NetScaler Unified Gateway / SSO with Citrix StoreFront 3.9 and Client Access Mode

Been working on deploying the NetScaler Unified Gateway for the last few weeks. Our goal is to simply create a unified page to access internal resources such as Outlook Web Access, Intranet, ShareFile, as well as XenApp/XenDesktop resources running on the new version of Citrix StoreFront 3.9.  As a side note, I will be posting my customization code on StoreFront 3.9 in the coming weeks.

First let me discuss (again) about an issue I noticed with version of NetScaler NS11.0 running when working with Content Switches and ZeroIP NetScaler Gateways.

I ran into a bug that crashed at a content switch bind (cs_state_bind) which our friends at Citrix confirmed they have seen this in earlier builds while binding a CS action to VPN vServer (ZeroIP).  Meaning, that I was binding a profile policy/action to a NetScaler Gateway with a ZeroIP, which is exactly what a content switch Netscaler Gateway actually is.

This bug is has been fixed from 11.0 Build 64.x and later, and 11.1.  In my case I upgraded to the now latest version of 11.0 70.12nc.

Lets get started:

On your StoreFront server, make sure that the Enable Remote Access setting for the store is set to No VPN or Full VPN tunnel


In the web.config file, located in drive:/inetpub/wwwroot/citrix/storeweb, make sure to set X-Frame-Options to allow and Content-Security-Policy to frame-ancestors ‘self‘. You will see 3 entries for this.  Make sure you change them all.  This will allow the page to come up with all browsers including IE.  Once the changes are made, simply reset IIS or reboot your SF server(s)


On the NetScaler Session Profile the following settings are required:


  • On the Client Experience tab:
    Clientless Access = ON
    Single Sign-on to Web Applications = Checked
    Credentials Index = Primary

    On the Security tab:
    Default Authorization Action = Allow

    On the Published Applications tab:
    ICA Proxy = OFF
    Web Interface Address = https://serverFQDN/Citrix/StoreWeb (StoreWeb is the actual store name).
    Single Sign-on Domain = Configured


Make sure you use the FQDN link to your storefront server.  You can run into an issue within Clientless Access mode not displaying the Storefront Server page if you configure to an IP.


Once changed to FQDN the page displayed successfully (Ex:


This is a sample of the session profile I manually created and binded to the session policy the UG Wizard created.

add vpn sessionAction UG_VPN_SAct_dmz -defaultAuthorizationAction ALLOW -SSO ON -windowsAutoLogon ON -wihome “” -wiPortalMode COMPACT -ClientChoices ON -ntDomain name_of_domain -clientlessVpnMode ON -emailHome “”

Optionally, you can bypass the Client Choices option on NetScaler Unified Gateway with a Responder policy.  This way users wont have to click on the Client Access option, but instead be redirected to it after user log on.


To do this:

Create a Responder action based on the URL your users will be connecting to

add responder action ug_redirect_ac redirect “\”\”” -responseStatusCode 302

Create a Responder policy, notice it is looking for that choices.html page


add responder policy ug_redirect_pol “HTTP.REQ.HOSTNAME.EQ(\”\”) && HTTP.REQ.URL.CONTAINS(\”vpns/choices.html\”)” ug_redirect_ac

Bind the Responder policy to the NetScaler Gateway the UG config creates.  In my case it is called UG_VPN_ug_gtw_dmz


bind vpn vserver UG_VPN_ug_gtw_dmz -policy ug_redirect_pol -priority 100 -gotoPriorityExpression END -type REQUEST

Once the policy is binded, users will simply be redirected to the “Clientless Access” portion of the site without being prompted to select VPN, Clientless Access, or good old StoreFront/Web Interface

That is it! Hope this helps!  Cheers :)


I do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained on this website.


Customizing Citrix StoreFront 2.6 including Pre-Login message page

Here are my StoreFront customizations for Citrix StoreFront 2.6.  Many are similar to previous version of SF, however some of the syntax changed.

