Partly based on Citrix Docs Configure Citrix Gateway Session Policies for StoreFront.
CTX227054 NetScaler Gateway, StoreFront and XenDesktop Integration Communication Workflow contains packet traces of the ICA Proxy, StoreFront, and XenDesktop communication flows.
YouTube video Citrix NetScaler Gateway and StoreFront Integration Whiteboard.
HOW TO CONFIGURE THE CITRIX RECIVER TO USE A PROXY DOWNLOAD
In Windows, Receiver Self-Service can download icons from StoreFront and put the icons on the client device’s app launcher (Start Menu and/or Desktop) without needing to actually open the Receiver Self-Service window.
In Windows, Receiver Self-Service is the user interface that you can open from the Receiver / Workspace app systray icon.
In all operating systems, Receiver Self-Service is the user interface that opens when you launch Receiver or Workspace app from the app launcher.
Receiver Self-Service – native user interface built into Receiver / Workspace app that connects to an XML-based API hosted on Citrix StoreFront.
connecting to the Receiver for Web website hosted on Citrix StoreFront. Both user interface options rely on a connection to StoreFront. ICA Proxy is configured differently for each user interface. There are two user interface options for connecting to Citrix Virtual Apps and Desktops (CVAD).
DTLS-encrypted (UDP) port 443 is also an option – UDP protocol for ICA traffic performs better than TCP on high latency links.
If the traffic is ICA protocol, then ICA Proxy uses a Secure Ticket Authority (STA) server to authenticate the connection, and then forwards the unencrypted ICA traffic to the VDA.
The address of the StoreFront server is defined in a Session Policy/Profile on the Published Applications tab.
If the traffic is HTTP protocol, then ICA Proxy forwards it to Citrix StoreFront.
ICA Proxy decrypts the traffic and inspects it.
Both HTTP and ICA are proxied through a single TLS-encrypted port 443.
Sometimes Citrix Gateway is deployed in front of StoreFront just for the additional authentication options that Citrix Gateway provides.
Citrix Gateway has more authentication options than StoreFront.
Citrix Gateway supports many different authentication methods, including: LDAP, RADIUS, SAML, OpenID Connect, nFactor, Client Certificates (Smart Cards), etc.
The “single IP address” feature is also sometimes useful internally, especially if there’s any Network Address Translation between internal subnets, or if the Citrix VDAs are protected behind an internal firewall.
All communication from all external Citrix clients to all internal StoreFront servers and all internal VDAs is proxied through the one IP address.
ICA Proxy only exposes a single IP address to the user.
Other Gateway features include: SSL VPN, Unified Gateway, RDP Proxy, PCoIP Proxy, etc.
ICA Proxy is just one of the features that Citrix Gateway supports.
ICA is a display protocol similar to RDP protocolĬitrix Gateway has an ICA Proxy feature that authenticates the user, proxies HTTP traffic to StoreFront, and then proxies ICA traffic to VDAs.
ICA connection directly to a Citrix Virtual Delivery Agent (VDA).
User interface that displays a list Citrix published icons.
Here’s a high level overview of internal connectivity from client devices to Citrix Virtual Apps and Desktops (CVAD):
HOW TO CONFIGURE THE CITRIX RECIVER TO USE A PROXY FULL
2018 Feb 8 – in Gateway VServer > TCP Profile section, added link to Citrix CTX232321 Recommended TCP Profile Settings for Full Tunnel VPN/ICAProxy from NetScaler Gateway 11.1 Onwards.
HOW TO CONFIGURE THE CITRIX RECIVER TO USE A PROXY HOW TO
2018 Mar 11 – in the View ICA Connections section, added info from CTX232581 How to View Active Users Sessions Connected to Specific NetScaler Gateway vServers.
2018 Apr 7 – in the NetScaler Gateway Virtual Server section, added EDT MTU/MSS info from EDT-Adaptive Transport with Azure Netscaler at Citrix Discussions.
Gateway Virtual Server – added info from CTX231916 NetScaler Takes 3-4 Minutes to Mark STA as DOWN.
2018 Oct 7 – updated screenshots for Citrix Gateway 12.1.
2018 Oct 13 – new Logoff is Successful section with Responder Policy from Storefront 3.15 “Logoff Is Successful” at Reddit.
2018 Dec 20 – updated screenshots for Citrix Gateway instead of NetScaler Gateway.
2020 Sep 7 – new Traffic Policy section for ADC 13.0 build 64.35.
Citrix Gateway Virtual Server for ICA Proxy and StoreFront.
Session Policies/Profiles for ICA Proxy and StoreFront.
Citrix Gateway is the new name for NetScaler Gateway. Citrix ADC is the new name for NetScaler. The server is currently unable to handle the request due to a temporary overload or scheduled maintenance, which will likely be alleviated after some delay.This article applies to Citrix Gateway 13.0, Citrix Gateway 12.1, and NetScaler Gateway 12.0. Unable to add HTTP stores when using Proxy.ĪuthManSvr,_#dotNet#_,0,1,CDF_NET_INFO," CWindowsNetworkServices::TryGetIEProx圜onfigForCurrentUser",""ĪuthManSvr,_#dotNet#_,0,1,CDF_NET_INFO," ",""ĬitrixReceiver,_#dotNet#_,0,9,CDF_NET_INFO," response: status=503