The Windows Receiver requires an “HTTPS” URL by default. If you add your URL like this, it will by default go over HTTPS on an encrypted SSL/TLS connection:

If you add “HTTPS” to it, it will look fine as well:

If you add “HTTP” to the URL, it will give you a warning like this:

“HTTP Store requires additional configuration before being added to the Citrix Receiver. Please contact your system administrator.”

This is because the best practice is to always use SSL, whether on the front end for clients or for backend communication to your servers. I always take this approach in Production environments.

Anytime I deploy something I always take on a FIPS 140-2 mindset, because even though you may not have to worry about FIPS compliance right now, you may need to do something similar later even through another regulatory body. It’s best to just start out on the right foot securing your infrastructure anytime you build something, no matter what industry you are in. In a nutshell, encrypt everything in your datacenter. An attacker gaining a foothold in your datacenter is all too common these days, so make it as hard as possible for them to sniff out traffic.

Citrix doesn’t want you to add an HTTP based StoreFront URL here. That’s fine, but we’re adding an HTTPS based NetScaler Gateway URL.

In some environments I’ve seen, people like to use the NetScaler Gateway for HTTPS traffic to the clients, but leave the backend to StoreFront on HTTP over port 80. This saves just a little bit of cash on buying another cert and shaves a few minutes off a StoreFront deployment (binding an SSL cert in IIS). Not worth it in my opinion, but I’ve seen it. In my case I had done this setup in my lab in the interest of time for a quick XenApp 7.12 demo, where I just changed my NetScaler Gateway session policy to go from my normal Production environment to this new demo environment. And that’s when I noticed this was failing for Windows Receivers.

My NetScaler Gateway 11.1 and StoreFront 3.8 Setup

To explain my setup, here is my NetScaler Gateway that all my Receivers are connecting to:

Here is the session policy for native Receivers:

And here is the session profile it invokes. This URL is hitting a load balanced vServer on the NetScaler with both my StoreFront servers behind it:

Here is the load balanced vServer with my 2 StoreFront servers in a Service Group behind it. You can see here I am using HTTP (port 80):

On my StoreFront 3.8 servers, I have not installed an SSL cert in IIS. I have configured my StoreFront Base URL to be an HTTP site only. You can see here StoreFront is warning me about this because again, in Production environments you should always use SSL whenever possible:

In some cases, you may want to force an HTTP StoreFront URL against best practices. This can be accomplished by following this CTX article from Citrix called “How to Configure Citrix Receiver for Windows to Manually Add HTTP Stores”:

We’re adding an HTTPS URL from the NetScaler Gateway and not direct StoreFront. Because the backend StoreFront Base URL is HTTP, the Windows Receiver sees this in its config after authenticating against the NetScaler Gateway and pulling down the config. Other Receivers are fine, but the Windows Receiver fails.
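
The setup described in this post (HTTPS on the Gateway, HTTP from the session profile through the load balanced vServer to StoreFront) can be spotted in a saved NetScaler configuration. The following is an added example, not code from the original post or from Citrix: a small Python audit that flags session profiles whose StoreFront URL is `http://` and lists HTTP-type load balancing objects. The ns.conf fragment is constructed, and every object name, IP and hostname in it is made up.

```python
import shlex

# Constructed ns.conf fragment: every object name, IP and hostname is made up.
SAMPLE_NS_CONF = '''
add serviceGroup sg_storefront HTTP -maxClient 0
add serviceGroup sg_storefront_tls SSL -maxClient 0
add lb vserver lb_storefront HTTP 10.0.0.50 80 -persistenceType SOURCEIP
add lb vserver lb_storefront_tls SSL 10.0.0.51 443
bind lb vserver lb_storefront sg_storefront
add vpn sessionAction prof_demo -wihome "http://sf.example.internal/Citrix/StoreWeb" -storefronturl "http://sf.example.internal"
add vpn sessionAction prof_prod -wihome "https://sf.example.internal/Citrix/StoreWeb"
add vpn sessionPolicy pol_demo "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" prof_demo
add vpn sessionPolicy pol_prod ns_true prof_prod
'''

URL_OPTIONS = ("-wihome", "-storefronturl")  # session profile settings that carry the StoreFront address


def find_cleartext_backends(conf_text):
    """Report session profiles with http:// StoreFront URLs and HTTP-type LB objects."""
    profiles, policies, backends = {}, {}, []
    for line in conf_text.splitlines():
        tok = shlex.split(line)  # keeps quoted policy rules and URLs as single tokens
        if len(tok) < 4 or tok[0] != "add":
            continue
        if tok[1:3] == ["vpn", "sessionAction"]:
            for opt, val in zip(tok[4:], tok[5:]):  # adjacent pairs: "-option value"
                if opt in URL_OPTIONS and val.lower().startswith("http://"):
                    profiles.setdefault(tok[3], []).append(f"{opt} {val}")
        elif tok[1:3] == ["vpn", "sessionPolicy"] and len(tok) >= 6:
            # add vpn sessionPolicy <name> <rule> <profile>
            policies.setdefault(tok[5], []).append(tok[3])
        elif tok[1:3] == ["lb", "vserver"] and len(tok) >= 5 and tok[4] == "HTTP":
            backends.append(("lb vserver", tok[3]))
        elif tok[1] == "serviceGroup" and tok[3] == "HTTP":
            backends.append(("serviceGroup", tok[2]))
    return {
        "profiles": {name: {"urls": urls, "policies": policies.get(name, [])}
                     for name, urls in profiles.items()},
        "http_backends": backends,
    }


if __name__ == "__main__":
    report = find_cleartext_backends(SAMPLE_NS_CONF)
    for name, info in report["profiles"].items():
        print(f"session profile {name} (invoked by {info['policies']}): {info['urls']}")
    for kind, name in report["http_backends"]:
        print(f"{kind} {name}: service type HTTP")
```

The HTTP-type objects are listed as candidates only; match them by hand to the host in the flagged profile URL, since other HTTP vServers on the same appliance may be unrelated to StoreFront.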