A complete guide to deploy Citrix StoreFront 3.6 in DMZ with NetScaler Gateway.
More from the Lab!
- Building a Dual-Xeon Citrix Lab: Part 1 – Considerations
- Building a Dual-Xeon Citrix Lab: Part 2 – Hardware
- Building a Dual-Xeon Citrix Lab: Part 3 – Windows and Hyper-V installation
- Lab: Part 4 – Hyper-V Networking
- Lab: Part 5 – NetScaler 11 Architecture and Installation
- Lab: Part 6 – Configure NetScaler 11 High Availability (HA Pair)
- Lab: Part 7 – Upgrade NetScalers in HA
- Lab: Part 8 – Save, Backup and Restore NetScaler 11 configuration
- Lab: Part 9 – Install Microsoft SQL Server 2014 (Dedicated)
- Lab: Part 10 – Citrix Licensing demystified
- Lab: Part 11 – Install XenDesktop 7.6
- Lab: Part 12 – Setup NetScaler 11 Clustering (TriScale)
- Lab: Part 13 – Configure Published Applications with XenDesktop 7.6
- Lab: Part 14 – Citrix StoreFront 3.x
- Lab: Part 15 – Configure SSL in StoreFront
- Lab: Part 16 – StoreFront load balancing with NetScaler (Internal)
- Lab: Part 17 – Optimize and secure StoreFront load balancing with NetScaler (Internal)
- Lab: Part 18 – Secure LDAP (LDAPS) load balancing with Citrix NetScaler 11
- Lab: Part 19 – Configure Active Directory authentication(LDAP) with Citrix NetScaler 11
- Lab: Part 20 – RDP Proxy with NetScaler Unified Gateway 11
- Lab: Part 21 – Secure SSH Authentication with NetScaler (public-private key pair)
- Lab: Part 22 – Ultimate StoreFront 3 customization guide
- Lab: Part 23 – Securing Citrix StoreFront DMZ deployment
- Lab: Part 25 – Upgrade to Citrix StoreFront 3.7
- Lab: Part 26 – Install/Upgrade Citrix XenDesktop 7.11
- Lab: Part 27 – Getting started with Microsoft Azure
- Lab: Part 28 – Getting started with Citrix Cloud
- Lab: Part 29 – Configure XenDesktop And XenApp Service with Microsoft Azure and Citrix Cloud
- Lab: Part 30 – Configure Identity and Access Management in Citrix Cloud with Microsoft Azure AD
- Lab: Part 31 – Configure NetScaler Gateway Service for XenApp and XenDesktop Service in Citrix Cloud
- Lab: Part 32 – Configure MCS with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 33 – Configure Azure Quick Deploy with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 34 – Configure Site Aggregation for Citrix Workspace in Citrix Cloud with XenDesktop 7.x located on-premises
- Lab: Part 35 – Configure a Hybrid NetScaler MA Service environment in Citrix Cloud
- Lab: Part 36 – Configure ShareFile in Citrix Cloud with StorageZones on-premises
- Lab: Part 37 – Upgrade NetScaler HA pair with NetScaler MA Service in Citrix Cloud
- Lab: Part 38 – How to Configure Full VPN Setup with Citrix NetScaler in CLI
- Lab: Part 39 – Configure Multi-Factor Authentication with Azure MFA Service and Citrix Workspace
- Lab: Part 40 – Getting Started with Citrix App Layering
- Lab: Part 41 – Configure Citrix App Layering
- Lab: Part 42 – OS Layer with Citrix App Layering
- Lab: Part 43 – Platform Layer with Citrix App Layering
- Lab: Part 44 – Application Layers with Citrix App Layering
- Lab: Part 45 – Layered Image Deployment with Citrix App Layering
- Lab: Part 46 – Elastic deployment with Citrix App Layering
- Lab: Part 47 – User Layers with Citrix App Layering
- Lab: Part 48 – Windows 10 and PVS with Citrix App Layering
It’s been a while since CitrixGuru posted a lab article, but we are excited to go in depth with StoreFront once again, this time exploring DMZ implementation.
