I’ve been try to integrate CloudGateway Express (CGE) with Access Gateway for a while now. Last week I finally achieved my goal – no thanks to Citrix technical support (I have a one and a half week old ticket open), Citrix Knowledgebase/eDocs, or Google-at-large.
So, as you will now be aware, Citrix is ending its support for Web Interface as we currently know it. There’s still a few years before end-of-life, but we’re currently in the turmoil of switching how our users launch their applications, so I figured I should go ahead and move in the direction of the technology. And, we have a Chromebook in the Enterprise (which requires Storefront Services and will not work with Web Interface at all).
The recommended way to deploy StoreFront is with Access Gateway if you’re going to use it outside of your firewall – which we are, so I am. There are plenty of guides for setting up StoreFront, so I won’t go into much depth with it, except as it applies to AG. And, setting up a NetScaler would require a different article, so I’ll assume you also have one of those that’s licensed for AG.
Once you have SF and AG ready to go, it’s time to make them work together. I was told a couple of conflicting things by Citrix Support when I started this, so I’ll talk about what worked for me specifically. First, make sure you have SF 1.2 and NetScaler 10. Once support technician said a later version of 9.3 would work, another said we needed 10. I said that if I’m upgrading, I might as well go all-out and went to 10, so what follows applies to it. Also, I’ll assume our SF site is named sf.domain.com and our AG site is named agee.domain.com. It’s best to name them differently as well see later on.
First, let’s open the StoreFront console and find your way to the Gateways tab and click “Add Gateway Server” on the right. Enter a display name, the gateway URL, and your NetScaler’s SNIP (this can be found in the Network>IP section of the NS GUI – look for the SNIP on the same subnet as the CGE machine).

On the next screen, enter your AG’s URL again just as you entered it above.
Next, enter your secure ticket authorities (STAs). Remember exactly what you entered here. You’ll need them later.
Click “Create” and you’re finished with this wizard.
Now, go over to Beacons on the left and let’s verify them. I didn’t have to change anything here, but I want to explain what’s going on.

StoreFront uses the beacons to determine where a connecting endpoint is. If it can contact sf.domain.com, then it assume the endpoint in inside the network. If it can contact agee.domain.com and not sf.domain.com, it assumes it is outside of the network. If you’re inside, Receiver 3.1 will use the inside’s address and bypass the AG, so don’t publish sf.domain.com on external DNS or through the firewall. The citrix.com URL is a secondary external beacon. I’m not quite sure of its point. Presumably you’ll have internet access whether you’re internal or external.
Now, let’s go up to Stores on the left of the console. Highlight your store in the middle, and click “Enable Remote Access” on the right. Click “No VPN Tunnel”, check the gateway we created earlier, and click OK.

We’re done with StoreFront’s configuration. Be careful , though, because I had some trouble authenticating at this point because the AG isn’t setup on the NetScaler yet, and StoreFront is looking to NetScaler for authentication.
Now, let’s open our NetScaler GUI. I’m told that NS10 Build 70.7 is best viewed in Chrome because they are switching from Java to HTML, but I digress. Find the Access Gateway section on the left and open it. We’re about to create three session policies and three session profiles.
First, add a new session policy. Call it something like “Receiver Web Policy”. This is the policy and profile we’ll use to identify when we should return StoreFront Web instead of a services site.
First, let’s add the following expression to the policy:
REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver
You can do this with the Advanced Free-Form editor, or add it manually via the “Add…” button. Now, click “New…” to create a new request profile. This will tell the NetScaler what to do when the expression above is matched. Call the profile something like “Receiver Web Profile”.
On the Client Experience tab, check and allow “Clientless Access”, and check “Single Sign-on to Web Applications”. On the Security tab, check “Default Authorization Action” and set it to allow. On the Published Applications tab, check “ICA Proxy” and set it to on, check and set your “Web Interface Address” (in our example, https://sf.domain.com/Citrix/SFWeb). You can set the “Single Sign-on Domain” if you’d like. This will keep users from having to type their domain every time they login (use your best judgment if this isn’t appropriate for your environment).
Here are the screenshots for these three tabs. Ignore the Network Configuration tab.
Click OK, and now your session policy should look something like this:

This says that if the HEADER returned by the connecting endpoint does not contain “CitrixReceiver”, return the web interface because it’s probably just a web browser.
Now, let’s create another policy for StoreFront Services. This policy will match and handle things like Receiver 3.1 that can take full advantage of the new CloudGateway stuff.
Same procedure as before – create a new policy, call it something like “StoreFront Services Policy”, and use this expression:
REQ.HTTP.HEADER X-Citrix-Gateway EXISTS
And create a new profile called “StoreFront Services Profile”. The Client Experience and Security tabs are the same as above. The Published Application tab is also the same, except there is no Web Interface Address (I’m not sure why).
And one last one, “PNA Services Policy” with this expression:
REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver || REQ.HTTP.HEADER X-Citrix-Gateway NOTEXISTS
In its profile, “PNA Services Profile”, the Client Experience tab should have “Single Sign-on to Web Applications” checked, the Security tab is the same, check and allow the “Default Authorization Action”, and the Published Applications tab will have “ICA Proxy” checked and on, and the “Web Interface Address” will be the legacy services URL that you can find in the StoreFront console. In our example, it’s https://sf.domain.com/Citrix/SF/PNAgent/config.xml.
Whew. We’re all done with policies and profiles. Let’s go back to the Access GatewayVirtual Servers section in the NetScaler.
From here, create your Access Gateway as you normally would (I’m not going to cover it here). On the Policies tab, add the three policies above in the following order: Receiver, PNA, Storefront. I saw another blog article that said put PNA first, but that didn’t work for me.
Lastly (assuming you have the rest of the AG setup properly), click the Clientless button under the Policy tab. You’ll need to insert a policy here. Click on New Policy, give it a name, then click “New…” to add a new profile. Give it a name here, then click Create. There are no settings that need to be made. Type the word “true” into the Expression box and click OK.
You’re all set.