Configure Citrix Gateway Session Policies for StoreFront
This article describes how to configure a Citrix Gateway domain only authentication with StoreFront for users who are using Citrix Workspace app or a web browser.
Minimum requirements
Citrix StoreFront 2.x or 3.0
Citrix ADC 10.5 and higher
Citrix Workspace app for Windows 4.x
Citrix Workspace app for Mac 11.8
Web browser (Citrix Workspace app for Web)
Authentication configured on the Citrix ADC appliance as outlined in CTX108876 - How to Configure LDAP Authentication on a Citrix ADC appliance
SSL Certificates configured for StoreFront Server and Citrix Gateway. For details on the following topics, seeStoreFront Documentation.
- Install and set up for StoreFront 2.6
Windows 2012 Server Certificates
To add an SSL binding to a site
Installing and Managing Certificates for Citrix ADC appliance 10.5
Configure Citrix Gateway with StoreFront
Create a session policy for web browser based access
To create session policy, navigate toCitrix Gateway > Policies > Session.
In theSession Policiesfield, clickAdd.
In theNamefield, type the name of the Session Policy. For example, Web_Browser_Policy.
![Add session policy]()
Type in the name of the new Session Profile in theConfigure Citrix Gateway Session Profilewindow.
![Session policy details]()
You can check theOverride Globalcheck boxes under all tabs to overwrite the inherited values from the global Citrix Gateway parameters. In the configuration example, details about only the mandatory parameters are included.
In theClient Experiencetab, enable the following settings:
Clientless Access: set toOn
Single sign-on to Web Application: Select the check box
Plug-in Type: Set toWindows/MAC OS X
![Client experience tab settings 1]()
In theSecuritytab, enableDefault Authorization Actionsand set it toALLOW.
![Security tab settings]()
In thePublished Applicationtab, enable the following settings:
ICA Proxy: Set to ON.
Web Interface Address: FQDN of the StoreFront server followed by the path to the store for web
Single Sign-on Domain- NetBIOS name for the domain
![Published applications tab settings]()
ClickCreate.
If you are using a Classic Policy expression, in theExpressionfield, add the following information and clickCreate.
REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver![Classic policy sample]()
If using an Advanced Policy expression, in theExpressionfield, add the following information and clickCreate.
HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT![Advanced policy sample]()
This policy is needed for the Citrix ADC to differentiate between web browser based and Citrix Workspace app based connections. This policy is applied to web browser based connections.
Create a session policy for Citrix Workspace app for Windows or Mac, and Mobile Devices on Citrix Gateway
Navigate toCitrix Gateway > Policies > Session.
In theSession Policiesfield, clickAdd.
In theNamefield, type the name of the session policy. For example, Receiver_Policy.
![Add session policy]()
Type in the name of the new session profile in theConfigure Citrix Gateway Session Profilewindow.
![Session policy details]()
In theClient Experiencetab, enable the following settings:
Home Page: Set toNone
Split Tunnel: Set toOFF
Clientless Access: Set toOn
Single Sign-on to Web Application: Select the check box
Plug-in Type: Set toJava
![Client experience tab settings]()
In theSecuritytab, setDefault Authorization ActionstoALLOW.
![Security tab settings]()
In thePublished Applicationtab, enable the following settings:
ICA Proxy: Set to ON.
Web Interface Address:FQDN of the StoreFront server followed by the path to the store
Single Sign-on Domain:NetBIOS name for the domain
Account Services Address:Enter the account services address. The last back slash is important. For example,
https://accounts.example.com/Citrix/Roaming/Accounts
![Published Application tab settings]()
ClickCreate.
If using a Classic Policy expression, in theExpressionfield, add the following information and clickCreate.
REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver![Classic policy sample]()
If using anAdvanced Policy expression, in theExpressionfield, add the following information and clickCreate.
HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver")![Advanced policy sample]()
This policy is needed for the Citrix ADC to differentiate between the web browser based and Citrix Workspace app based connections. This policy is applied for Citrix Workspace app based connections.
Configure authentication on the Citrix ADC appliance
For information about configuring LDAP authentication on a Citrix ADC appliance, seeConfiguring LDAP Authentication.
Create Citrix Gateway virtual server and bind the session policies
Navigate toCitrix Gateway > Virtual Serverand clickAddto add a new virtual server.
After the virtual server is created, bind the specific session policy to the virtual server based on your company’s requirements.
Configure authentication for StoreFront
Enable the pass-through authentication from Citrix Gateway on StoreFront. For more information, seeConfigure the authentication service.
StoreFront must trust the issuer of the Citrix Gateway virtual server’s bound certificate (Root and or Intermediate certificates) for the Authentication Callback service.
Add Citrix Gateway to StoreFront. For more information, seeAdd a Citrix Gateway connection.
门户URL必须完全匹配的sers are typing into the web browser address bar.
Enable remote access on the StoreFront store. For more information, seeManage remote access to stores through Citrix Gateway.