How to Force Connections Through NetScaler Gateway Using Optimal Gateway Feature of StoreFront

Article ID: CTX200129

Description

This article describes how to use the Optimal Gateway setting available in StoreFront to force applications to launch through NetScaler Gateway. It applies when accessing StoreFront through Citrix Receiver to connect to a NetScaler Gateway virtual server and launching resources from XenApp/XenDesktop using a single logon attempt (single sign-on).

Requirements

  • 2 NetScaler Gateway VPXs

  • 2 XenDesktop 7.1 DDCs

  • 2 separate StoreFront servers 

Background

From a domain-joined device on the LAN/MPLS network, a user must log on only once, with domain credentials at the Windows logon prompt, and then be able to launch Citrix apps using native Receiver through a NetScaler-protected SSL connection. Before attempting to get this functionality to work, ensure that users can launch sessions with StoreFront directly, and then with NetScaler in ICA Proxy mode.


Instructions

You must have already configured NetScaler and StoreFront using CTX139963 - How to Configure NetScaler Gateway with StoreFront. Configure Receiver with Pass-through Authentication using CTX133855 - How to Configure Desktop Pass-Through with StoreFront and Receiver.

This architecture routes user authentication to the StoreFront server while the launch of the ICA session passes through the NetScaler, so that the connection is secured. Because the connection between Receiver and StoreFront uses HTTPS, credential handling between the Windows machine and the StoreFront servers is secure. With the customization made to StoreFront, the ICA ticket then routes the user connection through the NetScaler.

Refer to Citrix Documentation - Configure optimal NetScaler Gateway routing for a store. Modify the web.config file located at C:\inetpub\wwwroot\Citrix\Store\web.config to direct StoreFront to route user connections through the NetScaler Gateway. 

Set enabledOnDirectAccess="true" on the optimalGatewayForFarms element inside the optimalGatewayForFarmsCollection section, as in the following template:

<optimalGatewayForFarmsCollection>
  <optimalGatewayForFarms enabledOnDirectAccess="true">
    <farms>
      <farm name="farmname" />
    </farms>
    <optimalGateway key="_" name="deploymentname" stasUseLoadBalancing="{true | false}"
     stasBypassDuration="hh:mm:ss" enableSessionReliability="{true | false}"
     useTwoTickets="{true | false}">
      <hostnames>
        <add hostname="appliancefqdn:port" />
      </hostnames>
      <staUrls>
        <add staUrl="https://stapath/scripts/ctxsta.dll" />
      </staUrls>
    </optimalGateway>
  </optimalGatewayForFarms>
  <optimalGatewayForFarms>
    ...
  </optimalGatewayForFarms>
</optimalGatewayForFarmsCollection>
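
One way to check that a store's web.config matches the setting described above. This is an added example, not Citrix code: the function name Test-OptimalGatewayRouting, the trimmed sample XML, and all farm, gateway and host names are constructed, and the HTTPS check on STA URLs is an assumption of this example.

```powershell
# Added example, not Citrix code. Sample XML below is constructed; names are placeholders.
function Test-OptimalGatewayRouting {
    param([Parameter(Mandatory)][xml]$Config)
    $xpath = '//optimalGatewayForFarmsCollection/optimalGatewayForFarms'
    foreach ($entry in $Config.SelectNodes($xpath)) {
        $farms = @($entry.SelectNodes('farms/farm') | ForEach-Object { $_.GetAttribute('name') })
        $hosts = @($entry.SelectNodes('optimalGateway/hostnames/add') | ForEach-Object { $_.GetAttribute('hostname') })
        $stas  = @($entry.SelectNodes('optimalGateway/staUrls/add') | ForEach-Object { $_.GetAttribute('staUrl') })
        $findings = @()
        # Unless this is "true", users who log on to StoreFront directly are
        # not routed through the gateway defined for the farm.
        if ($entry.GetAttribute('enabledOnDirectAccess') -ne 'true') {
            $findings += 'enabledOnDirectAccess is not "true"'
        }
        if ($hosts.Count -eq 0) { $findings += 'no gateway hostname' }
        if ($stas.Count -eq 0)  { $findings += 'no STA URL' }
        # Assumption of this example: STA URLs use HTTPS, as in the template above.
        foreach ($u in $stas) {
            if ($u -notlike 'https://*') { $findings += "STA URL is not HTTPS: $u" }
        }
        [pscustomobject]@{
            Farms     = $farms -join ', '
            Gateway   = $hosts -join ', '
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join '; '
        }
    }
}

# Constructed sample: FarmA is configured as the article describes, FarmB is not.
[xml]$sample = @'
<configuration><optimalGatewayForFarmsCollection>
  <optimalGatewayForFarms enabledOnDirectAccess="true">
    <farms><farm name="FarmA" /></farms>
    <optimalGateway key="_" name="GatewayA">
      <hostnames><add hostname="gateway-a.example.com:443" /></hostnames>
      <staUrls><add staUrl="https://sta-a.example.com/scripts/ctxsta.dll" /></staUrls>
    </optimalGateway>
  </optimalGatewayForFarms>
  <optimalGatewayForFarms>
    <farms><farm name="FarmB" /></farms>
    <optimalGateway key="_" name="GatewayB">
      <hostnames><add hostname="gateway-b.example.com:443" /></hostnames>
      <staUrls><add staUrl="http://sta-b.example.com/scripts/ctxsta.dll" /></staUrls>
    </optimalGateway>
  </optimalGatewayForFarms>
</optimalGatewayForFarmsCollection></configuration>
'@
Test-OptimalGatewayRouting -Config $sample | Format-List
```

To audit a real store, load C:\inetpub\wwwroot\Citrix\Store\web.config with Get-Content -Raw, cast it to [xml], and pass it as -Config.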

Additional Information

Citrix Documentation - Configure optimal NetScaler Gateway routing for a store

CTX139963 - How to Configure NetScaler Gateway with StoreFront

CTX133855 - How to Configure Desktop Pass-Through with StoreFront and Receiver