix\XenApp\conf\WebInterface.conf
- Citrix StoreFront Services: C:\inetpub\wwwroot\Citrix\Store\Web.config
Default.ica File
- Citrix Web Interface: C:\inetpub\wwwroot\Citrix\XenApp\conf\default.ica
- Citrix StoreFront Services: C:\inetpub\wwwroot\Citrix\Store\App_Data\default.ica
Stores, Receiver for Web and Authentication have their respective Web.config files to enable/disable settings. The Web.config file is an XML file that can be edited with any text editor – e.g. Notepad++, Notepad, etc. It is recommended to close the StoreFront Services console before making any changes to the Web.config file, and to perform an IISRESET after making the changes.

36 StoreFront Services - Installation
Step-by-step installation of StoreFront Services on a Windows 2008 R2 server.

37 Installation

38 Installation
If no prerequisites are installed, the StoreFront Services installer will install them for you. It will NOT install SQL 2008 R2 or 2008 R2 Express.

39 Installation

40 Installation

41 Deployment Options

42 Single Server Deployment

43 Single Server Deployment - Diagram
[Diagram zones: Internet, DMZ, LAN. Components: Access Gateway (optional), StoreFront Services, XenApp/XenDesktop]
- StoreFront Services could be sitting in the LAN behind an Access Gateway
- StoreFront Services could be sitting in the LAN (no AG)

44 Single Server Deployment
- Great for small / proof-of-concept environments
- Subscription database must reside on same server
- (Recommended) Make sure to have an SSL certificate installed and bound in IIS to secure front-end traffic – e.g. client to server
Quick, easy deployment with the Single Server option. The disadvantage is a single point of failure.

45 Deployment Mode
[Console options: Single server deployment, Multi-server deployment, Join a pre-built deployment]
Step-by-step Single Server deployment configuration.

46 Single Server Deployment
Server address (by default) will be the machine name or binding created on IIS

47 3 – Easy Steps to Setup StoreFront Services!

48 Single Server Deployment
1 Authentication Service

49 Single Server Deployment
Select the authentication method desired:
- User name and password
- Domain pass-through
- Pass-through from Citrix Access Gateway
Only three authentication methods are available for now on StoreFront Services 1.0 (formerly Receiver Storefront). No RSA/RADIUS/SafeWord/Smart cards/Kerberos supported. No more authentication points – e.g. At Web Interface, At Web Server, At ADFS, etc.

50 Single Server Deployment
2 Stores

51 Single Server Deployment
Specify Store name. By default, StoreFront Services will provide the name of “Store”.

52 Single Server Deployment
Define content connectors:
- Citrix XenApp
- Citrix XenDesktop
- Citrix CloudGateway (aka AppController)
Transport type:
- Unsecure (HTTP)
- Secure (HTTPS)
- Secure (SSL Relay)

53 Single Server Deployment
3 Receiver for Web

54 Single Server Deployment

55 Single Server Deployment
After initial setup, additional options will become available:
- Gateways
- Beacons

56 Lab 1 – StoreFront Services Installation and Configuration

57 High Availability Deployment

58 High Availability Deployment - Diagram
[Diagram zones: Internet, DMZ, LAN. Components: Load Balancer, StoreFront Services (Primary), StoreFront Services (Secondary), XenApp/XenDesktop]
- Two StoreFront Services servers in HA mode behind an Access Gateway (e.g. NetScaler)
- Two StoreFront Services servers in HA mode behind a third-party load balancer
- Two StoreFront Services servers in HA mode behind Microsoft Network Load Balancing (NLB)

59 High Availability Deployment
- Great for Enterprise-level deployments
- Provides high availability / failover to Stores
- Needs a load balancer – e.g. NetScaler
- Subscription database is remote
- No master / slave setup
Since there is no master/slave setup, care must be taken when multiple Administrators try to make changes to the StoreFront cluster. It is recommended that only one StoreFront Services server performs the propagation of changes to the other servers in the cluster.

60 Multiple Server Group Deployment – Checklist
- Minimum of 2 server setup
- Prepare remote database by using scripts
- Make sure to have in place a configured hardware (or software) load balancer
- Install StoreFront Services on primary server and configure Authentication, Store and Receiver for Web
- Install StoreFront Services on secondary server and join it to the Server Group
- (Optional) Preferably use a wildcard certificate for all devices
The remote database needs to be prepared using scripts available on Citrix eDocs before creating a multi-server environment with StoreFront Services.

61 Multiple Server Group Deployment – (Primary Server)
[Console options: Single server deployment, Multi-server deployment, Join a pre-built deployment]
Step-by-step setup of a multiple server group deployment.

62 Multiple Server Group Deployment – (Primary Server)
- Enter the hostname (FQDN) of the load balancer
- Enter the Database server IP, hostname or FQDN
- Enter the Database name

63 Multiple Server Group Deployment – (Primary Server)
1 Authentication Service

64 Multiple Server Group Deployment – (Primary Server)
Select the authentication method desired:
- User name and password
- Domain pass-through
- Pass-through from Citrix Access Gateway

65 Multiple Server Group Deployment – (Primary Server)
2 Stores

66 Multiple Server Group Deployment – (Primary Server)
Specify Store name. By default, StoreFront Services will provide the name of “Store”.

67 Multiple Server Group Deployment – (Primary Server)
Define content connectors:
- Citrix XenApp
- Citrix XenDesktop
- Citrix CloudGateway (aka AppController)
Transport type:
- Unsecure (HTTP)
- Secure (HTTPS)
- Secure (SSL Relay)

68 Multiple Server Group Deployment – (Primary Server)
3 Receiver for Web

69 Multiple Server Group Deployment – (Primary Server)

70 Multiple Server Group Deployment – (Secondary Server)
[Console options: Single server deployment, Multi-server deployment, Join a pre-built deployment]
Step-by-step configuration to add a new StoreFront Services server to an existing server group.

71 Multiple Server Group Deployment – (Secondary Server)
From Secondary Server…
For the second server to join a server group, it needs the information of an authorizing server plus a code that will allow it to join the cluster. The authorization code works in a similar way to a RADIUS shared passphrase, so both endpoints trust each other.

72 Multiple Server Group Deployment – (Secondary Server)
From Primary Server…

73 Multiple Server Group Deployment – (Secondary Server)
From Secondary Server…

74 Multiple Server Group Deployment – (Secondary Server)
From Primary Server…

75 Multiple Server Group Deployment – (Secondary Server)
From Primary Server…
Once the secondary server has joined the server group, we need to propagate the configuration settings from the primary server.

76 Multiple Server Group Deployment – (Secondary Server)
From Primary Server…
Propagating changes takes more or less 2 minutes to complete.

77 Multiple Server Group Deployment – (Secondary Server)
From Primary Server…

78 Multiple Server Group Deployment – (Secondary Server)
Once “Propagate Changes” is complete, check the following on the Secondary Server:
- Verify Authentication Service URL
- Verify Stores
- Verify Receiver for Web
- (Optional) Verify Gateways

79 Architecture Overview

80 Modularization is the key…
Modularization is a key design principle we followed in building StoreFront Services. StoreFront Services is a collection of 25 features that only get installed when needed on the server. Example: Authentication, CitrixAGBasicAuthentication, CitrixOnlineIntegration, CredentialWallet, DazzleResources, etc. The installation of each feature is seamless to the Administrator and this is done via PowerShell commands. Whenever an Administrator creates an Authentication Service or creates the first Receiver for Web from the console, StoreFront Services adds the feature on the server. By designing the entire system to be a collection of services we enable you to plug-in and extend as needed.

81 Architecture Approach
[Diagram: “Old World” (Web Interface, PNA Services) vs “New World” (StoreFront Services, Receiver for Web, Auth Platform, App DB). Labels on both sides: AG Support, W’space Ctrl, Branding; Explicit, Pass-through, Smart Card, Two Factor, Anonymous, 3rd Party; Web Browsers, Other Clients, AG (optional). The New World side also shows XA/XD Apps, Web/SaaS Apps, Data / Mobile, and Receiver (New!).]
‘old world’ = Web Interface. Complex environment to maintain since each site was treated as a separate service.
‘new world’ = StoreFront Services. Modular/centralized environment that provides the same level of service to any device or client.

82 StoreFront Services – The New Middle Tier
[Diagram labels: StoreFront Services Tier; Browser, Thin Clients, Mobile Devices, Access Gateway; Web Receiver, 3rd Party Web; Services Store (List My Apps, List All Apps, Launch App, Subscribe); XML Service Adaptor, Future Citrix Adaptors, 3rd Party Adaptors; XenApp Farms, XenDesktop Farms, App Controller, Internal Web Apps, SaaS Apps, 3rd Party Apps; Authentication Service (Password, OTP, Smartcard, Kerberos, ...); “Value Adds”; Update Service (Merchandising Server); Mac and Windows; numbered callouts 1 to 4]
Detailed architecture. Key points:
- StoreFront Services is a platform for authenticated service access
- “XML Service Adaptor” provider support for XenApp and other resource providers. Currently XenApp/XenDesktop only, but plan to extend
- Authentication Service is a separate delivery service. Used by Store Services, Merchandising Server and anything else needing authentication (e.g. Streaming)
- Web Receiver will be a new web-based front end leveraging delivery services. 3rd parties encouraged to do the same
- Value Adds include follow-me apps/subscription database & workflow services. More to follow.

83
1 Store Service
[Diagram labels: Services Store; List My Apps, List All Apps, Launch App, Subscribe]
REST Services
- XML messages over HTTP(S) protocol
- Authentication via a token header
Designed to be a public SDK
- Currently not published
Root service is ‘Resources’
- This then references Images, Windows Icons etc.
Notes:
- Representational state transfer (REST) is a software architecture framework for the WWW
- Store services SDK will be available in the upcoming StoreFront Services SDK (no ETA) to allow Administrators to expand the current functionality of StoreFront Services and create their own content connectors (or adaptors) to other services.
- By default, when end-users connect to a Store or Receiver for Web site, Citrix Receiver will query the /Resources/List. If the end-user has a valid authentication token, StoreFront Services will

84
2 Authentication
[Diagram labels: Authentication Service; Password, OTP, Smartcard, Kerberos, ...]
Allows Single Sign-on
- Between different StoreFront services
- To other Citrix services (other boxes)
Extends in many directions
- Federation-In (SAML protocol)
- Access Gateway SSO
- SSO to AppController
The Authentication service in StoreFront Services is the most important one on the server. This is the service that authenticates users against the domain and allows the Receiver to communicate with the Store or Receiver for Web once it is ‘authorized’. This is a big improvement of StoreFront Services over Web Interface, since we are no longer delegating this job to the XML broker. In future releases, this Authentication service will be improved to provide a seamless SSO to AppController.

85 Authentication Flow… Current
[Diagram labels: Internet, Web Interface Server, XML Server, Active Directory Server]
Currently, Web Interface passes logon credentials to the XML broker (e.g. XenApp or XenDesktop DDC) for credential validation. This is no longer the case with StoreFront Services.

86 Authentication Flow… New
[Diagram labels: Internet, StoreFront Services Server, Active Directory Server, XML Server (App Enumeration)]
With StoreFront Services, the XML broker no longer performs credential validation; the StoreFront Services server does. The StoreFront Services server must be a member of a domain so it can communicate with the next available Domain Controller. In a multi-domain infrastructure, the proper trust must be configured.

87 New Authentication System – Basics
[Diagram: message exchange between the client, Store Services, the Auth Service, Core, the User Directory and some other service (Trust). Message labels: “Do Something”; Denied (talk to Auth); Give me a token for Store; Denied (…); How do you want to login?; Login using ‘Generic Forms’; Fill in this form; Username=… Password=….; Give me a token for Auth; Here is a Token for Auth; Give me a token for Store; Here is a Token for Store; “Do Something”. Claims shown: “who you are”, “where you are”, “what device”.]
- Foundation for “always on” SmartAccess: claims-based approach covers “who you are”, “where you are”, “what device you’re using” etc.; input into policy decisions regarding access rights
- Foundation for CloudGateway, BYOID: link external BYO identities to corporate identities (AD or lightweight non-AD accounts); authenticate/federate in to corporate identity, apply access policies, federate out to SaaS etc.
- Foundation for mixed on-premise and cloud hosting: corporate authentication and access policies kept on premise; cloud hosted apps trust corporate auth / policy hub

88 Claim-based Authentication
- New authentication system based on WS-Federation = Identity Federation
- Also based on RFC 2617 “HTTP Authentication: Basic and Digest Access Authentication”
- It uses tokens to authorize Citrix Receiver to access Store and/or authentication services
- Authentication now takes place at the StoreFront Services server
WS-Federation is part of the Web Services Security framework, developed by BEA Systems, IBM, BMC Software, CA Inc., Layer 7 Technologies, Microsoft, Novell, Ping Identity and VeriSign.

89 New Auth System – remote with Access Gateway
[Diagram: remote access via Access Gateway. Components: AG, Store Services, Auth Service, Core, User Directory. Labels: EPA & Auth, SSO, Give me a token for Store, Present auth token]
Detect call is via AG and offer AG SSO as an auth method.
- Foundation for “always on” SmartAccess: claims-based approach covers “who you are”, “where you are”, “what device you’re using” etc.; input into policy decisions regarding access rights
- Foundation for Cloud Gateway, BYOID: link external BYO identities to corporate identities (AD or lightweight non-AD accounts); authenticate/federate in to corporate identity, apply access policies, federate out to SaaS etc.
- Foundation for mixed on-premise and cloud hosting: corporate authentication and access policies kept on premise; cloud hosted apps trust corporate auth / policy hub

90 Authentication Methods Available
Three authentication methods available on StoreFront Services:
- User name and password – e.g. Explicit
- Domain pass-through – e.g. Pass-through
- Pass-through from Citrix Access Gateway – e.g. Authentication “at Access Gateway”
No RSA, RADIUS or SafeWord available
No Kerberos / ADFS, Smart card available

91 Authentication Methods Available

92 Authentication – Receiver for Web
This is what the Receiver for Web authentication (username and password) looks like.

93 Authentication – Self-service (Explicit)
This is what the Self-service (or Windows Receiver) authentication (username and password) looks like.

94 Authentication – Domain Pass-through
- Only Windows domain-based machines
- Only available for Stores using Windows Receiver – self-service
- Not available on Receiver for Web via browsers
- Make sure to install Citrix Receiver 3.1 Enterprise Standard via command line – e.g. CitrixReceiver.exe /includeSSON
- Apply the GPO policy on client machine enabling Pass-through
- Add Store URL into the Local Intranet zone
- Ensure the SSONSVR.EXE is running
This is the checklist to deploy domain pass-through with StoreFront Services and Windows workstations.

95 Authentication – Access Gateway

96 Authentication – Access Gateway

97 Authentication – Access Gateway

98
3 Receiver for Web
[Diagram labels: Web Receiver, 3rd Party Web]
- Logically a Receiver like any other
- Talks to StoreFront Services over HTTPS
- Our implementation
- Static HTML + CSS + JavaScript
- Rich UI
- Same UI as all other receivers
- Designed to be modular & customizable
Receiver for Web behaves similarly to a XenApp Web site. However, instead of having its own ‘Server Farm’ configuration settings, it creates a ‘pointer’ to the Store already created on the server. The Store is the one that holds the XML broker information (for a XenApp/XenDesktop/AppController environment) and the Transport type used – e.g. SSL Relay, HTTPS or HTTP. Receiver for Web contains HTML, CSS and JavaScript code.

99 Update and Configuration
4 Update Service (Merchandising Server)
Multiple Solutions:
- Merchandising Server hasn’t gone away
- (Still) a separate appliance
- Integrates with Storefront Authentication for SSO
- Any other means
- Download from Web Receiver, Download from Citrix.com
- New! Provisioning files
- Tell Receiver about Storefront, Gateways, Beacons
The update service can work in conjunction with Merchandising Server to update Citrix Receiver on workstations and/or Store URL information. You can also deliver updated information to end-users with Citrix Receiver using provisioning files. The provisioning file contains the Store URL, Gateways and Beacon URLs that tell Citrix Receiver how to contact the StoreFront Services server and access the published content.

100 Merchandising Server Integration with StoreFront Services

101 Merchandising Server
- Allows IT Admins to deliver Citrix Receiver along with necessary plugins
- IT Admins can specify Store URL information
- Authentication will happen between StoreFront Services and Merchandising Server
When defining Rules on Merchandising Server, you can define the Store URL from StoreFront Services. You can also define whether or not users will be allowed to add stores manually. StoreFront Services and Merchandising Server integration will work with Citrix Receiver 3.1 (Updater).

102 Merchandising Server

103 Provisioning Files and Beacons

104 What is a Provisioning File?
- Contains information to tell Receiver how to connect to a Store
- File is in XML format with .CR extension
- File is available via Receiver for Web or can be distributed by other medium – e.g. email, Intranet site, etc.
Receiver for Windows 3.1 is the only Receiver (as of now) that can execute .CR files. Next year, Receiver for Mac (11.5?) will be able to execute .CR files.

105 Provisioning Files
[Diagram labels: Store Service, Auth Service, itdevstores.citrite.net, ftlagx.citrix.com, sjcagx.citrix.com, lonagx.citrix.com]
Store =
Gateway = ftlagx.citrix.com, “US-East”
Gateway = sjcagx.citrix.com, “US-West”
Gateway = lonagx.citrix.com, “EMEA”
Default = lonagx.citrix.com
Beacons
Internal =
External =
External =

106 Provisioning Files
This is an example of a Citrix Receiver 2.0 (Updater) that shows the multiple Access Gateway access points under Preferences > Network Settings. You can do the same with StoreFront Services and Citrix Receiver 3.1 along with Merchandising Server. Ideally, the majority of the features available on Merchandising Server will be integrated into StoreFront Services in future releases.

107
The provisioning file is comprised of:
- Store name – e.g. Apps
- Store address – e.g.
- Gateways. Only one AG can be the default – e.g.
- Other Gateways available for users to pick based on their location.
- Beacons: Internal and External URLs: Citrix Receiver will send GET requests and, based on the response, determine whether you are internal (LAN) or external (Internet).

108 Citrix Confidential - Do Not Distribute
What are the Beacons? Beacons are part of a provisioning file Used by Receiver plugin to determine its location relative to Gateways Beacons technology same from Citrix Merchandising Server Each beacon is a URL Two types of beacons available: Internal: A URL only accessible from inside the organization (i.e. inside the network protected by the Gateway). External: A publicly accessible URL - e.g. or the external address of the gateway. Citrix Confidential - Do Not Distribute

109 What are the Beacons?
To provide internal / external access to Stores, you must define one Internal Beacon URL and one External Beacon URL. If Stores are only available for internal use (LAN), you don’t need to configure Beacons.

110 How are Beacons Used?
Receiver identifies one of the following situations:
NONE – no network access
VPN – Gateway VPN client detected
LAN – inside the organization, no Gateway required
OUTSIDE – outside the organization, Gateway required
HOTSPOT – e.g. in a hotel with an inactivated paid network
Receiver sends a GET request to each beacon URL and treats an HTTP response status as success. If multiple external beacon URLs are redirected (status ) to the same location this is interpreted as the ‘HotSpot’ case.

111 Beacons Logic
Location         Beacons Accessible     Network Location
Office           Internal + External    LAN
Home             External               OUTSIDE
Internet Café                           OUTSIDE / HOTSPOT
* NOTE: If no beacons are configured for a Store, by default the network location will be LAN.
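The beacon rules from slides 110 and 111, written out as an added example (not Citrix code and not part of the original deck). The `Probe` type, the order of the checks, and the choice that a redirected GET never counts as success are assumptions, because the slides do not state which HTTP statuses Receiver accepts; all URLs are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Probe:
    """Result of one GET to a beacon URL (model assumed for this example)."""
    url: str
    success: bool                        # response the client accepts as success
    redirected_to: Optional[str] = None  # target if the GET was redirected instead


def hotspot(external: Sequence[Probe]) -> bool:
    """Slide rule: multiple external beacons redirected to the same location."""
    targets = [p.redirected_to for p in external if p.redirected_to]
    return len(targets) > 1 and len(set(targets)) == 1


def network_location(internal: Sequence[Probe], external: Sequence[Probe],
                     vpn_client: bool = False) -> str:
    """Map beacon results to NONE / VPN / LAN / OUTSIDE / HOTSPOT."""
    if not internal and not external:
        return "LAN"      # slide note: no beacons configured defaults to LAN
    if vpn_client:
        return "VPN"      # assumed precedence: a detected Gateway VPN client wins
    if hotspot(external):
        return "HOTSPOT"  # checked before LAN so a portal cannot pass as inside
    # Assumption: a redirected probe never counts as reaching the beacon.
    if any(p.success and not p.redirected_to for p in internal):
        return "LAN"
    if any(p.success and not p.redirected_to for p in external):
        return "OUTSIDE"
    return "NONE"


# Constructed beacon URLs and probe results, covering the rows of the table.
INT = "https://intranet.example.internal/"
EXT1, EXT2 = "https://gw-east.example.com/", "https://gw-west.example.com/"
PORTAL = "http://portal.hotel.example/login"

SCENARIOS = {
    "office": ([Probe(INT, True)], [Probe(EXT1, True), Probe(EXT2, True)]),
    "home": ([Probe(INT, False)], [Probe(EXT1, True), Probe(EXT2, True)]),
    "cafe_portal": ([Probe(INT, False, PORTAL)],
                    [Probe(EXT1, False, PORTAL), Probe(EXT2, False, PORTAL)]),
    "single_ext_portal": ([Probe(INT, False, PORTAL)], [Probe(EXT1, False, PORTAL)]),
    "offline": ([Probe(INT, False)], [Probe(EXT1, False), Probe(EXT2, False)]),
    "no_beacons": ([], []),
}


def run_scenarios() -> dict:
    return {name: network_location(i, e) for name, (i, e) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, location in run_scenarios().items():
        print(f"{name:18} -> {location}")
```

The `single_ext_portal` row shows why a second external beacon matters: with only one external URL the HotSpot rule can never fire, so a captive portal is reported as NONE.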

112 How to Deliver a Provisioning File?
With CloudGateway Express, we are introducing one-click setup. This capability enables users to easily configure native Receivers by clicking on a link on a web page, or importing a provisioning file sent to them via . These provisioning files will be automatically generated by the StoreFront services, or administrators can easily generate aggregated setups manually.

113
This provisioning file shows the Store address URL – - to Citrix Receiver for direct communication with the StoreFront server, with no AG involved. It also provides Access Gateway information in case the end-user is trying to access the Store externally from the Internet.

114
You can export the provisioning file from the StoreFront Services server and publish it on a Web site, make it accessible from a network share, send it over , etc.

115 StoreFront Services and XenApp / XenDesktop - Communication Flow

116 StoreFront Services Communication Components
StoreFront Services server = In charge of authentication, publishing content and creating launch.ica files
XML server = In charge of application enumeration
Data Collector = Contains the current load of XenApp servers
XenApp / VDI = Server / VDI hosting published content

117 StoreFront Services - Communication Flow
Diagram components: Client Device, StoreFront Services server, Active Directory Server, XML Server, Data Collector Server, XenApp Server.
1. The end-user hits the Receiver for Web site.
2. The user submits username/password information. If the user hits Receiver for Web via HTTP, anyone who can observe the traffic can easily capture the username, password and domain information.
3. The StoreFront server contacts the Active Directory server to verify the user credentials using the Kerberos protocol.
4. Once verified, the StoreFront server sends a ‘success’ response back to the end-user.
5. The end-user sends a request for the list of resources available.
6. The StoreFront server sends a Request App data to the XML broker for application enumeration.
7. The XML broker responds to the StoreFront Services server with the list of published content.
8. The StoreFront server sends a Request Capabilities to the XML broker.
9. The XML broker responds with those capabilities – e.g. launch reference, integrated authentication, etc.
10. The StoreFront server sends a Request App data for Icon data.
11. The XML broker responds with all the icon information for each published app.
12. Once all this information has been gathered by the StoreFront server, it is sent back to the end-user.
13. In the meantime, the StoreFront server also checks with the XML broker whether there are any disconnected or active sessions in the farm.
14. The XML broker contacts the Data Collector (via IMA) to find out if there are any disconnected/active sessions for the user.
15. The XML broker responds to the StoreFront server with any reconnect sessions.
16. If no reconnection happens, the end-user clicks on a published application – e.g. Calculator.
17. The StoreFront server sends a Request App data to request permissions and whether the app is Offline (streaming).
18. The XML broker responds with the permissions and offline data information.
19. The StoreFront server sends a Request Address to find which server in the farm is the least busy that can serve the app request.
20. The XML broker contacts the Data Collector (via IMA) to find the least busy server in the farm.
21. The Data Collector responds to the XML broker.
22. The XML broker sends the IP address of the XenApp server publishing the app.
23. The StoreFront server sends a Request Launch Reference ticket.
24. The XML broker contacts the XenApp server (via IMA) publishing the application to generate a launch reference ticket.
25. The XenApp server responds with the launch reference ticket.
26. The XML broker returns the launch reference ticket to the StoreFront server.
27. The StoreFront server sends a Request Ticket for the Logon Ticket.
28. The XML broker contacts the XenApp server (via IMA) publishing the application to generate a logon ticket.
29. The XenApp server responds with the logon ticket.
30. The XML broker returns the logon ticket to the StoreFront server.
31. The StoreFront server responds to the end-user with a ‘success’ message to generate a launch.ica file.
32. The end-user sends the StoreFront server a GET to /.ica file.
33. The StoreFront server generates the launch.ica file and returns it to the end-user.
34. Citrix Receiver installed on the end-user’s workstation processes the launch.ica file, initiates the connection and successfully launches the application.

118 CloudGateway Express - Features
These are some of the features available on CloudGateway Express. For a complete list of features, check Citrix eDocs.

119 Auto-provision Applications

120 Auto-provision Applications
Allows Administrators to pre-subscribe applications to users’ home screen.
Applies to published applications and desktops.
Tags – e.g. KEYWORDS:Auto and Featured.
Works for one-time subscription.
KEYWORDS:auto must exist under Application Description for Auto-provision to work. Auto-provision of apps only works when the user has never subscribed to the published app. Users can remove the auto-provisioned app from the home screen, but the app cannot be auto-provisioned again. To do that, you need to remove the subscription entry from the database itself. KEYWORDS:featured is a tag introduced with the Dazzle plugin. This tag allows Administrators to list applications under the Featured list of applications in the following Citrix Receivers: Android, iPhone/iPad, BlackBerry, Dazzle.

121 Change Password

122 Change Password Flow
Diagram labels: Internet, StoreFront Services, Active Directory Server, Kpasswd / 464, App Enumeration, XML Server.
With StoreFront Services, the XML broker no longer performs credential validation; the StoreFront Services server does it instead. The StoreFront Services server must be a member of a domain so it can communicate with the next available Domain Controller server. (Password change is no exception: StoreFront Services will contact the Domain Controller to request the password change.) If it’s a multi-domain infrastructure, the proper trust must be configured.

123 Change Password via StoreFront

124 Change Password via StoreFront

125 Change Password – Receiver for Web
Step-by-step view of what a password change looks like via Receiver for Web.

126 Change Password – Receiver for Web

127 Change Password - Self-service (Explicit)
Step-by-step view of what a password change looks like via Windows Receiver (Self-service).

128 Change Password - Self-service (Explicit)

129 Change Password - Active Directory Log
When a password change attempt is made, Active Directory creates a record in Event Viewer > Security Logs for audit purposes.

130 Legacy Mode - PNA

131 Legacy Mode
Available for environments that still require communication to PNA technology – e.g. Thin Clients, Citrix legacy clients, etc.
Enabling “Legacy Support” will create a config.xml file for a Store – e.g. ml
If enabled, the Store can be accessible with new Citrix Receivers (3.x) and/or Citrix Online Plugins (12.x).

132 Legacy Mode

133 Legacy Mode

134 Legacy Mode
No config.xml file!

135 Legacy Mode
For troubleshooting purposes, you can still access the config.xml file via browser. The file is dynamically rendered.

136 Legacy Mode
To show icons in the Desktop or Start Menu, you need to configure these settings via the Citrix Online plugin (legacy) under Properties, not from the StoreFront server.

137 Lab 2 – Legacy PNA Mode

138 Client Deployment

139 Client Deployment
New Plugin Assistant!
Enabled by default for new install.
Upgrade option is disabled by default.
No more client deployment options via Console.
Plugin Assistant is available at the Receiver for Web > Web.config file – e.g. c:\inetpub\wwwroot\Citrix\StoreWeb
Receiver for Java is not supported.
RDP client is not supported.
StoreFront Services 1.0 (formerly Receiver Storefront) supports client deployment for Windows and Mac workstations.

140 Client Deployment
Location - c:\inetpub\wwwroot\Citrix\StoreWeb\Web.config

141 Plugin Assistant – New Install
Only supports client download for Windows (IE, Firefox and Chrome) and Mac (Safari and Firefox).

142 Plugin Assistant – New Install

143 Plugin Assistant – New Install

144 Remember… ActiveX Control
Citrix ICA Client ActiveX Control gets installed and enabled on the IE browser. If Citrix ICA Client – ActiveX Control is disabled, StoreFront Services cannot detect the installed client. The ICA Client ActiveX control must be active for the client to be detected on IE browsers.

145 Remember… Extensions / Plugin
For Firefox 7 and Chrome 15, the Citrix ICA Client Extension / Plugin gets installed and enabled. If Citrix ICA Client – Extension / Plugin is disabled, StoreFront Services cannot detect the installed client. For Firefox, Safari and Chrome browsers, the Citrix ICA Client Plugin (or extension) must be enabled for the client to be detected.

146 Plugin Assistant – Upgrade
To enable the Upgrade option, modify the Web.config file value from ‘false’ to ‘true’.

147 Plugin Assistant – Upgrade
Only supports client download for Windows (IE, Firefox and Chrome) and Mac (Safari and Firefox).

148 Plugin Assistant – Upgrade

149 Lab 3 – Client Deployment

150 Workspace Control

151 Workspace Control
Workspace Control is available for both Stores and Receiver for Web.
Auto-reconnect to active / disconnected sessions is enabled by default.
By default, “Connect” and “Disconnect” buttons are not available in Receiver for Web.

152 Workspace Control – Store
Disconnect Apps available.

153 Workspace Control – Store
Disconnect Apps available. Closing Citrix Receiver will prompt the user to close all apps.

154 Workspace Control – Store
Disconnect Apps available. Closing Citrix Receiver will prompt the user to close all apps. Closing all apps will set the ICA sessions to “disconnected” state.

155 Workspace Control – Receiver for Web
Auto-reconnect to active / disconnected apps is enabled by default. Terminating active sessions at log off is enabled by default. Workspace Control settings are available in the Receiver for Web Web.config file.

156 Workspace Control – Receiver for Web
Reconnect / Disconnected buttons disabled. Reconnect / Disconnected buttons enabled.

157 Workspace Control – Receiver for Web
To enable the Reconnect / Disconnect buttons, modify the web.config file under Receiver for Web.

158 Workspace Control – Receiver for Web
Remember… For Internet Explorer browsers, add the site to Trusted Sites or Local Intranet. For Internet Explorer, Chrome, Safari or Firefox browsers, make sure the ActiveX control, extension or plugin is enabled.

159 Lab 4 – Workspace Control

160 Branding / Customization

161 Customization
No UI customization via Console.
CSS customization: contrib\custom.style.css
JavaScript customization: contrib\custom.script.js
String customization: contrib\custom.wrstrings.<lang-code>.js
New language pack: load extra culture files in custom.script.js
Customization is not available for the Windows Receiver (Self-service) UI on StoreFront Services 1.0 (formerly Receiver Storefront).

162 Example - Customization

163 Example - Customization
Open and modify the Custom.Style.css file. Add the rule: body {background-image:none; background-color:black}

164 Lab 5 – Branding / Customization

165 Troubleshooting

166 Event Logs
StoreFront Services records events in Event Viewer on Windows.
It is no longer under Event Viewer > Applications.
New location: Event Viewer > Applications and Services Logs > Citrix Delivery Services

167 Useful Tools
Microsoft Event Viewer, IIS Logs, Microsoft .NET tracing, Microsoft DebugView, Fiddler, Live HTTP Headers, Wireshark, Microsoft NetMon

168 Q&A

169