Most large organizations protect their internal network using a DMZ. The purpose of having a DMZ is to secure access (usually from the Internet) to the internal network. Any potentially vulnerable service that is being provided to users on the external network can be placed in the DMZ and will have limited connectivity with the internal network. Citrix services, such as our beloved Web Interface and his little brother StoreFront, are often used alongside NetScaler Gateway to provide remote access for corporate users.
Citrix recently released StoreFront 3.6, bringing back non-domain deployment which removes the need to have a specific Active Directory Domain in the DMZ. Previously, StoreFront DMZ implementation was a pain-in-the-you-know-what because SFT servers had to be members of an AD domain, but now StoreFront servers can be standalone in a WORKGROUP configuration. They will not sync their configurations, but will act the same way as Web Interface 5.x servers, delegating the authentication to the controllers located in the LAN. In that case, it is important to secure XML/STA communication between the two zones with HTTPS.
I’ve seen many articles online dealing with DMZ implementation and most of them leave the Web servers in the LAN, which does not fit the needs of large organizations.
In this article, we will review the most common DMZ architecture with two firewalls (between Internet/DMZ and between DMZ/LAN). Citrix StoreFront servers and NetScaler VPX appliances will be located in the DMZ, XenDesktop controllers and application servers in the LAN. Let’s get to it.
Lab Architecture
Below is the diagram of our lab:
Lab configuration
NetScalers
- 2 NetScalers configured in HA located in DMZ
- NS01 – NSIP: 192.168.1.199
- NS02 – NSIP: 192.168.1.200
- HA IP: 192.168.1.201
- Zone: DMZ
- Version 11.0 62.10nc
- MobaXterm and Putty installed on the Client
StoreFront
- 2 servers running 2012 R2
- DMZSF01 – 192.168.1.61/24
- DMZSF02 – 192.158.1.62/24
- GTW 192.168.1.99
- 1024 MB of RAM
- 2 vCPU
- 50GB disk
- StoreFront 3.6.0.33
- Zone: DMZ
- WORKGROUP
- URL: sf-ext.citrixguru.lab
- LB IP: 192.168.1.23
- NetScaler Gateway IP: 192.168.1.22
- Port : 443 (HTTPS)
Controllers
- 2 servers running 2012 R2
- CDC01 – 10.0.0.71
- CDC02 – 10.0.0.72
- XenDeskop 7.9
- XML Port : 8090
- XML Secure Port: 443
- STA 8090
- STA Secure Port: 443
- SSL/TLS Port: 443
- Zone: LAN
- Domain: citrixguru.lab
- LB IP : 192.168.1.24
Requirements
For this post, you need to have the following items ready:
- NetScaler HA pair must be configured. See Lab: Part 6 – Configure NetScaler 11 High Availability (HA Pair)
- XenDesktop farm must be configured. See Lab: Part 11 – Install XenDesktop 7.6 and Lab: Part 13 – Configure Published Applications with XenDesktop 7.6
- SSL/TLS certificates generated for all XenDesktop controllers and for StoreFront URL (Ex : sf-ext.citrixguru.lab). We explained how to generate certificate in this article: Lab: Part 17 – Optimize and secure StoreFront load balancing with NetScaler (Internal)
- LDAP Authentication must be configured on the NetScalers. See Lab: Part 18 – Secure LDAP (LDAPS) load balancing with Citrix NetScaler 11 and Lab: Part 19 – Configure Active Directory authentication(LDAP) with Citrix NetScaler 11
Ports
You need to open the following ports in your back-end firewall:
| Item | Source | Destination | Port |
|---|---|---|---|
| XML | StoreFront servers in DMZ | XML Controllers | 443 |
| STA | StoreFront servers in DMZ NetScalers | STA Controllers | 443 |
| LDAP | NetScalers | Domain Controllers | 636 |
| ICA/HDX | NetScalers | Citrix app servers | 1494/2598 |
Download Citrix StoreFront 3.6
Citrix StoreFront 3.6 is available here: https://www.citrix.com/downloads/storefront-web-interface/product-software/storefront-36.html
Check out StoreFront 3.6 documentation here: http://docs.citrix.com/en-us/storefront/3-6.html
Release Date: Jun 1, 2016
Subscription Advantage eligibility date: May 18, 2016
Install Citrix StoreFront 3.6
We already discussed how to install Citrix StoreFront in this article: Lab: Part 14 – Citrix StoreFront 3.x.
