Lab: Part 23 – Securing Citrix StoreFront DMZ deployment

On 15 Jun 2016




A complete guide to deploy Citrix StoreFront 3.6 in DMZ with NetScaler Gateway.

Make sure to catch up this series' previous posts first!

 

It’s been a while since CitrixGuru posted a lab article, but we are excited to go in depth with StoreFront once again, this time exploring DMZ implementation.

Most large organizations protect their internal network using a DMZ. The purpose of a DMZ is to secure access (usually from the Internet) to the internal network: any potentially vulnerable service that is exposed to users on the external network is placed in the DMZ and gets only limited connectivity to the internal network. Citrix services, such as our beloved Web Interface and its little brother StoreFront, are often used alongside NetScaler Gateway to provide remote access for corporate users.

Citrix recently released StoreFront 3.6, bringing back non-domain deployment, which removes the need to have a dedicated Active Directory domain in the DMZ. Previously, StoreFront DMZ implementation was a pain-in-the-you-know-what because StoreFront servers had to be members of an AD domain, but now StoreFront servers can be standalone in a WORKGROUP configuration. They will not sync their configurations, but will behave the same way as Web Interface 5.x servers, delegating authentication to the controllers located in the LAN. In that case, it is important to secure the XML/STA communication between the two zones with HTTPS.

I’ve seen many articles online dealing with DMZ implementation and most of them leave the Web servers in the LAN, which does not fit the needs of large organizations.

In this article, we will review the most common DMZ architecture with two firewalls (between Internet/DMZ and between DMZ/LAN). Citrix StoreFront servers and NetScaler VPX appliances will be located in the DMZ, XenDesktop controllers and application servers in the LAN. Let’s get to it.

Lab Architecture

Below is the diagram of our lab:

[Diagram: Securing StoreFront DMZ Schema]

Lab configuration

NetScalers

  • 2 NetScalers configured in HA located in DMZ
  • NS01 – NSIP: 192.168.1.199
  • NS02 – NSIP: 192.168.1.200
  • HA IP: 192.168.1.201
  • Zone: DMZ
  • Version 11.0 62.10nc
  • MobaXterm and Putty installed on the Client

StoreFront

  • 2 servers running 2012 R2
  • DMZSF01 – 192.168.1.61/24
  • DMZSF02 – 192.168.1.62/24
  • GTW 192.168.1.99
  • 1024 MB of RAM
  • 2 vCPU
  • 50GB disk
  • StoreFront 3.6.0.33
  • Zone: DMZ
  • WORKGROUP
  • URL: sf-ext.citrixguru.lab
  • LB IP: 192.168.1.23
  • NetScaler Gateway IP: 192.168.1.22
  • Port : 443 (HTTPS)

Controllers

  • 2 servers running 2012 R2
  • CDC01 – 10.0.0.71
  • CDC02 – 10.0.0.72
  • XenDesktop 7.9
  • XML Port : 8090
  • XML Secure Port: 443
  • STA 8090
  • STA Secure Port: 443
  • SSL/TLS Port: 443
  • Zone: LAN
  • Domain: citrixguru.lab
  • LB IP : 192.168.1.24

Requirements

For this post, you need to have the following items ready:

Ports

You need to open the following ports in your back-end firewall:

| Item    | Source                                | Destination        | Port      |
|---------|---------------------------------------|--------------------|-----------|
| XML     | StoreFront servers in DMZ             | XML Controllers    | 443       |
| STA     | StoreFront servers in DMZ, NetScalers | STA Controllers    | 443       |
| LDAP    | NetScalers                            | Domain Controllers | 636       |
| ICA/HDX | NetScalers                            | Citrix app servers | 1494/2598 |
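The table above is only useful if the back-end firewall really enforces it. The following PowerShell script is an added example (it is not part of the original post) that probes the rules from a StoreFront server in the DMZ. It assumes, which the page does not state explicitly, that the back-end firewall denies every flow not listed in the table, so from a StoreFront server only TCP 443 to the controllers should be reachable; the domain controller and application server addresses are placeholders, the controller names are the lab values.

```powershell
# Added example (not from the original post): checks the back-end firewall rules
# listed in the port table, run from a StoreFront server in the DMZ.
# Assumptions (not stated on the page): the back-end firewall denies every flow that
# is not in the table, so from a StoreFront server only TCP 443 to the controllers
# is expected to be open; DC and application server addresses are placeholders.

$controllers       = 'cdc01.citrixguru.lab', 'cdc02.citrixguru.lab'   # lab values
$domainControllers = '10.0.0.10'        # placeholder: your LAN domain controllers
$appServers        = '10.0.0.50'        # placeholder: a XenApp/XenDesktop session host

function Test-FirewallRule {
    # Probes one table row and reports whether the observed state matches the expectation
    param(
        [Parameter(Mandatory)][string]$Item,
        [Parameter(Mandatory)][string[]]$Destination,
        [Parameter(Mandatory)][int[]]$Port,
        [Parameter(Mandatory)][bool]$ExpectedOpen
    )
    foreach ($d in $Destination) {
        foreach ($p in $Port) {
            # -InformationLevel Quiet returns $true/$false for the TCP connect attempt
            $open = Test-NetConnection -ComputerName $d -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue
            if ($open -eq $ExpectedOpen) { $result = 'OK' } else { $result = 'MISMATCH' }
            [pscustomobject]@{
                Item = $Item; Destination = $d; Port = $p
                Open = $open; ExpectedOpen = $ExpectedOpen; Result = $result
            }
        }
    }
}

$results = @(
    # Rows whose source is "StoreFront servers in DMZ": must be reachable
    Test-FirewallRule -Item 'XML/STA (HTTPS)' -Destination $controllers -Port 443 -ExpectedOpen $true
    # HTTP XML on 8090 is only used for the initial validation and is not in the table:
    # once the farm is switched to HTTPS it should be closed again
    Test-FirewallRule -Item 'XML (HTTP)' -Destination $controllers -Port 8090 -ExpectedOpen $false
    # Rows whose source is "NetScalers" only: a StoreFront server has no business reaching them
    Test-FirewallRule -Item 'LDAP' -Destination $domainControllers -Port 636 -ExpectedOpen $false
    Test-FirewallRule -Item 'ICA/HDX' -Destination $appServers -Port 1494, 2598 -ExpectedOpen $false
)

$results | Format-Table -AutoSize
if ($results.Result -contains 'MISMATCH') {
    Write-Warning 'Back-end firewall does not match the port table; review the MISMATCH rows.'
}
```

Run it on each StoreFront server after the firewall change; a MISMATCH on an "expected closed" row means the DMZ server has more reach into the LAN than the design calls for, which is exactly what the DMZ is supposed to prevent.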

 

Download Citrix StoreFront 3.6

Citrix StoreFront 3.6 is available here: https://www.citrix.com/downloads/storefront-web-interface/product-software/storefront-36.html

Check out StoreFront 3.6 documentation here: http://docs.citrix.com/en-us/storefront/3-6.html

Release Date: Jun 1, 2016
Subscription Advantage eligibility date: May 18, 2016

Install Citrix StoreFront 3.6

We already discussed how to install Citrix StoreFront in this article: Lab: Part 14 – Citrix StoreFront 3.x.

Learn more about StoreFront 3.6: http://docs.citrix.com/en-us/storefront/3-6/about-36.html

For this article, below is the most exciting new feature:

  • Non-domain joined server deployment. Prior to this version, you could install StoreFront only on servers that were joined to an Active Directory domain. This version supports installation and configuration of StoreFront on non-domain joined servers. Note that in a non-domain joined server deployment, you must delegate authentication to delivery controllers and server groups are not supported. 

Configure StoreFront

Let’s start with the configuration of Citrix StoreFront. We will configure a new Store with the default configuration to validate that everything is working fine.

As StoreFront servers in Workgroup are standalone, you need to repeat the same actions on both servers.

  • Base URL: http://dmzsf02/ (Not HTTPS for now)
[Screenshot: New base URL]

Select Next.

[Screenshot: Getting Started]

  • Store Name: External 
  • Set this Receiver for Web site as IIS default 
[Screenshot: Store Name and Access configuration]

Now we need to add the controllers.

[Screenshot: Delivery controllers configuration]

To validate the controllers, HTTP on port 8090 will be used for now.

  • Name: XD7
  • Type: XenDesktop (7.0 or higher)
  • Servers: cdc01.citrixguru.lab and cdc02.citrixguru.lab
  • Servers are load balanced
  • Type: HTTP
  • Port: 8090
[Screenshot: Delivery controllers configuration, continued]

The delivery controllers are now configured in Citrix StoreFront.

[Screenshot: Delivery controllers configured]

For now we will not configure Remote Access.

[Screenshot: Remote Access]

Only check User Name and Password in Authentication Methods.

[Screenshot: Authentication Methods]

StoreFront will automatically configure your controllers for Password Validation if installed on a server not in a domain.

[Screenshot: Password Validation]

Disable Services URL.

[Screenshot: Services URL]

The new Store is created.

[Screenshot: Store created]

Now connect to the Store URL to validate that it is working as expected.

  • http://dmzsf02/Citrix/ExternalWeb
[Screenshot: Store validation]

Icons are displayed. XML communication is working properly.

[Screenshot: Store validated]

Secure Citrix components

XML/STA

By default, and as configured in the previous step, XenDesktop does not secure XML/STA communication. When StoreFront is used externally, you must enable HTTPS for all of this communication.

Below is the process to enable SSL/TLS on XenDesktop controllers:

  1. Generate TLS certificates for all XenDesktop 7.x controllers with your internal CA (Make sure that your controllers trust the Root CA)
  2. Import certificates on XenDesktop controllers
  3. Register the TLS certificate for HTTPS on the server

To register the certificate on the server, run the registration command with the following parameters:

  • IP Address: IP of the server
  • Port Number: 443
  • Certificate Hash Number: the thumbprint of the certificate imported in step 2
    [Screenshot: certificate thumbprint]
  • Citrix Broker Service GUID
    [Screenshot: Citrix Broker Service GUID]
    Note: the format of the GUID must be XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    Search the registry for "Citrix Broker Service"; the result should be found in the default location HKEY_CLASSES_ROOT\Installer\Products\

Example:

[Screenshot: Add SSL Certificate]

In case you make a mistake, you can remove all SSL certificates bound to the IP with the following command:


Example:

[Screenshot: Remove SSL Certificate]

You need to repeat the steps on all your controllers.
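Because the registration has to be repeated on every controller, it is worth scripting. The PowerShell script below is an added example (not code from the original post or from CTX200415) that wraps the three steps above: it picks the imported certificate by the controller's FQDN, registers it with HTTP.sys on IP:443 under the Broker Service application id, shows the resulting binding, and can undo a wrong binding with -Remove. It assumes the certificate is already in the machine store, that the Broker Service GUID is supplied in the dashed format (the default value is a placeholder, not the real product GUID), and it defaults to the CDC01 lab values.

```powershell
# Added example (not from the original post or from CTX200415): wraps the certificate
# registration steps so they can be repeated identically on every controller.
# Assumptions: the controller certificate is already imported into Cert:\LocalMachine\My
# (step 2); the Broker Service GUID is supplied by the operator in the dashed format
# described above (the value below is a placeholder, not the real product GUID);
# IP and FQDN default to the CDC01 lab values.
param(
    [string]$IPAddress         = '10.0.0.71',
    [int]$Port                 = 443,
    [string]$ControllerFqdn    = 'cdc01.citrixguru.lab',
    [string]$BrokerServiceGuid = '00000000-0000-0000-0000-000000000000',   # placeholder
    [switch]$Remove
)

function Get-ControllerCertificate {
    # Newest unexpired certificate with a private key whose subject or SAN matches the FQDN
    param([Parameter(Mandatory)][string]$Fqdn)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
            ($_.Subject -match [regex]::Escape("CN=$Fqdn") -or $_.DnsNameList.Unicode -contains $Fqdn)
        } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

$ipport = "${IPAddress}:${Port}"

if ($Remove) {
    # Step back: drops whatever certificate HTTP.sys has bound to this IP:port
    netsh http delete sslcert "ipport=$ipport"
    return
}

if ($BrokerServiceGuid -notmatch '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$') {
    throw 'BrokerServiceGuid must use the format XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'
}
$cert = Get-ControllerCertificate -Fqdn $ControllerFqdn
if (-not $cert) { throw "No usable certificate for $ControllerFqdn in Cert:\LocalMachine\My" }

# netsh rejects a second binding for the same IP:port; run the script with -Remove first
# if a binding already exists.
netsh http add sslcert "ipport=$ipport" "certhash=$($cert.Thumbprint)" "appid={$BrokerServiceGuid}"

# Confirm what HTTP.sys actually bound before switching StoreFront to HTTPS/443
netsh http show sslcert "ipport=$ipport"
```

Run it in an elevated PowerShell on each controller, passing that controller's IP and FQDN; the final "show sslcert" output is the check that the hash and application id really match what you intended before StoreFront starts depending on the binding.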

Once configured, you can change the transport type to HTTPS and the port to 443 in the farm configuration in StoreFront.

[Screenshot: HTTPS/443 configuration]

Then try again to logon to validate the XML communication over HTTPS.

Source: CTX200415

Secure StoreFront website

As StoreFront servers in Workgroup are standalone, you need to repeat the same actions on both servers.

The secure URL of our StoreFront website is https://sf-ext.citrixguru.lab.

  1. Change Base URL to https://sf-ext.citrixguru.lab

    [Screenshot: Base URL with HTTPS]

  2. Import SSL certificate for StoreFront website

    [Screenshot: SSL Certificate StoreFront]

  3. Modify hosts file

To be able to test locally, I’ve added the following configuration in the hosts file:

  • On DMZSF01: 192.168.1.61 sf-ext.citrixguru.lab
  • On DMZSF02: 192.168.1.62 sf-ext.citrixguru.lab

Note: the hosts file is located in C:\Windows\System32\drivers\etc\

Make sure that IIS default website is configured as below on all StoreFront servers:

[Screenshot: IIS SSL configuration]

Validate that the website is working properly over HTTPS on both servers.

[Screenshot: HTTPS]

[Screenshot: StoreFront Website SSL validation]

StoreFront remote access configuration

NetScaler Gateway StoreFront configuration

As StoreFront servers in Workgroup are standalone, you need to repeat the same actions on both servers.

We need to configure StoreFront in order to use NetScaler Gateway when connecting externally because we don’t want our users to connect directly to the application servers like they usually do internally.

In the Actions menu, select Manage NetScaler Gateway.

[Screenshot: Manage NetScaler Gateway]

Create a new NetScaler Gateway Appliance:

  1. Role: Authentication and HDX routing
  2. URL: https://labs.citrixguru.com 
  3. Name: External
[Screenshot: New Gateway appliance]

Add the STA servers and select Load Balance multiple STA servers.

  • STA 1: https://cdc01.citrixguru.lab:443/Scripts/ctxsta.dll
  • STA 2: https://cdc02.citrixguru.lab:443/Scripts/ctxsta.dll

In our lab, XenDesktop controllers are STA servers.

[Screenshot: STA Configuration]

On the next screen, nothing needs to be changed. Select Create to finish.

[Screenshot: Select Create to finish]

Beacons

For our lab, default configuration is OK.

[Screenshot: Beacons configuration]

NetScaler Gateway

Configuration

To configure NetScaler Gateway, we could use the integrated wizard… but as we are on citrixguru.com, we will do everything from the command line!

Create new servers in the configuration

Create Service Groups

Configure Service groups

Bind Service groups to servers

Create Load Balancing virtual servers

Bind virtual servers to Service groups

Bind virtual servers to monitors

Create VPN Session Actions

Create VPN Session Policies

Configure VPN virtual server

Map SSL/TLS Certificates to virtual servers

Additional configuration

Apply new X1 theme

Validations

Connect to https://lab.citrixguru.com and enter credentials.

The logon page below is served by NetScaler.

[Screenshot: NetScaler Unified Gateway logon screen]

 

 

 

XenDesktop XML communication is validated when the icons are displayed in StoreFront.

[Screenshot: XML validation]

To validate XenDesktop STA, just click on an icon to start a new application. NetScaler will ask STA servers for a new ticket.

Here Microsoft Excel started properly.

[Screenshot: STA validation]

To troubleshoot STA, take a look at your NetScaler Gateway virtual server: go to NetScaler > NetScaler Gateway > NetScaler Gateway Virtual Servers, select your virtual server, and under Published Applications select STA servers.

[Screenshot: STA troubleshooting]

There you can confirm that none of your STA servers is reported as down.

Secure NetScaler Gateway

Here are the guidelines:

  • Do not use HTTP
  • Always use SHA2 TLS/SSL certificates
  • Configure Perfect Forward Secrecy
  • Disable SSL3
  • Enable TLS 1.0, 1.1 and 1.2
  • Disable RC4 ciphers
  • Enable HSTS/STS

Details about securing NetScaler Gateway are available in this post: Scoring an A+ on SSLLABS.COM with NetScaler 11 VPX

Once implemented, you can test your website here: https://www.ssllabs.com/ssltest/.
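SSL Labs can only see the gateway from the Internet; it cannot check the controllers' XML/STA endpoints inside the LAN, and it cannot tell you whether your WORKGROUP StoreFront servers trust the internal CA. The PowerShell script below is an added example (not from the original post) that runs both checks from a StoreFront server in the DMZ: it attempts a handshake per protocol version against the controllers and the gateway, reports the negotiated cipher and key exchange, records certificate validation errors as seen by this server's trust store, and checks the gateway for a Strict-Transport-Security header. It serves both the XML-over-HTTPS validation earlier in the post and the guidelines above; host names are the lab values, and the expectations it encodes (no SSL3, TLS 1.2 offered, no RC4, forward-secrecy key exchange, HSTS on the gateway, trusted controller certificates) are the guidelines, not measured facts.

```powershell
# Added example (not from the original post): client-side TLS checks for the two
# HTTPS paths this post sets up, the XML/STA endpoints on the controllers and the
# NetScaler Gateway, run from a StoreFront server in the DMZ.
# Assumptions: host names are the lab values; the expectations encode the guidelines
# above (no SSL3, TLS 1.2 available, no RC4, forward-secrecy key exchange, HSTS on the
# gateway) and, for the controllers, that this server trusts the internal CA.

function Test-TlsHandshake {
    # Attempts a handshake restricted to one protocol version and reports what was negotiated.
    # A failed handshake only proves something about the server if the client OS itself
    # still allows that protocol (SSL3 may already be disabled on the client).
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $script:chainErrors = [System.Net.Security.SslPolicyErrors]::None
    # Accept the certificate but remember the validation errors, so trust problems are
    # reported separately from protocol problems
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:chainErrors = $errors
        return $true
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{
            Host = $HostName; Protocol = $Protocol; Negotiated = $true
            Cipher = $ssl.CipherAlgorithm
            # ECDHE is reported as 44550 by .NET Framework; DiffieHellman or 44550 means forward secrecy
            KeyExchange = $ssl.KeyExchangeAlgorithm; ChainErrors = $script:chainErrors
        }
    } catch {
        [pscustomobject]@{
            Host = $HostName; Protocol = $Protocol; Negotiated = $false
            Cipher = $null; KeyExchange = $null; ChainErrors = $script:chainErrors
        }
    } finally { $client.Close() }
}

function Test-Hsts {
    # Returns the Strict-Transport-Security header value, or $null if the site does not send one
    param([Parameter(Mandatory)][string]$Url)
    $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
    return $resp.Headers['Strict-Transport-Security']
}

$targets = @(
    @{ Host = 'cdc01.citrixguru.lab'; Role = 'Controller XML/STA' },
    @{ Host = 'cdc02.citrixguru.lab'; Role = 'Controller XML/STA' },
    @{ Host = 'lab.citrixguru.com';   Role = 'NetScaler Gateway' }
)
$report = foreach ($t in $targets) {
    foreach ($p in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
        Test-TlsHandshake -HostName $t.Host -Protocol $p |
            Add-Member -NotePropertyName Role -NotePropertyValue $t.Role -PassThru
    }
}
$report | Format-Table Role, Host, Protocol, Negotiated, Cipher, KeyExchange, ChainErrors -AutoSize

# Turn the raw results into findings against the guidelines
$findings = @(foreach ($r in $report) {
    if ($r.Protocol -eq 'Ssl3' -and $r.Negotiated) { "$($r.Host): SSL3 accepted" }
    if ($r.Protocol -eq 'Tls12' -and -not $r.Negotiated) { "$($r.Host): TLS 1.2 not offered" }
    if ($r.Negotiated -and $r.Cipher -eq 'Rc4') { "$($r.Host): RC4 negotiated over $($r.Protocol)" }
    if ($r.Negotiated -and $r.KeyExchange -eq 'RsaKeyX') { "$($r.Host): no forward secrecy ($($r.Protocol))" }
    if ($r.Negotiated -and $r.ChainErrors -ne 'None') { "$($r.Host): certificate not trusted here ($($r.ChainErrors))" }
})
if (-not (Test-Hsts -Url 'https://lab.citrixguru.com/')) {
    $findings += 'lab.citrixguru.com: no Strict-Transport-Security header'
}
$findings
```

A ChainErrors value on the controllers is the one to watch on this design: a WORKGROUP server in the DMZ does not receive the internal root CA through Group Policy the way a domain member does, so the root has to be imported into the DMZ server's Trusted Root store by hand on both StoreFront servers, otherwise the HTTPS/443 XML configuration will fail even though the controllers themselves are set up correctly.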

Customizations

You can customize your StoreFront website by following this article: Lab: Part 22 – Ultimate StoreFront 3 customization guide

 

We covered a lot in this post, and hope you found it useful. What has your experience been like with DMZ implementation? There are multiple ways to do it, and we’d love to learn how your design may differ. If you have any questions or suggestions, leave us a note in the comments.

Nicolas Ignoto

Comments

  1. hello thanks again for a nice blogpost. Perhaps a stupid question but what do you use as your front-end and back-end firewalls

  2. Hello again, Do you have a tutorial on how to set pfSense up in your home lab?
    Cheers
    Anthony

    • Hello, not at this time. But the setup is not too difficult. You need one VM with 2 network adapters and then configure your firewall as your gateway in your DMZ.

  3. Pavan

    Hello Nicolas,
    Thanks for the article.
    So do you have two Storefront servers for Internal use which are joined to the AD and two for external as standalone for DMZ?
    Thanks,
    Pavan

    • Yeah. Technically you can use the same for internal and external but in highly secure environment, it is required to have separate servers for external access.

  4. Guillaume

    Perfect blog! Thx for all tutorials 😉

  5. Deepak Sanadi

    Awesome. Thank you very much
