NetScaler Unified Gateway / SSO with Citrix StoreFront 3.9 and Client Access Mode

Been working on deploying the NetScaler Unified Gateway for the last few weeks. Our goal is to simply create a unified page to access internal resources such as Outlook Web Access, Intranet, ShareFile, as well as XenApp/XenDesktop resources running on the new version of Citrix StoreFront 3.9.  As a side note, I will be posting my customization code on StoreFront 3.9 in the coming weeks.

First let me discuss (again) about an issue I noticed with version of NetScaler NS11.0 running when working with Content Switches and ZeroIP NetScaler Gateways.

I ran into a bug that crashed at a content switch bind (cs_state_bind) which our friends at Citrix confirmed they have seen this in earlier builds while binding a CS action to VPN vServer (ZeroIP).  Meaning, that I was binding a profile policy/action to a NetScaler Gateway with a ZeroIP, which is exactly what a content switch Netscaler Gateway actually is.

This bug is has been fixed from 11.0 Build 64.x and later, and 11.1.  In my case I upgraded to the now latest version of 11.0 70.12nc.

Lets get started:

On your StoreFront server, make sure that the Enable Remote Access setting for the store is set to No VPN or Full VPN tunnel


In the web.config file, located in drive:/inetpub/wwwroot/citrix/storeweb, make sure to set X-Frame-Options to allow and Content-Security-Policy to frame-ancestors ‘self‘. You will see 3 entries for this.  Make sure you change them all.  This will allow the page to come up with all browsers including IE.  Once the changes are made, simply reset IIS or reboot your SF server(s)


On the NetScaler Session Profile the following settings are required:


  • On the Client Experience tab:
    Clientless Access = ON
    Single Sign-on to Web Applications = Checked
    Credentials Index = Primary

    On the Security tab:
    Default Authorization Action = Allow

    On the Published Applications tab:
    ICA Proxy = OFF
    Web Interface Address = https://serverFQDN/Citrix/StoreWeb (StoreWeb is the actual store name).
    Single Sign-on Domain = Configured


Make sure you use the FQDN link to your storefront server.  You can run into an issue within Clientless Access mode not displaying the Storefront Server page if you configure to an IP.


Once changed to FQDN the page displayed successfully (Ex:


This is a sample of the session profile I manually created and binded to the session policy the UG Wizard created.

add vpn sessionAction UG_VPN_SAct_dmz -defaultAuthorizationAction ALLOW -SSO ON -windowsAutoLogon ON -wihome “” -wiPortalMode COMPACT -ClientChoices ON -ntDomain name_of_domain -clientlessVpnMode ON -emailHome “”

Optionally, you can bypass the Client Choices option on NetScaler Unified Gateway with a Responder policy.  This way users wont have to click on the Client Access option, but instead be redirected to it after user log on.


To do this:

Create a Responder action based on the URL your users will be connecting to

add responder action ug_redirect_ac redirect “\”\”” -responseStatusCode 302

Create a Responder policy, notice it is looking for that choices.html page


add responder policy ug_redirect_pol “HTTP.REQ.HOSTNAME.EQ(\”\”) && HTTP.REQ.URL.CONTAINS(\”vpns/choices.html\”)” ug_redirect_ac

Bind the Responder policy to the NetScaler Gateway the UG config creates.  In my case it is called UG_VPN_ug_gtw_dmz


bind vpn vserver UG_VPN_ug_gtw_dmz -policy ug_redirect_pol -priority 100 -gotoPriorityExpression END -type REQUEST

Once the policy is binded, users will simply be redirected to the “Clientless Access” portion of the site without being prompted to select VPN, Clientless Access, or good old StoreFront/Web Interface

That is it! Hope this helps!  Cheers :)


I do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained on this website.

Customizing Citrix StoreFront 2.6 including Pre-Login message page

Here are my StoreFront customizations for Citrix StoreFront 2.6.  Many are similar to previous version of SF, however some of the syntax changed.

There are some good improvements/features SF 2.6 brings, one that I like and works best where I currently work is the Web Folder View, which in the past had to be done by running StoreFront in lock down mode.  This new view can certainly help your users feel more comfortable when moving from Web Interface.

Fist take a look at the new features of StoreFront which are listed under this link from Citrix.