Learn more about StoreFront 3.6: http://docs.citrix.com/en-us/storefront/3-6/about-36.html
For this article, below is the most exciting new feature:
- Non-domain joined server deployment. Prior to this version, you could install StoreFront only on servers that were joined to an Active Directory domain. This version supports installation and configuration of StoreFront on non-domain joined servers. Note that in a non-domain joined server deployment, you must delegate authentication to delivery controllers and server groups are not supported.
Configure StoreFront
Let’s start with the configuration of Citrix StoreFront. We will configure a new Store with the default configuration to validate that everything is working fine.
As StoreFront servers in Workgroup are standalone, you need to repeat the same actions on both servers.
- Base URL: http://dmzsf02/ (Not HTTPS for now)
Select Next.
- Store Name: External
- Set this Receiver for Web site as IIS default
Now we need to add the controllers.
To validate the controllers, HTTP will be used for now on the port 8090.
- Name: XD7
- Type: XenDesktop (7.0 or higher)
- Servers: cdc01.citrixguru.lab and cdc02.citrixguru.lab
- Servers are load balanced
- Type: HTTP
- Port: 8090
Delivery controllers are configured within Citrix StoreFront
For now we will not configure Remote Access.
Only check User Name and Password in Authentication Methods.
StoreFront will automatically configure your controllers for Password Validation if installed on a server not in a domain.
Disable Services URL.
The new Store is created.
Now connect to the Store URL to validate that it is working as expected.
- http://dmzsf02/Citrix/ExternalWeb
Icons are displayed. XML communication is working properly.
Secure Citrix components
XML/STA
By default and as configured in the previous step, XenDesktop does not have secure XML/STA communication. When using StoreFront externally, you must enable HTTPS for all communication.
Below is the process to enable SSL/TLS on XenDesktop controllers:
- Generate TLS certificates for all XenDesktop 7.x controllers with your internal CA (Make sure that your controllers trust the Root CA)
- Import certificates on XenDesktop controllers
- Register the TLS certificate for HTTPS on the server
To register the certificate on the server, you need to type the following command:
|
1 |
netsh http add sslcert ipport=<IP address>:<Port Number> certhash=<Certificate Hash Number> appid={<Citrix Broker Service GUID>} |
- IP Address: IP of the server
- Port Number: 443
- Certificate Hash Number:
- Citrix Broker Service GUID
Note: the format of the GUID must be XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Search for Citrix Broker Service which must return a result in the default location at HKEY_CLASSES_ROOT\Installer\Products\
Example:
In case you make a mistake you can remove all ssl bound to the IP with the following command:
|
1 |
netsh http del sslcert ipport=<IP address>:<Port Number> |
Example:
You need to repeat the steps on all your controllers.
Once configured, you can change the transport type to HTTPS and the port to 443 in the farm configuration in StoreFront.
Then try again to logon to validate the XML communication over HTTPS.
Source: CTX200415
Secure StoreFront website
As StoreFront servers in Workgroup are standalone, you need to repeat the same actions on both servers.
The secure URL of our StoreFront website is : https://sft-ext.citrixguru.lab.
- Change Base URL to https://sf-ext.citrixguru.lab
Base URL with HTTPS - Import SSL certificate for StoreFront website
SSL Certificate StoreFront - Modify hosts file
To be able to test locally, I’ve added the following configuration in the hosts file:
- On DMZSF01: 192.168.1.61 sf-ext.citrixguru.lab
- On DMZSF02: 192.168.1.62 sf-ext.citrixguru.lab
Note: hosts file is located in C:\Windows\System32\drives\etc\
Make sure that IIS default website is configured as below on all StoreFront servers:
Validate that the website is working properly in HTTPs on both servers.
StoreFront remote access configuration
NetScaler Gateway StoreFront configuration
As StoreFront servers in Workgroup are standalone, you need to repeat the same actions on both servers.
We need to configure StoreFront in order to use NetScaler Gateway when connecting externally because we don’t want our users to connect directly to the application servers like they usually do internally.