There are some good improvements/features SF 2.6 brings, one that I like and works best where I currently work is the Web Folder View, which in the past had to be done by running StoreFront in lock down mode.  This new view can certainly help your users feel more comfortable when moving from Web Interface.

Fist take a look at the new features of StoreFront which are listed under this link from Citrix.

Secondly I would like to thank Sam Jacobs which provided some of his code he presented at Citrix Synergy 2014.  You can view the presentation here 


  • Windows 2008 R2
  • Citrix XenApp 6.5 Hotfix Rollup Pack 2
  • PVS 6.1.16
  • StoreFront 2.6
  • Citrix NetScaler 10.1 build 122.17

Customizations: (All custom files will need to be created under the contrib folder is located under the SF site in the file system (typical location is C:inetpubwwwrootsitesCitrixStoreWebNamecontrib

The following customizations include the following

  • Pre-Login message page
  • Front Page with custom logo and title header
  • App/Desktop page with custom logo, user client IP (For NetScaler load balancing make sure to use X-Forwarded-For to load balance your StoreFront servers, utilizing CLIENT-IP for your VIP will return the SNIP of your NetScaler as the source IP for the user client IP module :P)
  • Apps/Desktop Tab on top with Disable user multiclick
  • Page footer




Back up the original files under C:inetpubwwwrootsitesCitrixStoreWebNamecontrib


1. Overwrite the following files

  • custom.wrstrings.en.js
  • custom.script.js

2. Create new files

  • GetServerData.aspx
  • companylogo_whiteTrans.png
  • companylogo_whitetrans_small.png



(function ($) {
$.localization.customStringBundle(‘en’, {
Disclaimer: ‘Authorized Use Only’,
DisclaimerStatement: ‘You must be assigned an account to access this system.’
+ ‘ The information on this system and network is the property of this organization and is protected by intellectual property rights.’
+ ‘ By clicking the button below, you are consenting to the monitoring of your activities on the system’,
Continue: ‘Continue’

custom.script.js (You can certainly change the way I am working with $(document).ready(function() { and clean it up a bit

// StoreFront customizations

// Replace title
document.title = ‘Remote Access’;

// Place Apps/Desktop Tab on top
$(document).ready(function() {
$(“#resources-switcher” ).detach().appendTo(“#resources-header” );

// Disable User Multi Click 😛
$(document).ready(function() {
CTXS.Resources.multiClickTimeout = 10;

// Display client IP and StoreFront server
url: ‘contrib/GetServerData.aspx?serverData=clientIPandServerName’,
success: function(data) {
var $markup = $(‘<div id=”server-info”>’ + data + ‘</div>’);

// Logon page footer text

// $(document).ready(function() {
// var $footercontent = $(‘<div id=”authentication-footer”><div id=”authentication-copyrightfooter”> <p id=”authentication-copyrightFooterText”></p></div></div>’);
// $footercontent.insertAfter(‘#logonbelt-bottomshadow’);
// });

// $(document).ready(function() {
// $(‘#authentication-copyrightfooter’)[0].innerHTML =
// ‘<p>&copy;2014&nbsp; Access restricted to authorized users.</p>’;
// });

// application page footer text

$(document).ready(function() {
$(‘#copyrightfooter’)[0].innerHTML = ‘<p>&copy;2014&nbsp; Name of your company</p>’;

// Prelogin page

$(document).ready(function() {
CTXS.Application.preLoginHook = function () {
var _dialogTitle = ‘<h1’
+ ‘ class=”messagebox-title _ctxstxt_Disclaimer”></h1>’;
var _dialogBody = ‘<div class=”messagebox-body”>’ +
‘<p class=”_ctxstxt_DisclaimerStatement”></p></div>’;
var _dialogButton = ‘<div class=”messagebox-buttons”>’ +
‘<a href=”#” class=”button _ctxstxt_Continue”></a></div>’;
var dialog = _dialogTitle + _dialogBody + _dialogButton;
var $messagePane = CTXS.displayMessagePane(dialog).ctxsLocalize();
var $button = $messagePane.find(‘.button’);
$ () {
return false;