Secondly I would like to thank Sam Jacobs which provided some of his code he presented at Citrix Synergy 2014.  You can view the presentation here 


  • Windows 2008 R2
  • Citrix XenApp 6.5 Hotfix Rollup Pack 2
  • PVS 6.1.16
  • StoreFront 2.6
  • Citrix NetScaler 10.1 build 122.17

Customizations: (All custom files will need to be created under the contrib folder is located under the SF site in the file system (typical location is C:inetpubwwwrootsitesCitrixStoreWebNamecontrib

The following customizations include the following

  • Pre-Login message page
  • Front Page with custom logo and title header
  • App/Desktop page with custom logo, user client IP (For NetScaler load balancing make sure to use X-Forwarded-For to load balance your StoreFront servers, utilizing CLIENT-IP for your VIP will return the SNIP of your NetScaler as the source IP for the user client IP module :P)
  • Apps/Desktop Tab on top with Disable user multiclick
  • Page footer




Back up the original files under C:inetpubwwwrootsitesCitrixStoreWebNamecontrib


1. Overwrite the following files

  • custom.wrstrings.en.js
  • custom.script.js

2. Create new files

  • GetServerData.aspx
  • companylogo_whiteTrans.png
  • companylogo_whitetrans_small.png



(function ($) {
$.localization.customStringBundle(‘en’, {
Disclaimer: ‘Authorized Use Only’,
DisclaimerStatement: ‘You must be assigned an account to access this system.’
+ ‘ The information on this system and network is the property of this organization and is protected by intellectual property rights.’
+ ‘ By clicking the button below, you are consenting to the monitoring of your activities on the system’,
Continue: ‘Continue’

custom.script.js (You can certainly change the way I am working with $(document).ready(function() { and clean it up a bit

// StoreFront customizations

// Replace title
document.title = ‘Remote Access’;

// Place Apps/Desktop Tab on top
$(document).ready(function() {
$(“#resources-switcher” ).detach().appendTo(“#resources-header” );

// Disable User Multi Click 😛
$(document).ready(function() {
CTXS.Resources.multiClickTimeout = 10;

// Display client IP and StoreFront server
url: ‘contrib/GetServerData.aspx?serverData=clientIPandServerName’,
success: function(data) {
var $markup = $(‘<div id=”server-info”>’ + data + ‘</div>’);

// Logon page footer text

// $(document).ready(function() {
// var $footercontent = $(‘<div id=”authentication-footer”><div id=”authentication-copyrightfooter”> <p id=”authentication-copyrightFooterText”></p></div></div>’);
// $footercontent.insertAfter(‘#logonbelt-bottomshadow’);
// });

// $(document).ready(function() {
// $(‘#authentication-copyrightfooter’)[0].innerHTML =
// ‘<p>&copy;2014&nbsp; Access restricted to authorized users.</p>’;
// });

// application page footer text

$(document).ready(function() {
$(‘#copyrightfooter’)[0].innerHTML = ‘<p>&copy;2014&nbsp; Name of your company</p>’;

// Prelogin page

$(document).ready(function() {
CTXS.Application.preLoginHook = function () {
var _dialogTitle = ‘<h1’
+ ‘ class=”messagebox-title _ctxstxt_Disclaimer”></h1>’;
var _dialogBody = ‘<div class=”messagebox-body”>’ +
‘<p class=”_ctxstxt_DisclaimerStatement”></p></div>’;
var _dialogButton = ‘<div class=”messagebox-buttons”>’ +
‘<a href=”#” class=”button _ctxstxt_Continue”></a></div>’;
var dialog = _dialogTitle + _dialogBody + _dialogButton;
var $messagePane = CTXS.displayMessagePane(dialog).ctxsLocalize();
var $button = $messagePane.find(‘.button’);
$ () {
return false;

StoreFront customizations

#credentialupdate-logonimage, #logonbox-logoimage {
background-image: url(“companylogo_whiteTrans.png”);
height: 50px;
width: 283px;

#header-logo {
background-image: url(“companylogo_whitetrans_small.png”);
height: 31px;
margin: 8px 0 0 22px;
width: 179px;

#resources-header {
height: 84px;

#resources-switcher {
padding-top: 48px;
text-align: center;