In the Actions menu, select Manage NetScaler Gateway.
Create a new NetScaler Gateway Appliance:
- Role: Authentication and HDX routing
- URL: https://labs.citrixguru.com
- Name: External
Add the STA servers and select Load Balance multiple STA servers.
- STA 1: https://cdc01.citrixguru.lab:443/Scripts/ctxsta.dll
- STA 2: https://cdc01.citrixguru.lab:443/Scripts/ctxsta.dll
In our lab, XenDesktop controllers are STA servers.
Next screen, you don’t need to do anything. Select Create to finish.
Beacons
For our lab, default configuration is OK.
NetScaler Gateway
Configuration
To configure NetScaler Gateway, we could use the integrated wizard… but as we are on citrixguru.com, we will do everything in command line !
Create new servers in the configuration
|
1 2 3 4 |
add server 10.0.0.71 10.0.0.71 add server 10.0.0.72 10.0.0.72 add server 192.168.1.62 192.168.1.62 add server 192.168.1.61 192.168.1.61 |
Create Service Groups
|
1 2 |
add serviceGroup svcgrp-sft-ext SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO add serviceGroup svcgrp-ddc SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO |
Configure Service groups
|
1 2 |
set ssl serviceGroup svcgrp-sft-ext -ssl3 DISABLED -tls11 DISABLED -tls12 DISABLED set ssl serviceGroup svcgrp-ddc -ssl3 DISABLED -tls11 DISABLED -tls12 DISABLED |
Bind Service groups to servers
|
1 2 3 4 5 |
bind serviceGroup svcgrp-sft-ext 10.0.0.71 443 bind serviceGroup svcgrp-sft-ext 10.0.0.72 443 bind serviceGroup svcgrp-ddc 10.0.0.71 443 bind serviceGroup svcgrp-ddc 10.0.0.72 443 |
Create Load Balancing virtual servers
|
1 2 3 |
add lb vserver vslb-sft-ext SSL 192.168.1.23 443 -persistenceType SOURCEIP -cltTimeout 180 add lb vserver vslb-ddc SSL 192.168.1.24 443 -persistenceType NONE -cltTimeout 180 add vpn vserver vsng-sft-ext SSL 192.168.1.22 443 -Listenpolicy NONE |
Bind virtual servers to Service groups
|
1 2 |
bind lb vserver vslb-sft-ext svcgrp-sft-ext bind lb vserver vslb-ddc svcgrp-ddc |
Bind virtual servers to monitors
|
1 2 |
bind serviceGroup svcgrp-sft-ext -monitorName https-ecv bind serviceGroup vslb-ddc -monitorName https-ecv |
Create VPN Session Actions
|
1 2 |
add vpn sessionAction act-os-sft-ext -splitTunnel OFF -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://192.168.1.23/Citrix/ExternalWeb" -ClientChoices OFF -ntDomain citrixguru.lab -clientlessVpnMode OFF -storefronturl "https://sf-ext.citrixguru.lab" add vpn sessionAction act-wb-sft-ext -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -homePage "https://192.168.1.23/Citrix/ExternalWeb" -icaProxy ON -wihome "https://192.168.1.23/Citrix/ExternalWeb" -ClientChoices OFF -ntDomain citrixguru.lab -clientlessVpnMode OFF |
Create VPN Session Policies
|
1 2 |
add vpn sessionPolicy pol-os-sft-ext "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" act-os-sft-ext add vpn sessionPolicy pol-wb-sft-ext "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS" act-wb-sft-ext |
Configure VPN virtual server
|
1 2 3 4 5 6 7 8 9 10 |