StoreFront customizations

#credentialupdate-logonimage, #logonbox-logoimage {
background-image: url(“companylogo_whiteTrans.png”);
height: 50px;
width: 283px;

#header-logo {
background-image: url(“companylogo_whitetrans_small.png”);
height: 31px;
margin: 8px 0 0 22px;
width: 179px;

#resources-header {
height: 84px;

#resources-switcher {
padding-top: 48px;
text-align: center;

/* Help Desk info */

/* Logon labels */
#logonbox-logonform label{

/* welcome message and username */
#resources-header #header-userinfo {

#header-userinfo A {

/* for added server info */
#server-info {
color: white;
float: left;
margin-right: 40px;
margin-top: 12px;
position: relative;
vertical-align: middle;

/* EOF Help Desk info */

/* Logon page footer text
#copyrightfooter p,
#copyrightfooter a,
#authentication-copyrightfooter p,
#authentication-copyrightfooter a

/* turn off searchbox
#resources-searcharea {
display: none;


<%@ Page Language=”C#” %>

<script runat=”server” language=”C#”>

private string GetClientIP()
string ips = Request.ServerVariables[“HTTP_X_FORWARDED_FOR”];

if (!string.IsNullOrEmpty(ips))
return ips.Split(‘,’)[0];

return Request.ServerVariables[“REMOTE_ADDR”];

private string GetServerName()
// for security purposes, only return the last 2 chars
string server = Environment.MachineName;
return server.Substring(server.Length-2);

// what server data are we looking for?
string sData = Request[“serverData”]+””;

switch (sData)
case “clientIP”:

case “serverName”:

case “clientIPandServerName”:
Response.Write(“Client IP: ” + GetClientIP() +
“&nbsp;&nbsp;&nbsp;&nbsp; Server: ” + GetServerName());



Hope this helps you 🙂

StoreFront 2.0 – Customization and Default ISS site

Let me start by saying you should not consider doing an in-place upgrade of StoreFront 1.2 to 2.0.  I suggest you start with a new deployment.

Although I was able to get the upgrade working as a personal challenge, I don’t think it is a clean way to go about it.  You can read more about some known issues on this Citrix StoreFront 2.0 upgrade and install issues article

Now after you have your StoreFront 2.0 “Web Interface” servers installed… lets make some changes.  Note that the changes below will be replicated to other StoreFront servers in your Server Group, so you don’t have to make changes on multiple hosts 🙂



  • Windows 2008 R2
  • Citrix XenApp 6.5 Hotfix Rollup Pack 2
  • PVS 6.1.16
  • StoreFront 2.0

Remove “Activate”

If you are not using provisioning file to configure your Receiver, open the web.config in the C:\inetpub\wwwroot\[Store]Web\ directory

Locate the following:

<receiverConfiguration enabled=”false” downloadURL=”ServiceRecord/GetDocument/” />

Change the value from “true” to “false”


Disable Desktop auto-launch

By default, a single XenDesktop or Full Desktop XenApp will auto-launch for the user

<userInterface frameOptions=”deny” autoLaunchDesktop=”false“>

Change the value from “true” to “false”

Show Apps as default instead of XenDesktops/Full Desktop XenApp

<uiViews showDesktopsView=”true” showAppsView=”true” defaultView=”apps” />

Change the value from “desktops” to “apps”


Change Logos

Receiver for Web provides a built-in support for customization through the contrib folder. This folder is located under the Receiver for Web site in the file system (default location is C:\inetpub\wwwroot\sites\Citrix\StoreWeb\contrib) and contains the built-in customization hooks.  It is recommended that all customization code and media are stored under this folder because the content of this folder will be preserved upon upgrade to the subsequent releases.

