Securing StoreFront DMZ Deployment

A complete guide to deploy Citrix StoreFront 3.6 in DMZ with NetScaler Gateway.

More from the Lab!


It’s been a while since CitrixGuru posted a lab article, but we are excited to go in depth with StoreFront once again, this time exploring DMZ implementation.

Most large organizations protect their internal network using a DMZ. The purpose of having a DMZ is to secure access (usually from the Internet) to the internal network. Any potentially vulnerable service that is being provided to users on the external network can be placed in the DMZ and will have limited connectivity with the internal network. Citrix services, such as our beloved Web Interface and his little brother StoreFront, are often used alongside NetScaler Gateway to provide remote access for corporate users.

Citrix recently released StoreFront 3.6, bringing back non-domain deployment which removes the need to have a specific Active Directory Domain in the DMZ. Previously, StoreFront DMZ implementation was a pain-in-the-you-know-what because SFT servers had to be members of an AD domain, but now StoreFront servers can be standalone in a WORKGROUP configuration. They will not sync their configurations, but will act the same way as Web Interface 5.x servers, delegating the authentication to the controllers located in the LAN. In that case, it is important to secure XML/STA communication between the two zones with HTTPS.

I’ve seen many articles online dealing with DMZ implementation and most of them leave the Web servers in the LAN, which does not fit the needs of large organizations.

In this article, we will review the most common DMZ architecture with two firewalls (between Internet/DMZ and between DMZ/LAN). Citrix StoreFront servers and NetScaler VPX appliances will be located in the DMZ, XenDesktop controllers and application servers in the LAN. Let’s get to it.

Lab Architecture

Below is the diagram of our lab:

Securing StoreFront DMZ Schema

Lab configuration


  • 2 NetScalers configured in HA located in DMZ
  • NS01 – NSIP:
  • NS02 – NSIP:
  • HA IP:
  • Zone: DMZ
  • Version 11.0 62.10nc
  • MobaXterm and Putty installed on the Client


  • 2 servers running 2012 R2
  • DMZSF01 –
  • DMZSF02 –
  • GTW
  • 1024 MB of RAM
  • 2 vCPU
  • 50GB disk
  • StoreFront
  • Zone: DMZ
  • URL: sf-ext.citrixguru.lab
  • LB IP:
  • NetScaler Gateway IP:
  • Port : 443 (HTTPS)


  • 2 servers running 2012 R2
  • CDC01 –
  • CDC02 –
  • XenDeskop 7.9
  • XML Port : 8090
  • XML Secure Port: 443
  • STA 8090
  • STA Secure Port: 443
  • SSL/TLS Port: 443
  • Zone: LAN
  • Domain: citrixguru.lab
  • LB IP :


For this post, you need to have the following items ready:


You need to open the following ports in your back-end firewall:

XMLStoreFront servers in DMZXML Controllers443
STAStoreFront servers in DMZ
STA Controllers443
LDAPNetScalers Domain Controllers636
ICA/HDXNetScalers Citrix app servers1494/2598


Download Citrix StoreFront 3.6

Citrix StoreFront 3.6 is available here:

Check out StoreFront 3.6 documentation here:

Release Date: Jun 1, 2016
Subscription Advantage eligibility date: May 18, 2016

Install Citrix StoreFront 3.6

We already discussed how to install Citrix StoreFront in this article: Lab: Part 14 – Citrix StoreFront 3.x.

Learn more about StoreFront 3.6:

For this article, below is the most exciting new feature:

  • Non-domain joined server deployment. Prior to this version, you could install StoreFront only on servers that were joined to an Active Directory domain. This version supports installation and configuration of StoreFront on non-domain joined servers. Note that in a non-domain joined server deployment, you must delegate authentication to delivery controllers and server groups are not supported. 

Configure StoreFront

Let’s start with the configuration of Citrix StoreFront. We will configure a new Store with the default configuration to validate that everything is working fine.

As StoreFront servers in Workgroup are standalone, you need to repeat the same actions on both servers.

  • Base URL: http://dmzsf02/ (Not HTTPS for now)
New base URL
New base URL

Select Next.

Getting Started
Getting Started
  • Store Name: External 
  • Set this Receiver for Web site as IIS default 
Store Name and Access configuration
Store Name and Access configuration

Now we need to add the controllers.

Delivery controllers configuration
Delivery controllers configuration

To validate the controllers, HTTP will be used for now on the port 8090.

  • Name: XD7
  • Type: XenDesktop (7.0 or higher)
  • Servers: cdc01.citrixguru.lab and cdc02.citrixguru.lab
  • Servers are load balanced
  • Type: HTTP
  • Port: 8090
Delivery controllers configuration suite
Delivery controllers configuration suite

Delivery controllers are configured within Citrix StoreFront

Delivery controllers configured
Delivery controllers configured

For now we will not configure Remote Access.

Remote Access
Remote Access

Only check User Name and Password in Authentication Methods.

Authentication Methods
Authentication Methods

StoreFront will automatically configure your controllers for Password Validation if installed on a server not in a domain.

Password Validation
Password Validation

Disable Services URL.

Services URL
Services URL

The new Store is created.

Store created
Store created

Now connect to the Store URL to validate that it is working as expected.

  • http://dmzsf02/Citrix/ExternalWeb
Store validation
Store validation

Icons are displayed. XML communication is working properly.

Store validated
Store validated

Secure Citrix components


By default and as configured in the previous step, XenDesktop does not have secure XML/STA communication. When using StoreFront externally, you must enable HTTPS for all communication.