bind vpn vserver vsng-sft-ext -policy LDAP_POL_REMOTEUSERS bind vpn vserver vsng-sft-ext -staServer "https://cdc02.citrixguru.lab:443/Scripts/ctxsta.dll" bind vpn vserver vsng-sft-ext -staServer "https://cdc01.citrixguru.lab:443/Scripts/ctxsta.dll" bind vpn vserver vsng-sft-ext -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST bind vpn vserver vsng-sft-ext -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST bind vpn vserver vsng-sft-ext -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST bind vpn vserver vsng-sft-ext -policy _noCacheRest -priority 40 -gotoPriorityExpression END -type REQUEST bind vpn vserver vsng-sft-ext -policy _cacheWFStaticObjects -priority 10 -gotoPriorityExpression END -type RESPONSE bind vpn vserver vsng-sft-ext -policy pol-os-sft-ext -priority 100 bind vpn vserver vsng-sft-ext -policy pol-wb-sft-ext -priority 100 |
Map SSL/TLS Certificates to virtual servers
|
1 2 3 |
bind ssl vserver vslb-ddc -certkeyName Wildcard bind ssl vserver vsng-sft-ext -certkeyName LabCert bind ssl vserver vslb-sft-ext -certkeyName Wildcard |
Additional configuration
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
bind ssl vserver vslb-ddc -eccCurveName P_256 bind ssl vserver vslb-ddc -eccCurveName P_384 bind ssl vserver vslb-ddc -eccCurveName P_224 bind ssl vserver vslb-ddc -eccCurveName P_521 bind ssl vserver vslb-sft-ext -eccCurveName P_256 bind ssl vserver vslb-sft-ext -eccCurveName P_384 bind ssl vserver vslb-sft-ext -eccCurveName P_224 bind ssl vserver vslb-sft-ext -eccCurveName P_521 bind ssl vserver vsng-sft-ext -eccCurveName P_256 bind ssl vserver vsng-sft-ext -eccCurveName P_384 bind ssl vserver vsng-sft-ext -eccCurveName P_224 bind ssl vserver vsng-sft-ext -eccCurveName P_521 set ssl vserver vslb-ddc -ssl3 DISABLED set ssl vserver vslb-sft-ext -ssl3 DISABLED set ssl vserver vsng-sft-ext -ssl3 DISABLED |
Apply new X1 theme
|
1 |
bind vpn vserver vsng-sft-ext -portaltheme X1 |
Validations
Connect to https://lab.citrixguru.com and enter credentials.
The following is managed by NetScaler.
To validate XenDesktop XML, you must have icons displayed in StoreFront.
To validate XenDesktop STA, just click on an icon to start a new application. NetScaler will ask STA servers for a new ticket.
Here Microsoft Excel started properly.
To troubleshoot STA, you can take a look in your NetScaler Gateway virtual server, go to NetScaler > NetScaler Gateway > NetScaler Gateway Virtual Servers, select your virtual server. Under Published Applications, select STA servers.
You can make sure that your STA servers are not down.
Secure NetScaler Gateway
Here are the guidelines:
- Do not use HTTP
- Always use SHA2 TLS/SSL certificates
- Configure Perfect Forward Secrecy
- Disable SSL3
- Enable TLS1.1, 1.2 and 1
- Disable RC4 ciphers
- Enable HSTS/STS
Details about securing NetScaler Gateway are available in this post: Scoring an A+ on SSLLABS.COM with NetScaler 11 VPX
Once implemented, you can test your website here: https://www.ssllabs.com/ssltest/.
Customizations
You can customize your StoreFront website by following this article: Lab: Part 22 – Ultimate StoreFront 3 customization guide
We covered a lot in this post, and hope you found it useful. What has your experience been like with DMZ implementation? There are multiple ways to do it, and we’d love to learn how your design may differ. If you have any questions or suggestions, leave us a note in the comments.
More from the Lab!