Using the contrib folder you can upload your logos and create syntax such as below.  You will need to change height, width and margin based on your logos

#credentialupdate-logonimage, #logonbox-logoimage {

background-image: url(“company_whiteTrans.png”);

height: 64px;

width: 353px;


#header-logo {

background-image: url(“company_whitetrans_small.png”);

height: 31px;

margin: 8px 0 0 22px;

width: 179px;


Set StoreFront as the Default Page within IIS

Now… Lets set that StoreFront site as you default site, as we recall with the legacy Web Interface component, each Web site had the option to be the default page for the IIS site. This option is not available in Storefront. 😦

To make a Storefront Web site the default page within the IIS site, complete the following procedure:

  • Open Notepad and paste the following text:

    <script type=”text/javascript”>
    // –>
    : Replace /Citrix/StoreWeb to the correct path to your Store’s Web site, if required.

  • Select File > Save As and browse to the IIS folder, by default the C:\inetput\wwwroot is the IIS folder.
  • Select the Save as type to All types.
  •  Type a file name with an html extension, and select Save.

  • Open IIS Manager.
  • Select the SERVERNAME node (top-level) and double-click Default Document, as shown in the following screen shot:

  • Select Add…, and enter the file name of the .html file provided in Step 4.

  • Ensure the .html file is located at the top of the list, as shown in the following screen shot:

  • Open the command prompt and run the following command:

You can read more info on this under this CTX article

StoreFront 1.2 default tabs and desktop autolaunch

1. Control the default Tab behavior in Citrix StoreFront 1.2
2. AutoLaunch a XenDesktop or XenApp Published Desktop
12-14-2012 5-05-01 PM
Solution 1 – Control the Tabs:
Open the web.config file located by default under c:\inetpub\wwwroot\NameOfYourStore\
Locate the following:
<uiViews showDesktopsView=”true” showAppsView=”true” defaultView=”desktops” />
If you wish to change the default to Apps, simply change the syntax to the following:
<uiViews showDesktopsView=”true” showAppsView=”true” defaultView=”apps” />
Solution 2 – Automatically launch a the Desktop once the user logs in (Only works if you have a single Desktop published)
Find the following syntax and make sure the autoLaunchDesktop setting is set to true

<userInterface frameOptions=”deny” autoLaunchDesktop=”true“>

Also, don’t forget to read my previous post on how to speed up StoreFront 1.2 as it is very slow without making modifications

Disable StoreFront 1.2 Desktop auto launch feature

In the good old days of traditional Web Interface, everything you did in the GUI was reflected back in the WebInterface.conf file usually located under C:\inetpub\wwwroot\Citrix\NameOfYourSite\conf\.  After a while, there was no reason to open the GUI and making modifications to your WI became a very speedy process.  Specially when you had several WI sites.

A lot has changed with StoreFront, however you can still control many aspects of the interface by editing files inside the web installation directory since the GUI is now missing.

What I am really wondering now, is how this will play a role with the Citrix NetScaler Web Interface feature, where it allows you to import the 5.4 WebInterface.conf file directly into the NetScaler and run WI on it.  Time will tell I guess…

With StoreFront, when both desktops and applications are available from a site, Receiver for Web displays separate desktop and application views by default. Users see the desktop view first when they log on to the site. Regardless of whether applications are also available from a site, if only a single desktop is available for a user, Receiver for Web attempts to automatically start that desktop when the user logs on.

To change these default settings, edit the site configuration file.
  1. On the StoreFront server, use a text editor to open the web.config file for the Receiver for Web site, which is typically located in the C:\inetpub\wwwroot\Citrix\storenameWeb\ directory, where storename is the name specified for the store when it was created.
  2. Locate the following element in the file.
    <uiViews showDesktopsView="true" showAppsView="true" defaultView="desktops" />
  3. Change the value of the showDesktopsView and showAppsView attributes to false to prevent desktops and applications, respectively, being displayed to users, even if they are available from the site. When both the desktop and application views are enabled, set the value of the defaultView attribute to apps to display the application view first when users log on to the site.
  4. Locate the following element in the file.
    <userInterface ... autoLaunchDesktop="true">
  5. Change the value of the autoLaunchDesktop attribute to false to prevent Receiver for Web from automatically starting and accessing a desktop when a user logs on to the site and only a single desktop is available for that user.

For additional customizations of StoreFront configuration file, see this Citrix article