/* Help Desk info */

/* Logon labels */
#logonbox-logonform label{

/* welcome message and username */
#resources-header #header-userinfo {

#header-userinfo A {

/* for added server info */
#server-info {
color: white;
float: left;
margin-right: 40px;
margin-top: 12px;
position: relative;
vertical-align: middle;

/* EOF Help Desk info */

/* Logon page footer text
#copyrightfooter p,
#copyrightfooter a,
#authentication-copyrightfooter p,
#authentication-copyrightfooter a

/* turn off searchbox
#resources-searcharea {
display: none;


<%@ Page Language=”C#” %>

<script runat=”server” language=”C#”>

private string GetClientIP()
string ips = Request.ServerVariables[“HTTP_X_FORWARDED_FOR”];

if (!string.IsNullOrEmpty(ips))
return ips.Split(‘,’)[0];

return Request.ServerVariables[“REMOTE_ADDR”];

private string GetServerName()
// for security purposes, only return the last 2 chars
string server = Environment.MachineName;
return server.Substring(server.Length-2);

// what server data are we looking for?
string sData = Request[“serverData”]+””;

switch (sData)
case “clientIP”:

case “serverName”:

case “clientIPandServerName”:
Response.Write(“Client IP: ” + GetClientIP() +
“&nbsp;&nbsp;&nbsp;&nbsp; Server: ” + GetServerName());



Hope this helps you 🙂

StoreFront 2.0 – Customization and Default ISS site

Let me start by saying you should not consider doing an in-place upgrade of StoreFront 1.2 to 2.0.  I suggest you start with a new deployment.

Although I was able to get the upgrade working as a personal challenge, I don’t think it is a clean way to go about it.  You can read more about some known issues on this Citrix StoreFront 2.0 upgrade and install issues article

Now after you have your StoreFront 2.0 “Web Interface” servers installed… lets make some changes.  Note that the changes below will be replicated to other StoreFront servers in your Server Group, so you don’t have to make changes on multiple hosts 🙂



  • Windows 2008 R2
  • Citrix XenApp 6.5 Hotfix Rollup Pack 2
  • PVS 6.1.16
  • StoreFront 2.0

Remove “Activate”

If you are not using provisioning file to configure your Receiver, open the web.config in the C:\inetpub\wwwroot\[Store]Web\ directory

Locate the following:

<receiverConfiguration enabled=”false” downloadURL=”ServiceRecord/GetDocument/” />

Change the value from “true” to “false”


Disable Desktop auto-launch

By default, a single XenDesktop or Full Desktop XenApp will auto-launch for the user

<userInterface frameOptions=”deny” autoLaunchDesktop=”false“>

Change the value from “true” to “false”

Show Apps as default instead of XenDesktops/Full Desktop XenApp

<uiViews showDesktopsView=”true” showAppsView=”true” defaultView=”apps” />

Change the value from “desktops” to “apps”


Change Logos

Receiver for Web provides a built-in support for customization through the contrib folder. This folder is located under the Receiver for Web site in the file system (default location is C:\inetpub\wwwroot\sites\Citrix\StoreWeb\contrib) and contains the built-in customization hooks.  It is recommended that all customization code and media are stored under this folder because the content of this folder will be preserved upon upgrade to the subsequent releases.

Using the contrib folder you can upload your logos and create syntax such as below.  You will need to change height, width and margin based on your logos

#credentialupdate-logonimage, #logonbox-logoimage {

background-image: url(“company_whiteTrans.png”);

height: 64px;

width: 353px;


#header-logo {

background-image: url(“company_whitetrans_small.png”);

height: 31px;

margin: 8px 0 0 22px;

width: 179px;


Set StoreFront as the Default Page within IIS

Now… Lets set that StoreFront site as you default site, as we recall with the legacy Web Interface component, each Web site had the option to be the default page for the IIS site. This option is not available in Storefront. 😦

To make a Storefront Web site the default page within the IIS site, complete the following procedure:

  • Open Notepad and paste the following text:

    <script type=”text/javascript”>
    // –>
    : Replace /Citrix/StoreWeb to the correct path to your Store’s Web site, if required.

  • Select File > Save As and browse to the IIS folder, by default the C:\inetput\wwwroot is the IIS folder.
  • Select the Save as type to All types.
  •  Type a file name with an html extension, and select Save.