- Building a Dual-Xeon Citrix Lab: Part 1 – Considerations
- Building a Dual-Xeon Citrix Lab: Part 2 – Hardware
- Building a Dual-Xeon Citrix Lab: Part 3 – Windows and Hyper-V installation
- Lab: Part 4 – Hyper-V Networking
- Lab: Part 5 – NetScaler 11 Architecture and Installation
- Lab: Part 6 – Configure NetScaler 11 High Availability (HA Pair)
- Lab: Part 7 – Upgrade NetScalers in HA
- Lab: Part 8 – Save, Backup and Restore NetScaler 11 configuration
- Lab: Part 9 – Install Microsoft SQL Server 2014 (Dedicated)
- Lab: Part 10 – Citrix Licensing demystified
- Lab: Part 11 – Install XenDesktop 7.6
- Lab: Part 12 – Setup NetScaler 11 Clustering (TriScale)
- Lab: Part 13 – Configure Published Applications with XenDesktop 7.6
- Lab: Part 14 – Citrix StoreFront 3.x
- Lab: Part 15 – Configure SSL in StoreFront
- Lab: Part 16 – StoreFront load balancing with NetScaler (Internal)
- Lab: Part 17 – Optimize and secure StoreFront load balancing with NetScaler (Internal)
- Lab: Part 18 – Secure LDAP (LDAPS) load balancing with Citrix NetScaler 11
- Lab: Part 19 – Configure Active Directory authentication(LDAP) with Citrix NetScaler 11
- Lab: Part 20 – RDP Proxy with NetScaler Unified Gateway 11
- Lab: Part 21 – Secure SSH Authentication with NetScaler (public-private key pair)
- Lab: Part 22 – Ultimate StoreFront 3 customization guide
- Lab: Part 23 – Securing Citrix StoreFront DMZ deployment
- Lab: Part 25 – Upgrade to Citrix StoreFront 3.7
- Lab: Part 26 – Install/Upgrade Citrix XenDesktop 7.11
- Lab: Part 27 – Getting started with Microsoft Azure
- Lab: Part 28 – Getting started with Citrix Cloud
- Lab: Part 29 – Configure XenDesktop And XenApp Service with Microsoft Azure and Citrix Cloud
- Lab: Part 30 – Configure Identity and Access Management in Citrix Cloud with Microsoft Azure AD
- Lab: Part 31 – Configure NetScaler Gateway Service for XenApp and XenDesktop Service in Citrix Cloud
- Lab: Part 32 – Configure MCS with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 33 – Configure Azure Quick Deploy with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 34 – Configure Site Aggregation for Citrix Workspace in Citrix Cloud with XenDesktop 7.x located on-premises
- Lab: Part 35 – Configure a Hybrid NetScaler MA Service environment in Citrix Cloud
- Lab: Part 36 – Configure ShareFile in Citrix Cloud with StorageZones on-premises
- Lab: Part 37 – Upgrade NetScaler HA pair with NetScaler MA Service in Citrix Cloud
- Lab: Part 38 – How to Configure Full VPN Setup with Citrix NetScaler in CLI
- Lab: Part 39 – Configure Multi-Factor Authentication with Azure MFA Service and Citrix Workspace
- Lab: Part 40 – Getting Started with Citrix App Layering
- Lab: Part 41 – Configure Citrix App Layering
- Lab: Part 42 – OS Layer with Citrix App Layering
- Lab: Part 43 – Platform Layer with Citrix App Layering
- Lab: Part 44 – Application Layers with Citrix App Layering
- Lab: Part 45 – Layered Image Deployment with Citrix App Layering
- Lab: Part 46 – Elastic deployment with Citrix App Layering
- Lab: Part 47 – User Layers with Citrix App Layering
- Lab: Part 48 – Windows 10 and PVS with Citrix App Layering
hello thanks again for a nice blogpost. Perhaps a stupid question but what do you use as your front-end and back-end firewalls
Hi, Thanks ! pfsense
Hello again, Do you have a tuorial on how to set pfsense up in your home lab?
Cheers
Anthony
Hello, not at this time. But the setup is not too difficult. You need one VM with 2 network adapters and then configure your firewall as your gateway in your dmz.
Hello Nicolas,
Thanks for the article.
So do you have two Storefront servers for Internal use which are joined to the AD and two for external as standalone for DMZ?
Thanks,
Pavan
Yeah. Technically you can use the same for internal and external but in highly secure environment, it is required to have separate servers for external access.
Perfect Blog ! Thx for all tutorials 😉
awesome .Thank you very much
np 🙂 happy to help
Nicolas, thank you so much for sharing this article.
I was wondering if it would be possible to use a similar configuration of standalone Storefront servers to enable Citrix SSO for users to connect from an untrusted domain?
hello guru. Thank you for this very informative post. Can you elaborate on how to create the DMZ? Perhaps a screenshot from your lab? Cheers Rod