Below is the process to enable SSL/TLS on XenDesktop controllers:

  1. Generate TLS certificates for all XenDesktop 7.x controllers with your internal CA (Make sure that your controllers trust the Root CA)
  2. Import certificates on XenDesktop controllers
  3. Register the TLS certificate for HTTPS on the server

To register the certificate on the server, you need to type the following command:

  • IP Address: IP of the server
  • Port Number: 443
  • Certificate Hash Number:
  • Citrix Broker Service GUID
    Note: the format of the GUID must be XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    Search for Citrix Broker Service which must return a result in the default location at HKEY_CLASSES_ROOT\Installer\Products\


Add SSL Certificate
Add SSL Certificate

In case you make a mistake you can remove all ssl bound to the IP with the following command:


Remove SSL Certificate
Remove SSL Certificate

You need to repeat the steps on all your controllers.

Once configured, you can change the transport type to HTTPS and the port to 443 in the farm configuration in StoreFront.

HTTPS/443 configuration
HTTPS/443 configuration

Then try again to logon to validate the XML communication over HTTPS.

Source: CTX200415

Secure StoreFront website

As StoreFront servers in Workgroup are standalone, you need to repeat the same actions on both servers.

The secure URL of our StoreFront website is : https://sft-ext.citrixguru.lab.

  1. Change Base URL to https://sf-ext.citrixguru.lab

    Base URL with HTTPS
    Base URL with HTTPS
  2. Import SSL certificate for StoreFront website

    SSL Certificate StoreFront
    SSL Certificate StoreFront
  3. Modify hosts file

To be able to test locally, I’ve added the following configuration in the hosts file:

  • On DMZSF01: sf-ext.citrixguru.lab
  • On DMZSF02: sf-ext.citrixguru.lab

Note: hosts file is located in C:\Windows\System32\drives\etc\

Make sure that IIS default website is configured as below on all StoreFront servers:

IIS SSL configuration
IIS SSL configuration

Validate that the website is working properly in HTTPs on both servers.

StoreFront Website SSL validation
StoreFront Website SSL validation

StoreFront remote access configuration

NetScaler Gateway StoreFront configuration

As StoreFront servers in Workgroup are standalone, you need to repeat the same actions on both servers.

We need to configure StoreFront in order to use NetScaler Gateway when connecting externally because we don’t want our users to connect directly to the application servers like they usually do internally.

In the Actions menu, select Manage NetScaler Gateway.

Manage NetScaler Gateway
Manage NetScaler Gateway

Create a new NetScaler Gateway Appliance:

  1. Role: Authentication and HDX routing
  2. URL: 
  3. Name: External
new Gateway appliance
new Gateway appliance

Add the STA servers and select Load Balance multiple STA servers.

  • STA 1: https://cdc01.citrixguru.lab:443/Scripts/ctxsta.dll
  • STA 2: https://cdc01.citrixguru.lab:443/Scripts/ctxsta.dll

In our lab, XenDesktop controllers are STA servers.

STA Configuration
STA Configuration

Next screen, you don’t need to do anything. Select Create to finish.

Select Create to finish
Select Create to finish


For our lab, default configuration is OK.

Beacons configuration
Beacons configuration

NetScaler Gateway


To configure NetScaler Gateway, we could use the integrated wizard… but as we are on, we will do everything in command line !

Create new servers in the configuration

Create Service Groups

Configure Service groups

Bind Service groups to servers

Create Load Balancing virtual servers

Bind virtual servers to Service groups

Bind virtual servers to monitors

Create VPN Session Actions

Create VPN Session Policies

Configure VPN virtual server

Map SSL/TLS Certificates to virtual servers

Additional configuration

Apply new X1 theme


Connect to and enter credentials.

The following is managed by NetScaler.

NetScaler Unified Gateway logon screen
NetScaler Unified Gateway logon screen




To validate XenDesktop XML, you must have icons displayed in StoreFront.

XML validation
XML validation

To validate XenDesktop STA, just click on an icon to start a new application. NetScaler will ask STA servers for a new ticket.

Here Microsoft Excel started properly.

STA validation
STA validation

To troubleshoot STA, you can take a look in your NetScaler Gateway virtual server, go to NetScaler > NetScaler Gateway > NetScaler Gateway Virtual Servers, select your virtual server.  Under Published Applications, select STA servers.

STA troubleshooting
STA troubleshooting

You can make sure that your STA servers are not down.

Secure NetScaler Gateway

Here are the guidelines:

  • Do not use HTTP
  • Always use SHA2 TLS/SSL certificates
  • Configure Perfect Forward Secrecy
  • Disable SSL3
  • Enable TLS1.1, 1.2 and 1
  • Disable RC4 ciphers
  • Enable HSTS/STS

Details about securing NetScaler Gateway are available in this post: Scoring an A+ on SSLLABS.COM with NetScaler 11 VPX

Once implemented, you can test your website here:


You can customize your StoreFront website by following this article: Lab: Part 22 – Ultimate StoreFront 3 customization guide


We covered a lot in this post, and hope you found it useful. What has your experience been like with DMZ implementation? There are multiple ways to do it, and we’d love to learn how your design may differ. If you have any questions or suggestions, leave us a note in the comments.

More from the Lab!



    • Hello, not at this time. But the setup is not too difficult. You need one VM with 2 network adapters and then configure your firewall as your gateway in your dmz.

  1. Hello Nicolas,
    Thanks for the article.
    So do you have two Storefront servers for Internal use which are joined to the AD and two for external as standalone for DMZ?

  2. Nicolas, thank you so much for sharing this article.
    I was wondering if it would be possible to use a similar configuration of standalone Storefront servers to enable Citrix SSO for users to connect from an untrusted domain?

  3. hello guru. Thank you for this very informative post. Can you elaborate on how to create the DMZ? Perhaps a screenshot from your lab? Cheers Rod

Comments are closed.