Let’s suppose you would like to make a single URL available for your users to reach a StoreFront store from both the internal corporate network and external public networks.
To accomplish this, I assume you already have StoreFront and a NetScaler in place.

This type of setup requires an SSL certificate that covers all of the FQDNs involved (either through subject alternative names or simply a wildcard certificate), with an exportable private key so that it can be imported onto the NetScaler appliance.
The certificate must cover the URLs explained below.

To go further, we need to decide on the FQDNs to work with. Let’s suppose that our intention is to use the following URLs:
External DNS (URL accessed by users from public networks): Example: “login.envokeit.com” (this resolves to the public NetScaler Gateway vServer VIP)
Internal DNS (URL accessed by users from the corporate network): Example: “login.envokeit.com” (this resolves to the StoreFront load balancer, or to the single StoreFront server IP if no StoreFront cluster is available)
An internal callback URL: Example: “ns-callback.envokeit.com”, which should resolve to an internal gateway vServer VIP located on the NetScaler. Make sure that you have an extra gateway VIP for this purpose. This URL is also configured in StoreFront’s NetScaler Gateway authentication settings, as in the screenshot below.

[Screenshot: callback-nsns]

Finally, we need an additional internal URL, “accounts.envokeit.com” (a DNS alias for login.envokeit.com), that resolves to the load balancer IP for the StoreFront cluster or to the single StoreFront server IP.

So here are all three URLs we need:

login.envokeit.com (resolves to the load balancer IP for the StoreFront cluster, or to the single StoreFront server IP, from the internal network, and to the NetScaler Gateway vServer VIP from public networks). This is also the base URL on StoreFront.
ns-callback.envokeit.com (resolves to the internal gateway vServer VIP located on the NetScaler).
accounts.envokeit.com (a DNS alias for login.envokeit.com) that resolves to the load balancer IP for the StoreFront cluster, or to the single StoreFront server IP if you are using just one StoreFront server.

Make sure that split DNS (split-horizon DNS) is configured correctly: the source address of the DNS request determines which A record the client is given.
When clients roam between public and corporate networks their IP address changes with the network they are currently connected to, and they must receive the correct A record whenever they query login.envokeit.com.

We face two different scenarios depending on which gateway mode we prefer to use: Basic “ICA Proxy” or SmartAccess “cVPN” (clientless VPN).

cVPN NetScaler Configuration Case

If you use SmartAccess, enable SmartAccess mode in the NetScaler Gateway vServer properties. Universal Licenses are required for every concurrent user who accesses remote resources.

Make sure ICA Only is not ticked
[Screenshot: ica-proxy-ns]

cVPN – Configure a native Receiver session profile with the following settings:

Client Experience tab:

Clientless Access: ON
Client Access URL Encoding: Clear
Clientless Access Persistent Cookie: ALLOW
Plug-in Type: Windows/Mac OS X

Published Applications settings:

ICA Proxy: OFF
Web Interface Portal Mode: NORMAL
Single Sign-On Domain: envokeit
Account Services Address: https://accounts.envokeit.com/Citrix/Roaming/Accounts

Also add the accounts alias “https://accounts.envokeit.com/” (the origin of the Account Services address above) as an additional entry in the <allowedAudiences> section of the authentication and roaming web.config files on each StoreFront server, located at C:\inetpub\wwwroot\Citrix\Authentication\web.config and C:\inetpub\wwwroot\Citrix\Roaming\web.config:

<allowedAudiences>
    <add name="https-login.envokeit.com" audience="https://login.envokeit.com/" />
    <add name="https-accounts.envokeit.com" audience="https://accounts.envokeit.com/" />
</allowedAudiences>
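A small audit script for that web.config edit, added here as an example (it is not part of the original post and not Citrix code). It parses a constructed, minimal stand-in for the StoreFront web.config, reports which of the required audiences are missing, and appends the missing entry in the same name/audience format as the snippet above. The parent elements around <allowedAudiences> in the sample are an assumption, which is why the element is located by name rather than by a fixed path, and audiences are compared by origin (scheme plus host), the form the snippet uses.

```python
"""Audit and amend the <allowedAudiences> list in a StoreFront web.config.

Added example, not part of the original post and not Citrix code. The
web.config below is a constructed, minimal stand-in: a real StoreFront
web.config is far larger and the parent elements of <allowedAudiences>
used here are an assumption, so the code finds the element by name
(.//allowedAudiences) rather than by a fixed path. Audiences are compared
by origin (scheme + host), which is the form the post's snippet uses.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the login audience is present, the accounts alias is not.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <citrix.deliveryservices>
    <allowedAudiences>
      <add name="https-login.envokeit.com" audience="https://login.envokeit.com/" />
    </allowedAudiences>
  </citrix.deliveryservices>
</configuration>
"""

# Every URL a client may present as the request host for this deployment.
REQUIRED_AUDIENCES = [
    "https://login.envokeit.com/",
    "https://accounts.envokeit.com/Citrix/Roaming/Accounts",
]


def origin(url: str) -> str:
    """Normalise an audience to 'https://host/' (lower-cased host, no path)."""
    p = urlsplit(url.strip())
    if p.scheme.lower() != "https" or not p.netloc:
        raise ValueError(f"audience must be an absolute https URL: {url!r}")
    return f"https://{p.netloc.lower()}/"


def _audiences_node(root: ET.Element) -> ET.Element:
    node = root.find(".//allowedAudiences")
    if node is None:
        raise ValueError("no <allowedAudiences> element in this web.config")
    return node


def list_audiences(xml_text: str) -> list[str]:
    """Audience values exactly as written in the file, in document order."""
    node = _audiences_node(ET.fromstring(xml_text.encode("utf-8")))
    return [e.get("audience") for e in node.findall("add") if e.get("audience")]


def missing_audiences(xml_text: str, required: list[str]) -> list[str]:
    """Entries of `required` whose origin is not yet an allowed audience."""
    present = {origin(a) for a in list_audiences(xml_text)}
    return [u for u in required if origin(u) not in present]


def add_audience(xml_text: str, url: str) -> str:
    """Return the web.config with the origin of `url` allowed (no-op if present)."""
    if not missing_audiences(xml_text, [url]):
        return xml_text
    root = ET.fromstring(xml_text.encode("utf-8"))
    entry = ET.SubElement(_audiences_node(root), "add")
    aud = origin(url)
    entry.set("name", f"https-{urlsplit(aud).netloc}")  # same naming scheme as the post
    entry.set("audience", aud)                            # trailing slash, as in the post
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("missing:", missing_audiences(SAMPLE_WEB_CONFIG, REQUIRED_AUDIENCES))
    fixed = add_audience(SAMPLE_WEB_CONFIG, REQUIRED_AUDIENCES[1])
    print("after fix:", missing_audiences(fixed, REQUIRED_AUDIENCES))
```

Run it against both web.config files on every StoreFront server in the cluster; a host that is missing from <allowedAudiences> is rejected even when DNS and the gateway session profile are correct, so the check belongs in the same change as the DNS alias.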

 

cVPN – Configure a Receiver for Web session profile with the following settings:

cVPN mode with StoreFront Receiver for Web is not supported by Citrix, although you can make it work with a workaround. In this case let’s stick to the scenario supported by Citrix.

ICA Proxy NetScaler Configuration Case

Make sure ICA Only is ticked

[Screenshot: ica-proxy-ns-2]

ICA Proxy – Configure a native Receiver session profile with the following settings:

Client Experience tab:

Clientless Access: OFF
Client Access URL Encoding: Clear
Clientless Access Persistent Cookie: DENY
Plug-in Type: Java

Published Applications settings:

ICA Proxy: ON
Web Interface Address: https://login.envokeit.com
Web Interface Portal Mode: NORMAL
Single Sign-On Domain: envokeit
Account Services Address: https://login.envokeit.com

ICA Proxy – Configure a Receiver for Web session profile with the following settings:

Client Experience tab:

Home Page: https://login.envokeit.com/Citrix/EnvokeITAppStoreWeb
Clientless Access: OFF
Client Access URL Encoding: Clear
Clientless Access Persistent Cookie: DENY
Plug-in Type: Windows/Mac OS X

Published Applications settings:

ICA Proxy: ON
Web Interface Address: https://login.envokeit.com/Citrix/EnvokeITAppStoreWeb
Web Interface Portal Mode: NORMAL
Single Sign-On Domain: envokeit

Citrix Receiver attempts to contact beacon points and uses the responses to determine whether users are connected to corporate internal or public networks. When a user accesses a published desktop or application, the location information is passed to the server providing the resource so that appropriate connection details can be returned to Citrix Receiver. This ensures that users are not prompted to log on again when they access a published desktop or application.

Now we need to manually set the internal beacon to the accounts alias (accounts.envokeit.com); it must not be resolvable from outside the gateway. This FQDN must be distinct from the external beacon, which is shared by the StoreFront base URL and the NetScaler Gateway vServer (login.envokeit.com). DO NOT use the shared FQDN: that makes the internal and external beacons identical and causes Receiver enrollment issues.
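The three-URL plan, the split-DNS requirement and the beacon rule above all have to agree with each other, so here is a consistency check for them, added as an example that is not part of the original post and not Citrix code. The two dicts stand in for the A records returned by the internal and the public resolvers (in practice you would fill them by querying each resolver from both networks), and the VIP addresses are constructed placeholders, not values from the post. It flags the situation the paragraph warns about (internal beacon set to the shared FQDN), an accounts alias that leaked into public DNS, and a base URL that resolves identically from both sides, which means split DNS is not actually in effect.

```python
"""Sanity-check the split-DNS and beacon plan for a single-URL
StoreFront + NetScaler Gateway setup.

Added example, not part of the original post and not Citrix code. The
addresses are constructed placeholders, and the two "views" are dicts that
stand in for the A records returned by the internal and the public DNS
resolvers; in a real check you would fill them by querying each resolver.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from urllib.parse import urlsplit

# Constructed placeholder addresses (assumptions, not values from the post).
STOREFRONT_VIP = "10.10.20.10"        # StoreFront load balancer or single server
CALLBACK_VIP = "10.10.20.20"          # extra internal gateway vServer VIP for the callback
PUBLIC_GATEWAY_VIP = "203.0.113.10"   # public NetScaler Gateway vServer VIP

# A records as seen from inside the corporate network ...
INTERNAL_VIEW = {
    "login.envokeit.com": STOREFRONT_VIP,
    "accounts.envokeit.com": STOREFRONT_VIP,
    "ns-callback.envokeit.com": CALLBACK_VIP,
}
# ... and from the public internet: only the shared FQDN exists out there.
EXTERNAL_VIEW = {
    "login.envokeit.com": PUBLIC_GATEWAY_VIP,
}


def host_of(url: str) -> str:
    """FQDN of an https URL, lower-cased, without a trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


@dataclass(frozen=True)
class Plan:
    base_fqdn: str                     # StoreFront base URL and public gateway FQDN
    accounts_fqdn: str                 # internal DNS alias for the base URL
    callback_fqdn: str                 # internal gateway callback FQDN
    storefront_vip: str                # where the base URL must point internally
    internal_beacon: str               # https URL set as the StoreFront internal beacon
    external_beacons: tuple[str, ...]  # https URLs set as external beacons


GOOD_PLAN = Plan(
    base_fqdn="login.envokeit.com",
    accounts_fqdn="accounts.envokeit.com",
    callback_fqdn="ns-callback.envokeit.com",
    storefront_vip=STOREFRONT_VIP,
    internal_beacon="https://accounts.envokeit.com",
    external_beacons=("https://login.envokeit.com",),
)
# The mistake the post warns about: internal beacon set to the shared FQDN.
BAD_PLAN = replace(GOOD_PLAN, internal_beacon="https://login.envokeit.com")


def check_plan(plan: Plan, internal: dict[str, str], external: dict[str, str]) -> list[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: list[str] = []
    base_in, base_out = internal.get(plan.base_fqdn), external.get(plan.base_fqdn)

    # 1. Shared FQDN: StoreFront inside, gateway outside, so the two answers must differ.
    if base_in != plan.storefront_vip:
        problems.append(f"{plan.base_fqdn} must resolve to the StoreFront VIP {plan.storefront_vip} internally")
    if base_out is None:
        problems.append(f"{plan.base_fqdn} must resolve from public DNS to the gateway VIP")
    elif base_out == base_in:
        problems.append(f"{plan.base_fqdn} resolves identically in both views; split DNS is not in effect")

    # 2. Accounts alias: same internal answer as the base URL, and absent from public DNS.
    if internal.get(plan.accounts_fqdn) != base_in:
        problems.append(f"{plan.accounts_fqdn} must be an alias of {plan.base_fqdn} in internal DNS")
    if plan.accounts_fqdn in external:
        problems.append(f"{plan.accounts_fqdn} must not be resolvable from public DNS")

    # 3. Callback: resolvable internally, on a gateway VIP of its own.
    callback = internal.get(plan.callback_fqdn)
    if callback is None:
        problems.append(f"{plan.callback_fqdn} must resolve in internal DNS")
    elif callback in (plan.storefront_vip, base_out):
        problems.append(f"{plan.callback_fqdn} needs its own internal gateway VIP, not {callback}")

    # 4. Beacons: internal beacon distinct from every external beacon and from the
    #    base URL, resolvable only inside; external beacons resolvable from outside.
    ib = host_of(plan.internal_beacon)
    ebs = {host_of(u) for u in plan.external_beacons}
    if ib in ebs or ib == plan.base_fqdn:
        problems.append("internal beacon must not share an FQDN with an external beacon or the base URL")
    if ib not in internal:
        problems.append(f"internal beacon {ib} must resolve in internal DNS")
    if ib in external:
        problems.append(f"internal beacon {ib} must not resolve from public DNS")
    problems.extend(f"external beacon {h} must resolve from public DNS" for h in sorted(ebs - set(external)))
    return problems


if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_plan(plan, INTERNAL_VIEW, EXTERNAL_VIEW) or "OK")
```

Populate the two views from a resolver on the corporate LAN and one on the public internet (a roaming laptop on a mobile hotspot is the realistic test client); if the internal beacon FQDN ever appears in the public view, Receiver will decide it is always inside and skip the gateway.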

[Screenshot: beacons-sf]


Don’t forget to enable remote access for the store.
That’s it 🙂