  • Open IIS Manager.
  • Select the SERVERNAME node (top-level) and double-click Default Document, as shown in the following screen shot:

  • Select Add…, and enter the file name of the .html file provided in Step 4.

  • Ensure the .html file is located at the top of the list, as shown in the following screen shot:

  • Open the command prompt and run the following command:

You can read more info on this under this CTX article

StoreFront 1.2 default tabs and desktop autolaunch

1. Control the default Tab behavior in Citrix StoreFront 1.2
2. AutoLaunch a XenDesktop or XenApp Published Desktop
12-14-2012 5-05-01 PM
Solution 1 – Control the Tabs:
Open the web.config file located by default under c:\inetpub\wwwroot\NameOfYourStore\
Locate the following:
<uiViews showDesktopsView=”true” showAppsView=”true” defaultView=”desktops” />
If you wish to change the default to Apps, simply change the syntax to the following:
<uiViews showDesktopsView=”true” showAppsView=”true” defaultView=”apps” />
Solution 2 – Automatically launch a the Desktop once the user logs in (Only works if you have a single Desktop published)
Find the following syntax and make sure the autoLaunchDesktop setting is set to true

<userInterface frameOptions=”deny” autoLaunchDesktop=”true“>

Also, don’t forget to read my previous post on how to speed up StoreFront 1.2 as it is very slow without making modifications

Disable StoreFront 1.2 Desktop auto launch feature

In the good old days of traditional Web Interface, everything you did in the GUI was reflected back in the WebInterface.conf file usually located under C:\inetpub\wwwroot\Citrix\NameOfYourSite\conf\.  After a while, there was no reason to open the GUI and making modifications to your WI became a very speedy process.  Specially when you had several WI sites.

A lot has changed with StoreFront, however you can still control many aspects of the interface by editing files inside the web installation directory since the GUI is now missing.

What I am really wondering now, is how this will play a role with the Citrix NetScaler Web Interface feature, where it allows you to import the 5.4 WebInterface.conf file directly into the NetScaler and run WI on it.  Time will tell I guess…

With StoreFront, when both desktops and applications are available from a site, Receiver for Web displays separate desktop and application views by default. Users see the desktop view first when they log on to the site. Regardless of whether applications are also available from a site, if only a single desktop is available for a user, Receiver for Web attempts to automatically start that desktop when the user logs on.

To change these default settings, edit the site configuration file.
  1. On the StoreFront server, use a text editor to open the web.config file for the Receiver for Web site, which is typically located in the C:\inetpub\wwwroot\Citrix\storenameWeb\ directory, where storename is the name specified for the store when it was created.
  2. Locate the following element in the file.
    <uiViews showDesktopsView="true" showAppsView="true" defaultView="desktops" />
  3. Change the value of the showDesktopsView and showAppsView attributes to false to prevent desktops and applications, respectively, being displayed to users, even if they are available from the site. When both the desktop and application views are enabled, set the value of the defaultView attribute to apps to display the application view first when users log on to the site.
  4. Locate the following element in the file.
    <userInterface ... autoLaunchDesktop="true">
  5. Change the value of the autoLaunchDesktop attribute to false to prevent Receiver for Web from automatically starting and accessing a desktop when a user logs on to the site and only a single desktop is available for that user.

For additional customizations of StoreFront configuration file, see this Citrix article

Speeding up the new StoreFront 1.2 (CloudGateway Express)

StoreFront 1.2 was just released on 07.31.12.  After reading it’s benefits, I figure I set it up for a POC and see how it behaves with a new XenApp 6.5 environment.  You can read on the benefits here.  The one thing I noticed, it is extra slow.

The first change comes from the Citrix Forums which dictates to disable NetBIOS over TCP/IP. To disable NetBIOS over TCP/IP, open the Advanced Properties dialog for TCP/IP on each network interface as shown in the screenshot.


Apparently, the need for NetBIOS communication is a prime contributor to the slow enumeration events. Once I made this change the enumerations were lightning fast, but the initial logon page was still slow to load.

In the old days, the sloooow logon page loading was caused by the .NET Framework not  staying resident in memory; however, with Web Interface 5.4 and IIS 7, the Idle Time Out value on the Web Interface App Pool is set correctly to 0 by default, which keeps the .NET Framework loaded. So I went looking for another solution.

