How to Configure Internal Beacon for Single FQDN on StoreFront

How to Configure Internal Beacon for Single FQDN on StoreFront

book

Article ID: CTX218708

calendar_today

Updated On:

Description

This article describes how to Configure Internal Beacon for Single FQDN on StoreFront.

Background

When you access any URL in Citrix Receiver, it tries to resolve both internal and external beacons. First it will resolve the internal beacon, followed by the external beacon, and then Citrix Receiver will follow the path depending upon which beacon was resolved.

The internal network should only be able to resolve internal beacon however the external network should not be able to resolve the internal beacon. This is the reason why the internal beacon should be changed in Single FQDN scenarios.

The following table illustrates both the scenarios:

Separate FQDN for internal and external store access

FQDNInternal NetworkExternal Network
NetScaler Gateway URL -https://nsg.domain.comThe StoreFront URL would be accessed from Receiver.The NetScaler Gateway URL would be accessed from Receiver.
StoreFront Base URL -https://sf.domain.comInternal Beacon should be resolvable.Internal Beacon should not be resolvable.
Internal Beacon- https://sf.domain.comExternal Beacon may or may not be resolvable.External Beacon should be resolvable.
External Beacon- https://nsg.domain.comThe authentication will occur directly on StoreFront and NetScaler Gateway is not used.The authentication occurs on NetScaler Gateway and SSO occurs on StoreFront at the backend.
In case the Internal Beacon is resolvable then the Citrix Receiver will try to reach the server where Internal Beacon is resolving to, however it would not be reachable from the external network.
This is the reason why it is always recommended not to resolve Internal Beacon/ StoreFront base URL externally. This causes the app enumeration to fail.

Single FQDN for both internal and external store access

FQDNInternal NetworkExternal Network
NetScaler Gateway URL- https://apps.domain.comThe URL should resolve to StoreFront Server.The URL should resolve to NetScaler Gateway Virtual Server.
StoreFront Base URL  -  https://apps.domain.comInternal Beacon should be resolvable.Internal Beacon should not be resolvable.
Internal Beacon- https://appsib.domain.comExternal Beacon may or may not be resolvable.External Beacon should be resolvable.
External Beacon- https://apps.domain.comThe authentication will occur directly on StoreFront and NetScaler Gateway is not used.The authentication occurs on NetScaler Gateway and SSO occurs on StoreFront at the backend.
In case the Internal Beacon is resolvable then the Citrix Receiver will try to reach the server where Internal Beacon is resolving to, however it would not be reachable from the external network. This causes the app enumeration to fail.

Instructions

Internal Beacon Configuration for Single FQDN Architecture

  1. Configure either a wildcard certificate or SAN certificate on NetScaler Gateway and StoreFront Server.
  2. SAN certificate should have the URL that is used for Internal Beacon.
  3. Create a CNAME record on the DNS for Internal Beacon address and point it to StoreFront Server IP or Load Balancing IP of StoreFront.

    User-added image

 

Issue/Introduction

This article describes how to Configure Internal Beacon for Single FQDN on StoreFront

Additional Information

Citrix Documentation - Create a single FQDN to access a store internally and externally