Self Service Plugin / StoreFront / Merchandising Server / Citrix Access Gateway (Part3)


Welcome back. In this part I’m going to talk about the configuration between the CAG and the StoreFront server. While I’m typing this blog there are some new releases. First of all, the new version of Receiver StoreFront is v1.1, and there are new Citrix Receiver clients for OSX and Windows. All of my testing is done with the new versions (as of April 2012).

I want to point out that this blog covers how to configure StoreFront and the CAG (VPX) without the Self Service Plug-In (that blog comes later). What I’m going to show is how users connect to the environment with a web browser (so only the StoreFront StoreWeb site).

The CAG is using two network adapters: one connected to the internet and one connected to the internal LAN. (And of course you should use a firewall between the LAN and DMZ, but that one is not present here.) Here’s the NIC configuration of the CAG:


UPDATE: Change the CAG hostname to the name on the certificate.

Now we create an LDAP authentication profile. I want my users to authenticate at the CAG and to pass these credentials through to the StoreFront Express server. Here’s my configuration:


Now we are going to create a basic logon point which shows the StoreFront StoreWeb website.


And the Website Configuration:


Don’t forget to tick the SSO checkmark, and don’t tick the “Authenticate with Web Interface” checkmark, because we want to authenticate at the CAG.

Now we switch over to the StoreFront Express machine and open the Citrix Receiver StoreFront Management Console.

In the authentication section we can choose 3 types of authentication. In this scenario only 1 is used. Enable the Pass-through from Citrix Access Gateway method.


And add a trusted domain, in my case the LAB domain. If you want to create a website for the internal users, then enable the: User name and password method.

I’m assuming that the Store is already configured. So go to the beacons section. Add some external beacons. Beacons are used to determine if users are in an internal or external LAN.


Go to the Gateways section and add the Gateway Server.

The name must match the name configured at the CAG and must match the name on the SSL certificate. The gateway url is the logon point we created in the CAG. In my case the logon point has the name: lab


The silent authentication is to authenticate users from an external network. Give the FQDN of your CAG here.


The StoreFront Express server must access the CAG on the internal NIC by its FQDN. So update your DNS or (in my case) edit the HOSTS file on the StoreFront Express server.

Go to the Stores section and enable Remote Access on your Store. Select your Gateway server.


Now we have a fully functional StoreFront Express website which is accessed through the CAG. Users authenticate at the CAG and are then taken to the StoreWeb website. This is the same way the old Citrix Secure Gateway and Web Interface worked. Keep in mind that I didn’t enable the pnagent xml file and the discovery/activation file isn’t working. So my Self Service Plugin generates an error.

If you receive this error: (Cannot complete your request. Could not log off from Access Gateway. Please close your browser to log off.)


Then don’t forget: The StoreFront Express machine needs to access the CAG at its internal NIC by its FQDN (change DNS or edit HOSTS file).
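The naming and name-resolution requirements above (CAG hostname, StoreFront gateway name, certificate name, and the CAG FQDN resolving to the internal NIC) can be checked together before testing logons. The following Python script is an added example, not part of the original post; the host names, addresses and HOSTS content are constructed lab values, and `check_gateway` and its helpers are hypothetical names.

```python
import ipaddress

# Constructed sample data (lab values, not taken from the original post).
HOSTS_TEXT = """\
# C:\\Windows\\System32\\drivers\\etc\\hosts on the StoreFront server
127.0.0.1      localhost
192.168.10.5   cag.lab.example   # CAG internal NIC
"""

def parse_hosts(text):
    """Return {lower-case name: IP}; this parser keeps the first entry per name."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table

def cert_covers(name, cert_names):
    """True if name equals a certificate name or matches a one-label wildcard."""
    name = name.lower()
    for pattern in (p.lower() for p in cert_names):
        if pattern == name:
            return True
        if pattern.startswith("*.") and "." in name:
            if name.split(".", 1)[1] == pattern[2:]:
                return True
    return False

def check_gateway(cag_hostname, gateway_url_host, cert_names, hosts_text, internal_net):
    """Return a list of findings; an empty list means the settings agree."""
    findings = []
    if "." not in cag_hostname:
        findings.append("CAG hostname is not an FQDN")
    if cag_hostname.lower() != gateway_url_host.lower():
        findings.append("StoreFront gateway name differs from CAG hostname")
    if not cert_covers(gateway_url_host, cert_names):
        findings.append("certificate does not cover the gateway name")
    ip = parse_hosts(hosts_text).get(gateway_url_host.lower())
    if ip is None:
        findings.append("no HOSTS entry for the gateway name")
    elif ipaddress.ip_address(ip) not in ipaddress.ip_network(internal_net):
        findings.append("gateway name resolves outside the internal network")
    return findings

if __name__ == "__main__":
    # Short hostname on the CAG versus FQDN in StoreFront: two findings expected.
    for finding in check_gateway("cag", "cag.lab.example", ["*.lab.example"],
                                 HOSTS_TEXT, "192.168.10.0/24") or ["OK"]:
        print(finding)
```

If DNS is used instead of the HOSTS file, replace the `parse_hosts` lookup with the address the StoreFront server actually resolves for the gateway name.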

In part 4 I’m going to enable the Self Service Plugin with the StoreFront and CAG. At the moment, this is not working like it should, so please be patient.

Part 1:

Part 2:

31 thoughts on “Self Service Plugin / StoreFront / Merchandising Server / Citrix Access Gateway (Part3)

  1. Hi Jeroen.

    Great blog ! Some really helpful information in there.
    I was wondering about the progress you’re making with part 4 (self service and StoreFront).
    I’m trying to get this to work myself, but have some problems.

    I installed Receiver 3.2 on Windows 7. Filled in the URL to the Store (Receiver StoreFront 1.1). In the system tray click right on the Receiver icon and choose ‘Open’. Now the ‘built in’ self service part of Receiver starts and tries to connect to the store.
    It takes a while (It says Connecting…). After a while I always get the message ‘There are no apps available ….’. Even if I try to connect with the built in Administrator account of Windows 7.

    If I use the Receiver for Web (Storeweb URL in the browser) everything works fine. So store configuration looks OK.

    Have you any idea what the problem might be ?

    1. Chris, I’ve got the same problems. Can’t get it to work. It frustrates me 😉 But local (on the LAN) it works like a charm. But over the WAN through the CAG it doesn’t.

      1. Hi Jeroen.
        I can’t get it to work over the LAN.
        Windows 7, StoreFront, XA and XD all in the same VLAN.

        Trying to get it to work via Access Gateway 5.0 VPX would be the next step.

      2. Hi Jeroen.

        I have the combination Native Receiver, Access Gateway VPX, Storefront 1.1, XA/XD working. Receiver is configured with 1 URL and works from the LAN (direct access to Storefront) and from the internet (access via Access Gateway). Receiver goes through Access Gateway only if needed. Cool !

        There is one ‘mis-configuration’ in your post ‘Self Service Plugin / StoreFront / Merchandising Server / Citrix Access Gateway (Part3)’. In the configuration of the website on the Access Gateway you configure the Address ‘http://storefront.lab.local/citrix/storeweb’. This should be ‘http://storefront.lab.local’. The home page is configured correctly.

        I’ve got this input from a great post on the Citrix forum:

        Second point is that you should configure your Receiver 3.2 (with the built in SSP) via the Receiver for Web. So go to http://storefront.lab.local/citrix/storeweb and click the Activate button. This configures not only the Receiver with the right store. It also configures the Receiver with Access Gateway options. These Access Gateway options can’t be configured via Receiver or Merchandising. See the same post on the Citrix forum.

        Hope you find the time to test this and continue with part 4 of this helpful BLOG

        1. Got it working. I had already tried everything (including changing the address). Upgrading the receiver from 3.1 to 3.2 solves the problem.

          Part 4 is coming soon 😉 Thanks for the help Chris.

  2. Do you have the correct authentication profiles enabled (enable all for testing). Then fill in the correct beacons. Go to the receiver for storefront website and use the activate button on the left bottom.

    Edit 1: In this blog post I only enabled the passthrough from the CAG, but for internal access you need to enable the: Username and password.

    Edit 2: My store url for internal citrix receivers is: https://fqdn_storefront_server/citrix/store/discovery
    If you want, I can make a blog post about this. 😉

  3. Jeroen,

    Great article! Helped me coming closer and closer to my endlosung…
    But where I am stuck is this:

    Used the CAG 5 VPX on the DMZ and Citrix Receiver Storefront on the LAN, and of course my XenApp server. When setting up the CRS on the LAN everything works like a charm, logging on to the portal and using the apps.
    The problem comes when using the CAG. When I logon to the CAG as a user from outside I can also logon to the CSR portal. But when I try to open an app nothing happens. The circle of loading the app circles around but that’s basically it.
    I have redone the entire setup over and over, used http instead of https on the CSR (maybe it’s an SSL thing), with basic or smartportals, nothing works.
    Do you have any clue as in what that could be?


    1. Sjoerd, do you open the app in the website or from the citrix receiver itself (self service)? Is ‘remote access’ enabled? And can the storefront server access the CAG on the FQDN and does it point to the internal IP address of the CAG?

  4. Sjoerd, do you open the app in the website or from the citrix receiver itself (self service)? From the storefront website that is provided through the CAG.
    Is ‘remote access’ enabled? Yep
    And can the storefront server access the CAG on the FQDN and does it point to the internal IP address of the CAG? Yes remote and local the CAG can be accessed, but the Storefront server accesses the CAG using the internal IP from the LAN side of the CAG.

  5. Hi Sjoerd.

    The configuration of Storefront / AG / Receiver is pretty ‘straight forward’, but it listens very close. So one very small detail configured wrong and everything stops.

    If you logon to Storefront from the LAN everything works. You can logon, and apps start.
    If you logon to the AG, you can logon, you see the apps, but the apps don’t start.

    Can you give some more details on the configuration of your AG ? Configuration of the logon point ?
    Configuration of XenApp and XenDesktop (within the AG) ?
    Of course you can give dummy names and IP addresses 😉

      1. Hi Sjoerd.
        Very detailed overview of your configuration. I looked through it in a glimpse, but will study it in more detail later on.
        Two points of interest:
        You’ve configured AG with one interface in DMZ and the other in LAN. That’s not the way I did it. I have both interfaces in DMZ. Communication from AG (in DMZ) to Storefront (in LAN) is via the firewall. This setup is easier, because there is no discussion on where the gateway (from the AG 😉 should be (in your case the gateway is in DMZ, in my case the gateway is in DMZ (like all the other interfaces)).
        So you could try to change the gateway to an address in LAN and see what happens, or try it with the easier configuration as I did. Once this easier configuration works you can start playing around with interfaces on the AG.

        You configured the Storefront to use HTTP (port 80). At the end of the document you say the firewall between AG and Storefront is HTTPS (port 443). Is this a typo or…
        If you use the AG in the way you do, there is no need for a hole in the firewall between DMZ and LAN. The AG has one leg in DMZ and one leg in LAN and can ‘bypass’ the firewall (send traffic from DMZ to LAN). You also have to make sure that ‘return traffic’ from your Storefront doesn’t end up in your firewall, because the firewall doesn’t know where the initial traffic came from. The initial traffic never passed the firewall and the firewall will drop the ‘return traffic’.
        If you go for the easier setup I used, then you do need the hole in the firewall and in your case it should be port 80.

        Maybe this points you already in the right direction.

        1. Hi Chris,

          Exactly. The CAG must reside in the DMZ with both NIC’s. Then the default gateway should be the internet facing NIC and the LAN traffic should go over the other NIC making use of the Static Routes in the CAG.

      2. EDIT: Oops you already did this, I read over it 😉

        Hi Sjoerd,

        Thanks for the very detailed information.

        Two things:

        1. Do you have the STA (Secure Ticket Authority) configured in the CAG?
        2. Is ICA ACL configured in the CAG?

        I will try to make screenshots ASAP.


        The IP: is my XenApp Data Collector. Adding the STA the fastest way to get everything working is just reboot the CAG 😉 Check if the identifier is present after the reboot. 😉


        The to is just for testing purpose.. 😉
        ICA ACL

        1. Thanks guys! I will test some more this weekend or next monday/tuesday. Tomorrow it’s one meeting after the other.
          I will setup the AG with the both-nix-in-DMZ scenario, open up the firewall and try again. Also much more secure and have a better feeling about that.


  6. OK, I just put the CAG with both NICs in the DMZ. Opened up a lot of holes in the Firewall. Check the doc:

    However that still did not solve the issue.
    When I click on one of the apps the little circle, circles and then… nothing. Grrr.
    Also no .ica file is being delivered.
    If I use Chrome however it redirects me to the error “Cannot complete your request. You can log on and try again, or contact your help desk for assistance. Could not log off from Access Gateway. Please close your browser to log off.”

    I’m clueless at this point.

    1. Just proved it to be a CAG thing, because on another DMZ webserver (on the same network as the CAG, with access to port 80 from Storefront) I can successfully logon.
      Any help would be really appreciated!

      1. I did some research and noticed that people that have this issue use HTTPS on the storefront. That was my first approach but this failed on the certificate.
        Just reinstalled the storefront server with SSL and bought a new SSL certificate because I was thinking that it just could be an SSL thing. That the CAG NEEDS https to the storefront server.
        Now I got this working but still have the same problem as described above.
        I turned on the logging on the firewall and what I notice is that everyone is mentioning that the storefront server needs to access the CAG on the internal ip, yet I do not see this traffic passing the firewall.
        This is the logging:

        1. Sjoerd,

          What I did:

          1. Install a certificate authority server in the LAN;
          2. Request a certificate for the SF server on the local certificate server;
          3. Now the local LAN users can access the SF server by HTTPS;
          4. Import the root certificate from the ca into the CAG;
          5. Now the CAG trusts certificates from the local CA and can access the SF by HTTPS.

          Hope this gives you a kick in the right direction.

          If this is the solution, I will update/extend my post 😉

  7. It’s not just the SSL certificates for the CAG, keep in mind that for using the CAG, your Receiver for Web will authenticate credentials as well with the CAG. This is set up through the silent authentication and uses HTTPS. The certificate of the CAG must therefore be installed on the StoreFront server as well (in the local computer physical store).

    At least that solved my issues.

    1. But if you use an official certificate on the CAG then the SF server will normally accept the CAG certificate. For the certificate on the SF server, just create your own by a local CA.

  8. I have an official certificate on the CAG and SF server. Both from a different vendor. The CAG has a wildcard certificate and because I thought that this was one of the issues I just bought a new cheap normal certificate for the internal SF server.
    I can see that when I try to logon three events occur in the Citrix Delivery Service event log on the SF server.
    The first is the one pointing me in the direction you guys also do:
    “The gateway cag is untrusted”.
    Why does the SF server say it is untrusted? IE on this machine has no issues opening the CAG portal.
    Should I now go ahead installing a CA internally? Is this a complicated job? Never done this before….

  9. EUREKA!
    Finally got every piece of the puzzle complete.
    Latest changes:
    After getting this event error on the StoreFront server:

    An error: FailedInvalidGateway was reported for store ‘Store’ when finding the matching gateway from the list: [Cloud CAG] for this request:
    Remote Address:
    X-Citrix-Via: cag
    I was thinking that there is something misconfigured. And yes….
    On the Networking tab of the CAG the hostname was not correctly filled. It contained ‘cag’, not the FQDN.
    Second since both nics are on the DMZ network, I needed to check them both correctly. So eth0, internal, check and eth1, external, check.
    O yeah, also: on the STA config I put the FQDN of the internal XenApp server, BUT the CAG could not resolve this….

    I will update my documentation for reference later. Been working on this from this morning 10 AM….


    1. To be honest. I did see that in your documentation. But thought you edited that name to mask your FQDN.

      But great that it worked. Cool.

      Nice to see that the community is helping each other. At synergy we will drink some beers 🙂

    2. Sjoerd,

      A million thanks, if I ever have the chance to meet you I will buy you a drink. I worked through what appears a very similar set of steps you, but I stumbled on this final hurdle. I had my hostname configured incorrectly on the VPX device.

      Thanks to Jeroen as well, your guide invaluable in getting this going, the Citrix docs tend to focus on the AGEE.