I found the answer at Alexander Ervik Johnsen’s website. (Later I discovered it is also a Citrix KB article.) I made the following changes on both the Microsoft.NET\Framework and Microsoft.NET\Framework64 directories:

  1. Check in IIS for the version that is in use with the Web Interface application pool, which should be version 2.0.50727
  2. Edit the ASPNET.CONFIG file(C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet.config)
  3. Add the following GeneratePublisherEvidence line to the runtime section of the ASPNET.CONFIG file as shown
    <generatePublisherEvidence enabled=”false”/>
  4. Run IISRESET for force a reread of the ASPNET.CONFIG file

Once I made those changes to the ASPNET.CONFIG file, my Web Interface login page loaded in about 3 seconds. I was quite surprised at the difference only those two changes made to the response time of the Web Interface servers.

After making the changes above the darn thing is actually ready for a POC.


How To Brand Citrix Receiver for Web

Since Citrix is officially discontinuing the Citrix Web Interface we have all loved for many years.

It seems the focus now will be on the NetScaler Web Portals and of course the new CloudGateway.  I was able to find a good article that explains how to customize the new interface.  Thanks for the Citrix fellas for putting this out.

There have been numerous requests asking how to brand Citrix Receiver for Web.  You have only to look at the Citrix Service Providers group on LinkedIn to know that this is a topic that has generated lots of interest.

Jeroen Tielen has already done a lot of the heavy lifting when it comes to branding Citrix Receiver for the Web — see his blog post on how to customize the branding:

I’m providing a step-by-step guide on how to do this, and also how to extend it.  CSPs have also said they want to provide a list of URL links, for example links to helpdesk/support sites, feedback mechanisms, etc…

In other words, let’s start with this:

The “Before” web site

And end up with something like this:

The “After” web site

Branding the Web Interface:

Let’s start by creating a new Storefront site for a white label reseller.  This also isolates all of our changes to just this new site, and so we can always revert back to the default Citrix branding.

  1. Run the Citrix XenApp Server Role Manager and then click on the Edit Configuration link for the Receiver Storefront.  This will start the MMC snap-in for Citrix Receiver Storefront.
  2. In the left-hand tree view click on Receiver for Web, and then in the far right-hand pane click on Create Website.
  3. Change the web site path to whatever you want as the URL path for your reseller.  In the screenshot above you can see I chose “/Citrix/TenantACME”.

Now that we have a new web site created, let’s take a quick look.  If you’re using a default environment you’ll see that it created a new folder at C:\inetpub\wwwroot\Citrix\TenantACME, and that within this folder there is a \css folder, a \media folder, a \scripts folder, and a \uiareas folder.  These seem promising!

Let’s start with the background.  If you’ve already read Jeroen’s blog post you’ll know the file we want to change is at C:\inetpub\wwwroot\Citrix\TenantACME\media\bg_bubbles.jpg.  Just replace that file with a different JPG image with the same name.  Here’s an example:

Citrix Receiver for Web - New Background with white text

Not bad, but the white text is a little hard to read.  We’ll start with the username/password and change that to black.

Open up C:\inetpub\wwwroot\Citrix\TenantACME\css\ in a text editor like Notepad, and do a search for “#logonbox-logonform label” (it will be near the end).  You’ll find a section of text that looks something like this:

#logonbox-logonform label{color:white;display:table-cell;font-size:12px;height:20px;vertical-align:bottom;}

All you have to do is change the part the highlighted text from “white” to “black”:

#logonbox-logonform label{color:black;display:table-cell;font-size:12px;height:20px;vertical-align:bottom;}

While you’re in that file you’ll also want to change some other things as well.  For example any messages will also be in white.  So search for “.ctxsui-messagebox{height:142px” (near the top) and change the color to black as well:


The Citrix Receiver logo is also really hard to read since it’s white.  That’s an image, so all we have to do is replace C:\inetpub\wwwroot\Citrix\TenantACME\uiareas\Authentication\media\logo_notagline.png with a different image, just like we did for the background image.  We’ll also change the “Screen_SemiTranslucent.png” image (the light bar going across the middle) and the “VerticalGreenBarOnly.png” image (the vertical bar on the far left) as well, since our background has more of a blue theme.

