Intermittent Session Launch Failure with Active/Active StoreFront Server Groups
Article ID: CTX460312
Description
Users intermittently fail to receive ICA files from StoreFront when trying to launch a new session in the following circumstances (all of the below conditions must apply):
No error message is displayed to the user. The issue is more often seen with external users connecting through Citrix Gateway, but may also be experienced by internal users connecting to StoreFront.
Environment
The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.
Resolution
To force the user web session to be persistent to one StoreFront server group for the lifetime of the client detection process, from login through to ICA file delivery, rewrites can be configured on Citrix ADC to insert location-specific addresses. These rewrite policies are bound to either the Gateway vServers, the StoreFront load balancing vServers, or both, depending on whether the issue is experienced externally, internally, or both, respectively. The location-specific addresses used are not visible to the end user and do not impact the contents of the ICA file; therefore this code does not impact user session routing and can be used alongside features such as Optimal HDX Routing.
Note that the solution relies on placeholder names as documented below under "Naming Conventions" and the sample is based on an environment with two GSLB sites, but could be expanded to additional locations. The placeholder names must be updated to reflect a customer’s as-built environment. If the code sample is used exactly as written, it is unlikely to function as designed. It is strongly recommended to test any changes in a pre-production environment before deploying to production.
Naming Conventions
- Gateway.acme.com – GSLB Citrix Gateway address
- SiteA.gateway.acme.com – Specific URL for Site A Citrix Gateway
- SiteB.gateway.acme.com - Specific URL for Site B Citrix Gateway
- Storefront.acme.net – GSLB StoreFront address, also base URL shared by server groups
- SiteA.storefront.acme.net – Specific URL for Site A StoreFront server group
- SiteB.storefront.acme.net - Specific URL for Site B StoreFront server group
- Store – Store name defined in StoreFront with “StoreWeb” as the corresponding website
- gw_vserver – name of Gateway vServer object on both SiteA and SiteB ADCs
- sf_vserver – name of StoreFront load balancing vServer object on both SiteA and SiteB ADCs
GSLB Citrix Gateway-based Access
Required DNS Records
- All required DNS records to support GSLB for gateway.acme.com
- A record for SiteA.gateway.acme.com resolving to SiteA Gateway VIP in external DNS
- A record for SiteB.gateway.acme.com resolving to SiteB Gateway VIP in external DNS
- Local A record on SiteA Gateway resolving storefront.acme.net to local load balancing vServer for SiteA StoreFront server group (this URL will not be rewritten)
- Local A record on SiteB Gateway resolving storefront.acme.net to local load balancing vServer for SiteB StoreFront server group (this URL will not be rewritten)
Required rewrite policies on both SiteA and SiteB ADCs
```
add policy expression rw_action_target_post_domain "HTTP.RES.BODY(10000).XPATH_JSON_WITH_MARKUP(xp%/postbackUrl%).SET_TEXT_MODE(BACKSLASH_ENCODED).AFTER_STR(\":\").AFTER_STR(\"//\").BEFORE_STR(\"/\")"
add rewrite action rw_act_postbackUrl replace rw_action_target_post_domain rw_act_replace
add rewrite policy rw_pol_postbackUrl_externalaccess "HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.URL.PATH.EQ(\"/Citrix/StoreWeb/ClientAssistant/GetDetectionTicket\") && rw_action_target_post_domain.EQ(\"gateway.acme.com\")" rw_act_postbackUrl
bind vpn vserver gw_vserver -policy rw_pol_postbackUrl_externalaccess -priority 100 -gotoPriorityExpression NEXT -type RESPONSE
add policy expression rw_action_target_file_domain "HTTP.RES.BODY(10000).XPATH_JSON_WITH_MARKUP(xp%/fileFetchUrl%).SET_TEXT_MODE(BACKSLASH_ENCODED).AFTER_STR(\":\").AFTER_STR(\"//\").BEFORE_STR(\"/\")"
add rewrite action rw_act_filefetchUrl replace rw_action_target_file_domain rw_act_replace
add rewrite policy rw_pol_filefetchUrl_externalaccess "HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.URL.PATH.STARTSWITH(\"/Citrix/StoreWeb/Resources/GetLaunchStatus\") && rw_action_target_file_domain.EQ(\"gateway.acme.com\")" rw_act_filefetchUrl
bind vpn vserver gw_vserver -policy rw_pol_filefetchUrl_externalaccess -priority 110 -gotoPriorityExpression NEXT -type RESPONSE
add rewrite action rw_act_req_filefetchurl delete_http_header Accept-Encoding
add rewrite policy rw_pol_req_filefetchUrl_externalaccess "HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.URL.PATH.CONTAINS(\"/Citrix/StoreWeb/Resources/GetLaunchStatus/\")" rw_act_req_filefetchurl
bind vpn vserver gw_vserver -policy rw_pol_req_filefetchUrl_externalaccess -priority 120 -gotoPriorityExpression NEXT -type REQUEST
```
New rewrite action SiteA ADC only
```
add policy expression rw_act_replace "\"sitea.gateway.acme.com\""
```
New rewrite action SiteB ADC only
```
add policy expression rw_act_replace "\"siteb.gateway.acme.com\""
```
GSLB Access to StoreFront (assumes ADC is being used to GSLB)
Required DNS Records
- All required DNS records to support GSLB for storefront.acme.net
- A record resolving SiteA.storefront.acme.net to local load balancing vServer for SiteA StoreFront server group in internal DNS
- A record resolving SiteB.storefront.acme.net to local load balancing vServer for SiteB StoreFront server group in internal DNS
Required rewrite policies on both SiteA and SiteB ADCs
```
add policy expression rw_action_target_post_domain "HTTP.RES.BODY(10000).XPATH_JSON_WITH_MARKUP(xp%/postbackUrl%).SET_TEXT_MODE(BACKSLASH_ENCODED).AFTER_STR(\":\").AFTER_STR(\"//\").BEFORE_STR(\"/\")"
add rewrite action rw_act_postbackUrl replace rw_action_target_post_domain rw_act_replace
add rewrite policy rw_pol_postbackUrl_internalaccess "HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.URL.PATH.EQ(\"/Citrix/StoreWeb/ClientAssistant/GetDetectionTicket\") && rw_action_target_post_domain.EQ(\"storefront.acme.net\")" rw_act_postbackUrl
bind lb vserver sf_vserver -policyName rw_pol_postbackUrl_internalaccess -priority 100 -gotoPriorityExpression next -type RESPONSE
add policy expression rw_action_target_file_domain "HTTP.RES.BODY(10000).XPATH_JSON_WITH_MARKUP(xp%/fileFetchUrl%).SET_TEXT_MODE(BACKSLASH_ENCODED).AFTER_STR(\":\").AFTER_STR(\"//\").BEFORE_STR(\"/\")"
add rewrite action rw_act_filefetchUrl replace rw_action_target_file_domain rw_act_replace
add rewrite policy rw_pol_filefetchUrl_internalaccess "HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.URL.PATH.STARTSWITH(\"/Citrix/StoreWeb/Resources/GetLaunchStatus\") && rw_action_target_file_domain.EQ(\"storefront.acme.net\")" rw_act_filefetchUrl
bind lb vserver sf_vserver -policyName rw_pol_filefetchUrl_internalaccess -priority 110 -gotoPriorityExpression next -type RESPONSE
add rewrite action rw_act_req_filefetchurl delete_http_header Accept-Encoding
add rewrite policy rw_pol_req_filefetchUrl_internalaccess "HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.URL.PATH.CONTAINS(\"/Citrix/StoreWeb/Resources/GetLaunchStatus/\")" rw_act_req_filefetchurl
bind lb vserver sf_vserver -policyName rw_pol_req_filefetchUrl_internalaccess -priority 120 -gotoPriorityExpression NEXT -type REQUEST
```
New rewrite action SiteA ADC only
```
add policy expression rw_act_replace "\"sitea.storefront.acme.net\""
```
New rewrite action SiteB ADC only
```
add policy expression rw_act_replace "\"siteb.storefront.acme.net\""
```
Problem Cause
User web sessions must remain sticky to the same StoreFront server group up to ICA session launch. Site persistence in GSLB architectures is typically achieved via HTTP cookies. However, communication from the user's browser to the Citrix Web Helper is achieved via JavaScript, which cannot read HTTP cookies, so the browser-based way to achieve persistence cannot be used. As a result, information communicated between the Web Helper and StoreFront, such as the presence of Workspace app on the endpoint and retrieval of the ICA file for launch, can be misrouted between StoreFront server groups. The session launch then fails because the request to retrieve the ICA file may be sent to a StoreFront server that has no knowledge of the original launch request, and therefore has no file prepared to retrieve.
Additional Information
The Web Helper is a small program installed on the client device as part of Receiver/Workspace app. Its purpose is to indicate to the web site that Receiver/Workspace app is installed and to communicate properties that control certain website functionality. There are two main phases of the user web session during which it is invoked:
- When the user is prompted to detect (and optionally install) Receiver / Workspace app
  - The browser requests a Client Detection Ticket (CDT) from StoreFront
  - This is passed through the browser to the Web Helper along with a postbackURL where the information should be sent. The postback URL is either the Gateway GSLB address (external) or StoreFront base URL (internal). The postbackURL is what is being rewritten in the above solution.
  - Web Helper collects information about Receiver/Workspace app (if installed) on the endpoint and submits it along with the CDT to the postbackURL
  - Once received, StoreFront stores the CDT
  - The browser retrieves the client information from StoreFront
- When the user selects an app or desktop to launch
  - The browser sends the launch request to StoreFront and requests a FileFetchTicket (FFT), which is later exchanged for the ICA file
  - StoreFront creates the FFT and the ICA file, stores the ICA file on the server keyed by the FFT, and supplies the FFT back to the browser
  - The browser supplies the FFT to Web Helper along with a postbackURL where the request for the ICA file should be sent. The postback URL is either the Gateway GSLB address (external) or StoreFront base URL (internal). The postbackURL is what is being rewritten in the above solution.
  - The Web Helper sends a request to the postbackURL to request the ICA file, supplying the FFT.
  - StoreFront uses the FFT to retrieve the ICA file and supply it back to the Web Helper, which invokes the HDX engine on the endpoint to launch the session
The general process is similar for external (through Gateway) and internal (direct to StoreFront) with the exception that with external communication to StoreFront being proxied through Gateway, STA tickets are invoked to communicate information securely.
For more information on ADC rewrites: https://docs.citrix.com/en-us/citrix-adc/current-release/appexpert/rewrite.html
For more information on the client detection process: https://support.citrix.com/article/CTX202986/chrome-external-protocol-handler-not-working-apps-not-launching-automatically-instead-it-downloads-ica-files
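The misrouting described under Problem Cause and the effect of the fileFetchUrl rewrite, modeled in Python as an added example (not Citrix code). Only the top-level fileFetchUrl key and the placeholder host names come from the article; the response body, fetch path, ticket value and all class and function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit, urlunsplit

GSLB_HOST = "gateway.acme.com"  # placeholder names from the article
SITE_HOSTS = {"SiteA": "sitea.gateway.acme.com", "SiteB": "siteb.gateway.acme.com"}


class ServerGroup:
    """One StoreFront server group; its FFT -> ICA file store is local to the group."""

    def __init__(self, site):
        self.site, self.ica_by_fft = site, {}

    def get_launch_status(self, fft):
        # Constructed response: only the top-level fileFetchUrl key comes from the
        # article; the path and query string are illustrative.
        self.ica_by_fft[fft] = f"[ICA file prepared at {self.site}]"
        url = f"https://{GSLB_HOST}/constructed/fetch?ticket={fft}"
        return json.dumps({"fileFetchUrl": url})

    def fetch_ica(self, fft):
        return self.ica_by_fft.get(fft)  # None: this group never saw the launch


def rewrite_host(body, key, site):
    """Model of the response rewrite: swap the GSLB host in body[key] for the site host."""
    doc = json.loads(body)
    parts = urlsplit(doc.get(key, ""))
    if parts.hostname == GSLB_HOST:  # mirrors the .EQ("gateway.acme.com") guard
        doc[key] = urlunsplit(parts._replace(netloc=SITE_HOSTS[site]))
    return json.dumps(doc)


def web_helper_fetch(body, groups, gslb_answer):
    """Web Helper side: pick the site the URL host leads to, then redeem the FFT there."""
    url = urlsplit(json.loads(body)["fileFetchUrl"])
    by_host = {host: site for site, host in SITE_HOSTS.items()}
    site = by_host.get(url.hostname, gslb_answer)  # GSLB name can land on either site
    return groups[site].fetch_ica(url.query.split("=", 1)[1])


def launch(rewrite, gslb_answer="SiteB"):
    """Browser is persistent to SiteA; the Web Helper resolves the URL independently."""
    groups = {site: ServerGroup(site) for site in SITE_HOSTS}
    body = groups["SiteA"].get_launch_status("FFT-0001")  # constructed ticket value
    if rewrite:
        body = rewrite_host(body, "fileFetchUrl", "SiteA")  # policy on the SiteA ADC
    return web_helper_fetch(body, groups, gslb_answer)
```

`launch(rewrite=False)` returns `None` when GSLB answers with SiteB and succeeds when it happens to answer with SiteA, which is the intermittent pattern; with `rewrite=True` the result no longer depends on the GSLB answer.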