Our web site now looks like this:

Citrix Receiver for Web - new background with black text

This looks a lot nicer!  You can see that we branded it for the reseller with the “Provided by ACME” tagline in the logo image.  So far though we haven’t really introduced anything new.  All we’ve done is tweak some images and some minor CSS.  Now let’s tackle the fun stuff: adding links!

Adding Links on the Login Page

Before we jump in, let’s take a quick look at how the page is structured. If you’re using IE or Chrome hit the F12 key to follow along. The web page is structured as a series of nested tags. These divide the page into logical sections. It’s laid out like this:

Citrix Receiver - DOM model

You can see the major Divs, and the one that is of interest to us is “authentication”. This is the only Div that is visible initially (the others are set to “display:none”).  The way this page works is that it toggles these Divs on or off – for instance after you login the “authentication” Div will become hidden and the “resources” Div will become visible.

You can see that the “authentication” Div is further comprised of other Divs. What we’re going to do is insert yet another Div into the “authentication” Div. So our code will be visible only when the authentication screen is shown, and hidden otherwise.

Create a new text file called “HelpLinks.js” in your C:\inetpub\wwwroot\Citrix\TenantACME\scripts folder.  We’re going to add our javascript code in its own file so that we can keep it isolated from the main code.  In this file copy-and-paste all of the following:

var SetLinks = function() {
    var content = '\
        <div style="position:fixed; top:500px; left:20px;"> \
            <a href="">HelpDesk</a><br /> \
            <a href="">Feedback</a> \
    var newDiv = $(content);

What this does is add some HTML (the part that is highlighted) right after the “#logonbelt-bottomshadow” Div in our page.  It needn’t be exactly there, but the important thing is that our new Div is added somewhere inside of the “authentication” Div.

But so far this code isn’t linked up to anything.  Let’s open C:\inetpub\wwwroot\Citrix\TenantACME\Default.htm in a text editor like Notepad and add a reference to our new Javascript file.  Find this line in the html page (near the top):

<script src="scripts/Default.htm.script.min.js" type="text/javascript"></script>

Now add another line right before it:

<script src="scripts/HelpLinks.js" type="text/javascript"></script>

This references our new javascript, but doesn’t invoke it.  To do that we modify the C:\inetpub\wwwroot\Citrix\TenantACME\scripts\Default.htm.script.min.js file in Notepad.  Search for the following:


Now modify this so that it looks like this:


Let’s take a look now.

Citrix Receiver for Web - New background with links

Nice!  Let’s see what has changed in the structure of our page.

Citrix Receiver for Web - DOM model with new Div

You’ll notice that our new Div was added right after the “logonbelt-bottomshadow” Div.

The rest is just a matter of polish.  Some things that you might want to do.

  1. Our helpdesk and feedback links look a little naked.  You can modify the HTML in HelpLinks.js to decorate those links with some images (as in the “After” image at the top of this article).
  2. After the user logs in and sees the apps you will notice that the white text on a light background can be a little hard to read.  To update the text color search for “#resources-header #header-userinfo{float:left;”, “#resources-header #header-logofflink{float:left;”, and “.myapps-name{padding-top:6px;” in the file and update each of them to a darker color.
  3. The background frame around each of the apps likewise might need a little tweaking due to the light background.  Update the image at C:\inetpub\wwwroot\Citrix\TenantACME\uiareas\Store\media\MainAppIcon_normal.png if you want to change it.

You may have noticed that generally you’ll have an easier time if you stick with a dark background.  Also, depending on your installation and version, some of the file names might be slightly different.  For instance the Citrix logo image might be called “logo_tagline.png” instead of “logo_notagline.png”

What if you don’t want the links on the authentication page, but rather *after* the user logs in?  That can be done using the same principles in this article:

  1. Look at the structure of the web site.
  2. Find where you want to place your new HTML (in a new sub-div within the “resources” Div in our case)
  3. Add some Javascript to insert your new HTML after an existing Div element of the page (inserting after the “resources-footer” Div would work)
  4. Call your Javascript from Default.htm.script.min.js

I’ll leave that as an exercise to the reader.  If you’re having trouble let me know in the comments section, and also maybe an enterprising individual will post their answer!

(Caveat Emptor: None of this is officially supported by Citrix, take it as-is.)
(Thanks go to Scott Novack who also helped with this article.)