
602: StoreFront 2.5 Enterprise Deployment
Hands-on Lab Exercise Guide

This session is offered as both an instructor-led training and a self-paced online lab.

Contents
Overview
Scenario
Exercise 1: Configure Site2 StoreFront server for NetScaler Gateway support
Exercise 2: Automate deployment of Citrix Receiver for domain member PCs and Test pass-through authentication
Exercise 3: Configure Optimal routing for StoreFront
Exercise 4: Configure Failover for StoreFront Sites with user group site pinning
Exercise 5: Application Filtering in StoreFront
Exercise 6: Configure Locked down store and user self-service store activation process
Exercise 7: Enable HTML5 client for StoreFront

Overview
Hands-on Training Module
Objective
This training provides hands-on experience with a StoreFront deployment in an enterprise
environment. The lab covers how StoreFront can be used in the enterprise and how to manage
user workload distribution and failover in a XenDesktop environment.

Prerequisites
Active Directory, XenDesktop and XenApp administration and management.

Audience
Citrix Partners, Customers, Sales Engineers, Consultants, Technical Support

Lab Environment Details


The system diagram of the lab is shown below:

The Student Desktop is accessed remotely using Citrix Receiver running on your laptop. All
Windows applications, such as XenCenter (the XenServer GUI management tool), are accessed
from the Student Desktop.

Lab Guide Conventions


This symbol indicates particular attention must be paid to this step

Special note to offer advice or background information


reboot    Text the student enters or an item they select is printed like this
VMDemo    Filename mentioned in text or lines added to files during editing
Start     Bold text indicates reference to a button or object
Focuses attention on a particular part of the screen (R:255 G:20 B:147)
Shows where to click or select an item on a screen shot (R:255 G:102 B:0)

List of Virtual Machines Used


VM Name                    IP Address       Description / OS
AD.training.lab            192.168.10.11    DC/DNS/Software file share
Site1-CDC1.training.lab    192.168.10.20    Site2 Citrix Delivery Controller with StoreFront
NS.training.lab (MIP)      192.168.10.60    Management IP for NetScaler in Training lab
Student1-PC                192.168.10.100   Domain Joined Student PC
Site1-XA1                  192.168.10.21    XenApp 7.5 host for Site1
Site2-AD2.remote.lab       192.168.20.11    DC/DNS/Software file share
Site2-CDC2.remote.lab      192.168.20.20    Site2 Citrix Delivery Controller with StoreFront
NS.remote.lab (MIP)        192.168.10.60    Management IP for NetScaler in Remote.lab
Site2-Student2-PC          192.168.20.60    Domain Joined Student PC
Site2-XA2                  192.168.10.21    XenApp 7.5 host for Site2

Required Lab Credentials


The credentials required to connect to the environment and complete the lab exercises.
VM Name            User ID         Password    Description
*.Training.lab     User1           Citrix123   Training domain User1
*.Remote.lab       User1           Citrix456   Remote domain User1
*.Training.lab     CitrixAdmin     Citrix123   Citrix XenDesktop Site and Domain Admin
*.Remote.lab       CitrixAdmin     Citrix123   Citrix XenDesktop Site and Domain Admin
*.Remote.lab       Administrator   Citrix123   Domain Admin
NetScaler Admin    nsroot          nsroot      NetScaler admin account

Scenario
In this Lab, the environment contains 2 enterprise domain forests joined through a cross domain
forest trust. In each domain, one XenDesktop 7.5 site was configured to allow user access to the
XenDesktop environment. In each desktop site there is one XenApp 7.5 server. Site1 delivers
Microsoft Office 2007 applications and Site 2 delivers Microsoft Office 2010 applications.

In this lab, you will configure the following items:

• Basic NetScaler Gateway configuration.

• Deploy Receivers for Windows to domain-joined PC via startup scripts.

• Configure and enable pass-through authentication on Receiver for Windows via GPO.

• Enable Optimal routing on the StoreFront store.

• Configure user group Site Pinning and Site failover.

• Enable application filtering for the StoreFront site, and configure keywords for
mandatory application.

• Configure Locked-down Store for StoreFront.

• Enable HTML5 Receiver deployment.

Exercise 1
Configure Site2 StoreFront server for NetScaler
Gateway support
Overview
In this exercise, we will be configuring Site2-CDC2.remote.lab to work with NetScaler Gateway
(192.168.20.60) and add external access to the Site2 XenDesktop Site.

Step by step guidance


Estimated time to complete this lab: 30 minutes.

Step Action
1. On the Student Desktop, open up Internet Explorer and go to ns.remote.lab. Log on with
UserID: nsroot Password: nsroot.

2. Go to System > Settings > Configure basic features. Select all features except
Application Firewall and click OK.

3. Configure SSL Certificates and install the certificates loaded on the VPX. (To save time the
certificates and keys are loaded on the NetScaler server already.)
Select Traffic Management > SSL > Certificates > Install.

4. Enter the following data to install the certificate:


Certificate-Key Pair Name: Wildcard-Remote
Certificate file Name*: /nsconfig/ssl/Wildcard-remote.cer
Key File Name: /nsconfig/ssl/Wildcard-remote.cer
(The Wildcard-remote.cer file was converted from a Windows certificate export .PFX file
using a NetScaler internal OpenSSL utility; therefore the key is also in the same .CER file.)
Certificate Format: PEM
Password: Citrix123
Click Create.

Do not click Close. You need to install a second certificate first.

5. Enter the following data to install the second certificate:
Certificate-Key Pair Name: Wildcard-Mycitrixtraining
Certificate file Name*: /nsconfig/ssl/MCTWildcard.cer
Key File Name: /nsconfig/ssl/MyCitrixTraining.key
Certificate Format: PEM
Password: Citrix123
Click Create.

Do not click Close. You need to install an intermediate certificate next.

6. Enter the following data to install an Intermediate certificate for MyCitrixtraining.net:
Certificate-Key Pair Name: Intermediate-MCT
Certificate file Name*: /nsconfig/ssl/MCTIntermediate.cer
Key File Name: (leave this field blank)
Password: (leave this field blank)
Click Create and then click Close.

7. Link the intermediate certificate to the Wildcard-mycitrixtraining certificate.


Click Traffic Management > SSL > Certificates in the navigation pane.
Click Wildcard-mycitrixtraining > Action > Link….

8. Select Intermediate-MCT certificate and then click OK.

9. Verify the certificate link for Wildcard-mycitrixtraining.


Right-click the Wildcard-mycitrixtraining certificate and then click Cert Links….

Verify that the Intermediate-MCT certificate is linked and then click OK to exit the window.

10. Configure NetScaler Gateway for external access.


Click NetScaler Gateway > Configure NetScaler Gateway for Enterprise Store.

11. Click Get Started in the Welcome screen.

12. Enter the NetScaler Gateway settings:
Name: SF2.mycitrixtraining.net
IP Address: 192.168.20.13
Port: 443
Select Redirect requests from port 80 to secure port
Gateway FQDN: sf2.mycitrixtraining.net
Click Continue.

13. Select Wildcard-mycitrixtraining in the Certificate field and click Continue.

14. Configure the LDAP server.
Select Configure New and enter the following data.
IP Address*: 192.168.20.11
Base DN*: DC=Remote,DC=lab
Admin Base DN*: Citrixadmin@remote.lab (In a production environment, an LDAP query
account should be used.)
Server Logon Name Attribute*: sAMAccountName
Password*: Citrix123
Confirm Password*: Citrix123
Click Continue.

15. Set the Enterprise Store for NetScaler Gateway using the following data.
Select XenApp / XenDesktop
Select Deployment Type*: StoreFront
StoreFront FQDN*: Site2-CDC2.remote.lab
Select Use HTTPS (It is selected by default.)
Receiver for Web Path*: /Citrix/Store2Web (Make sure the 2 is inserted in the existing
name.)
Single Sign-on Domain*: Remote.lab
STA URL*: https://Site2-CDC2.remote.lab
Click Done.

16. Create an internal use Gateway.


Click Create New NetScaler Gateway.

17. Enter the following data to configure the NetScaler Gateway settings.
Name: NG.remote.lab
IP: 192.168.20.12
Select Redirect requests from port 80 to secure port
Gateway FQDN: NG.remote.lab
Click Continue.

18. Select the Wildcard-Remote certificate and then Continue.

19. Select the LDAP Policy that you created before (192.168.20.11_LDAP_pol). (It should be
pre-selected.) Click Continue.

20. Enter the following data to set the Enterprise Store for NetScaler Gateway.
Select XenApp /XenDesktop
Select Deployment Type*: StoreFront
StoreFront FQDN*: Site2-CDC2.remote.lab
Select Use HTTPS (It is selected by default.)
Receiver for Web Path*: /Citrix/Store2Web
Single Sign-on Domain*: Remote.lab
STA URL*: https://Site2-CDC2.remote.lab
Click Done.

Close Internet Explorer.

21. Change the NetScaler Gateway UI to use the Green Bubble theme.
Click NetScaler Gateway > Global Settings > Change global settings.

Select the Client Experience tab.


In the UI Theme drop-down list, select Green Bubble and click OK.

22. Configure the StoreFront Site for NetScaler Gateway access.


Log on to the Site2-CDC2 VM with User ID: Remote.lab\Citrixadmin Password: Citrix123.
If a Remote Desktop Connection message appears, select Don’t ask me again for
connections to this computer and then click Yes.
Open Citrix StoreFront from the taskbar.
Click Yes in the User Account Control message, if it appears.

23. Select Don’t show this again and then click Close in the Welcome screen.
Expand the Citrix StoreFront node in the left pane. Click Stores and select Store2. Click
Enable Remote Access in the Actions pane. Select No VPN tunnel. Click Add….

24. Enter the following data to add the NetScaler Gateway appliances.
Display name: SF2.MyCitrixtraining.net
NetScaler Gateway URL: https://SF2.Mycitrixtraining.net
Version: 10.0 (Build 69.4) or later
Callback URL: https://SF2.MyCitrixtraining.net (This is used by the StoreFront server to
communicate with NetScaler Gateway to validate the authentication of the LDAP services in
NetScaler.)
Click Next.

Note: In this lab, SF2.mycitrixtraining.net and SF1.mycitrixtraining.net are internal FQDNs
which are defined via a host file in the Lab VM.

25. Click Add....
Enter the STA URL used on the NetScaler Gateway. (This must match the entry on the
NetScaler Gateway.)
STA URL: https://Site2-CDC2.remote.lab
Click OK and then click Create.

26. Add a Second NetScaler Gateway using the following data.


Click Add.
Display name: NG.remote.lab
NetScaler Gateway URL: https://ng.remote.lab
Version: 10.0 (Build 69.4) or later
Callback URL: https://ng.remote.lab (This is used by the StoreFront server to communicate
with the Netscaler Gateway to validate the authentication of the LDAP services in
NetScaler.)
Click Next.

27. Click Add....
Enter the STA URL used on NetScaler Gateway. (This must match with the entry on
NetScaler Gateway.)
STA URL: https://Site2-CDC2.remote.lab
Click OK and then click Create.

28. Enable Remote Access and set the Default appliance.


Select No VPN tunnel.
Select both NetScaler Gateway appliances.
Select SF2.MyCitrixtraining.net as the Default appliance and click OK.

29. Add Domain pass-through to the Authentication Methods.
Click Authentication in the left pane.
Click Add/Remove Methods in the Actions pane.
Select Domain pass-through to enable pass-through authentication and then click OK.

30. Enable Receiver for Web to accept domain pass-through for both Store2Web and Site2VDI
Receiver.
Click Receiver for Web > Store2 Receiver.
Click Choose Authentication Methods in the Actions pane.
Select Domain pass-through to enable pass-through authentication and then click OK.
Click Receiver for Web > Site2VDI Receiver.
Click Choose Authentication Methods in the Actions pane.
Select Domain pass-through to enable pass-through authentication and then click OK.

31. Enable Trust XML Service Port so the pass-through authentication will work.
Open Windows PowerShell from the taskbar of the Site2-CDC2 VM.
Enter the following commands:
asnp Citrix*
set-brokerSite -TrustRequestsSentToTheXmlServicePort $True

The Store2 Receiver is now configured to work with Netscaler Gateway. Site2VDI Receiver
is an internal network only store, so you do not have to associate a NetScaler Gateway with
it.

Exercise Summary
In this exercise, you configured NetScaler Gateway and multiple StoreFront Stores to support Pass-
through authentication.

Exercise 2
Automate deployment of Citrix Receiver for domain
member PCs and Test pass-through authentication
Overview
In this exercise you will deploy Citrix Receiver to domain-joined PCs and enable pass-through
authentication using a GPO.

Step by step guidance


Estimated time to complete this lab: 30 minutes.

Step Action
1. Log on to the Site2-AD2.remote.lab VM using the remote.lab\Administrator and
Citrix123 credentials.
If a Remote Desktop Connection message appears, select Don’t ask me again for
connections to this computer and then click Yes.

2. Open Windows Explorer (folder icon) from the taskbar and navigate to the
c:\Software\Receiver\Startup_Logon_Scripts\ folder.
Right-click the CheckAndDeployCitrixReceiverPerMachineStartupScript.bat file and
click Copy. Press Ctrl +V to paste a copy of the file in the same folder.
Rename the copied file to
CheckAndDeployCitrixReceiver4PerMachineStartupScript.bat (or any name you can
identify). (Note: The extension for the file is already .BAT.)
Right-click your copy of the file and click Edit to open the
CheckAndDeployCitrixReceiver4PerMachineStartupScript.bat file.

*The scripts used in this lab are copied from the XenDesktop ISO media, under the
Receiver for Windows folder. There are also uninstall scripts in the folder, but we will not
use them in this lab.

3. In Notepad, click Edit > Go To… and enter Line number 47. Click Go To.
Use the following data to change the entries.
set DesiredVersion=14.1
set DeployDirectory=\\AD2.remote.lab\Software\Receiver
set logshare=\\AD2.remote.lab\software\log
set CommandLineOptions=/includeSSON /Silent

Note: Ensure that you change the domain name from “training.lab” to “remote.lab”.
Failure to do so will result in an error in Step 26 of this exercise.

Click Edit > Find…, type CitrixReceiver.exe and click Find Next.
Add /includeSSON to the line after CitrixReceiver.exe, if it is not already there.

Click File > Save to save the file and then close Notepad.

4. Open Group Policy Management on the Site2-Ad2.remote.lab VM.
Click the Server Manager icon in the taskbar.
Click Tools > Group Policy Management.

5. Expand Forest:remote.lab > Domains > remote.lab > Group Policy Objects, right-
click Group Policy Objects and click New.
Type Receiver Deployment in the Name field and then click OK.

6. Right-click the Receiver Deployment GPO under the Group Policy Objects node and
click Edit.

7. Configure the Startup Script.
Expand Computer Configuration > Policies > Windows Settings > Scripts
(Startup/Shutdown).
Double-click on Startup.

8. Add a startup script in the GPO store.


Click Show Files… to open the AD sysvol store.

9. Copy the startup script you edited to the sysvol store.
Click Windows Explorer in the taskbar and return to the
c:\Software\Receiver\Startup_Logon_Scripts folder. Right-click the
CheckAndDeployCitrixReceiver4PerMachineStartupScript file that you edited and
click Copy.
Click Windows Explorer in the taskbar and return to the Startup folder. Right-click in
the Startup folder and click Paste.
Close the Startup folder window.

10. In the Startup Properties window, click Add. Click Browse. Select the
CheckAndDeployCitrixReceiver4PerMachineStartupScript.bat script. Click Open
and then click OK.

Now the Startup script is configured for the Receiver Deployment policy.

11. Click OK to close the properties.
Close the Group Policy Management Editor window.

12. Create a pass-through authentication policy.


In the Group Policy Management window, right-click Group Policy Objects and then
click New.
Type Receiver pass-through enabled as the name of the policy and click OK.

13. Add the ICAClient.ADM template to configure the ICA client for pass-through
authentication.
Right-click the Receiver pass-through enabled policy and click Edit.
Double-click Computer Configuration > Policies > Administrative Templates.
Right-click Administrative Templates and click Add/Remove Templates > Add.

14. Add the ICAClient.ADM template.


Navigate to c:\software\Receiver\.
Select icaclient.adm.
Click Open.

15. Click Close.

16. Configure the StoreFront Account List for the Receiver pass-through enabled policy in
the Group Policy Management Editor.
Navigate to Computer Configuration > Policies > Administrative Templates >
Classic Administrative Templates (ADM) > Citrix Components > Citrix Receiver >
Storefront. Double-click Storefront Accounts List.

17. Click Enabled.
Click Show….
In the Value field, type:
Store2;https://site2-cdc2.remote.lab/Citrix/Store2/discovery;on;Site2 Store
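Explanation of the text you are entering in the Value field (four fields separated by semicolons):
Green text (Store2): Name of the store configured on the StoreFront site
Black text (https://site2-cdc2.remote.lab/Citrix/Store2/discovery): StoreFront URL for the store discovery
Red text (on): Enables the store
Blue text (Site2 Store): Site name displayed in Receiver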
Click OK and OK to close the window.

18. Enable user Account pass-through for Receiver.
Click User authentication in the left pane of the Group Policy Management Editor and
then double-click Local user name and password.
Select Enabled.
Select the following options:
Enable pass-through authentication
Allow pass-through authentication for all ICA connections
Click OK.

19. Configure the Zone Assignment List using Group Policy Management to allow pass-through
authentication for domain-joined PCs. The StoreFront URL needs to be in the trusted
intranet zone; if it is not, the pass-through option will fail and fall back to form-based
user authentication.
Double-click Computer Configuration > Policies > Administrative Templates >
Windows Components > Internet Explorer > Internet Control Panel > Security
Page.
Double-click Site to Zone Assignment List in the left pane and select Enabled.
Click Show….
Type *://*.training.lab in the Value name field and set the Value to 1.
Add the remote.lab to the zone assignments.
Type *://*.remote.lab in the Value name field and set the Value to 1.
(This makes the training.lab and remote.lab URL trusted as an Intranet site.) This
is required for Receiver for Web to allow pass-through. We have multiple
domains so we are adding both domains to allow users to access StoreFront
sites in both domains.
Click OK and then click OK again.

Close the Group Policy Management Editor and the Group Policy Management
window.

20. Create an OU for the Client Desktop, which will be used to link to the Receiver
Deployment GPO.
Open Server Manager from the taskbar, if you previously closed it.
Select Tools > Active Directory Users and Computers.
Click remote.lab and then click Action > New > Organizational Unit.

Type Client Desktop in the Name field and then click OK.

21. Verify that the Client Desktop OU is created.

22. In Server Manager, select Tools > Group Policy Management.


Right-click the Client Desktop OU and click Link an Existing GPO….

23. Select the two GPOs created in the previous lab steps.
Press Ctrl and select the Receiver Deployment and Receiver Pass-through enabled
GPOs and then click OK.

24. Verify that no Citrix Receiver (ICA client) is installed.


Power on Site2-Student2-PC in XenCenter (if it is not already started.)
Log on to Site2-Student2-PC using the Remote.lab\User1 and Citrix456 credentials.
Note: You will not be able to log on to this VM using a Remote Desktop
connection.
Click Start > Control Panel > Uninstall a program.
Verify that no Citrix Receiver is installed.
Shut down the Site2-Student2-PC from XenCenter.
At this time, the Student2-PC is only a domain member PC in the Computers OU.

25. Log on to the Site2-AD2.remote.lab VM using the remote\CitrixAdmin and Citrix123
credentials.
Note: If you are logged on with the remote\Administrator account, you can sign out by
clicking Start > Shut down or sign out > Sign out. Click Send Ctrl+Alt+Del
(Ctrl+Alt+Insert) to log on with the remote\CitrixAdmin account.

Click Server Manager > Tools > Active Directory Users and Computers. Select the
remote.lab > Computers > Student2-PC computer object and drag it to the remote.lab
> Client Desktop OU. Click Yes.

26. Power on the Site2-Student2-PC VM.
Log on using the Remote.lab\user1 and Citrix456 credentials.
Click Start > Citrix Receiver.
Verify that user pass-through works. That is, you are presented with the following screen
without having to enter your credentials in Citrix Receiver. If the pass-through did not
work, then reboot the Site2-Student2-PC one more time.

Click Start and notice that Microsoft Excel 2010 has been added to the Start > All
Programs menu.

If pass-through does not work after the reboot, verify Steps 16-19 in this exercise. The
StoreFront site requires Local Intranet security zone rights.

27. From the Site2-Student2-PC VM, open up Internet Explorer and log on to Citrix
Receiver.
Type https://site2-cdc2.remote.lab/Citrix/Store2web in the browser and press Enter.
Click Log on.
Verify that pass-through works. That is, you see the available applications and desktops
without having to enter credentials (remote\user1 and Citrix456).

Close both instances of Citrix Receiver.

Exercise Summary
In this exercise, you:

• Configured Receiver for Windows deployment using GPOs.

• Configured pass-through authentication

• Configured the store for Citrix Receiver for Windows via GPOs.

• Validated the deployment and that pass-through authentication works.

Exercise 3
Configure Optimal routing for StoreFront
Overview
In this exercise, we will demonstrate an Optimal routing configuration that routes all Site1 and Site2
connections through two independent gateways.

Step by step guidance


Estimated time to complete this lab: 15 minutes.

Step Action
1. Configure Optimal routing for Store2 to route XenDesktop Site 1 HDX traffic through the
SF1.mycitrixtraining.net gateway and also force the Site2 traffic through the internal
ng.remote.lab gateway. (This is an example use case to demonstrate how optimal
gateway routing can be used in two different ways for two different XenDesktop sites.)
Why do we want to route all ICA traffic through NetScaler Gateway?
1. This forces all client connections to be protected via SSL.
2. Routing ICA traffic through NetScaler helps HDX Insight to collect NetFlow data.

2. Add the training Site1 external NetScaler Gateway to the Site 2 StoreFront server store
named Remote access. (This is optional, but it helps administrators identify and
document which NetScaler Gateway is being used in the store.)
On the Site2-CDC2 VM, click Citrix Studio in the taskbar and then click Citrix
StoreFront > Stores > Store2.
Click Enable Remote Access in the Actions pane.
Click Add in the Enable Remote Access window.
Add SF1.Mycitrixtraining.net to the NetScaler Gateway appliances list using the following
data.
Display name: SF1.Mycitrixtraining.net
NetScaler Gateway URL: https://SF1.mycitrixtraining.net
Callback URL: https://SF1.mycitrixtraining.net
Click Next.

Set the STA server for the NetScaler Gateway.


Click Add….
In the STA URL field, type https://site1-cdc1.training.lab and then click OK.
Click Create.
Click OK to save the configuration. Wait for the configuration to be saved.

3. Open PowerShell in admin mode.
Right-click the PowerShell icon in the taskbar and click Run as Administrator. Click
Yes in the User Account Control message.

First, we need to make a backup of the Web.config file used for the StoreFront Store2.
In PowerShell, type
Copy c:\inetpub\wwwroot\citrix\store2\web.config c:\inetpub\wwwroot\citrix\store2\web.config.backup
Press Enter.
Type Notepad in PowerShell and then press Enter to launch Notepad.

4.
Important Notification before editing the web.config file:
In multiple server deployments, use only one server at a time to make changes to
the configuration of the server group. Ensure that the Citrix StoreFront
management console is not running on any of the other servers in the
deployment. Once complete, propagate your configuration changes to the server
group so that the other servers in the deployment are updated.

5. In Notepad, click File > Open, navigate to the
c:\inetpub\wwwroot\citrix\store2\web.config file and click Open.
Note: You may need to switch the Filter field to All Files in order to see files with
extensions other than TXT.
Click Edit > GoTo …, type 270 in the Line field and click Go To. The cursor should be
at the <optimalGatewayForFarmsCollection /> line in the file.

In PowerShell, type Notepad and press Enter to open a second Notepad.


In the second Notepad, click File > Open, in the File name field type
\\AD2\Software\Lab files\Optimal Gateway.txt and press Enter. Click Edit > Select
All, and Edit > Copy.
Return to the Notepad instance containing the web.config file, select
the <optimalGatewayForFarmsCollection /> line and press Ctrl+V to replace the line with
the text you copied from the Optimal Gateway.txt file.
Click File > Save to save the updated web.config file.
Close both instances of Notepad.
To force the web.config file to apply, type IISreset in PowerShell and press Enter.

Notes:

• enabledOnDirectAccess="true" is the setting that overrides internal Direct Access
traffic so that it routes through NetScaler Gateway. Customers can use this
setting to force all ICA traffic to go through NetScaler Gateway.

• One of the use cases for this is to route all HDX traffic through NetScaler
Gateway to allow NetScaler HDX Insight to collect NetFlow data on HDX.

• In this lab, Site 2 is using an internal-only gateway for lab demo purposes only, so we can
identify the connection via IP in netstat. In production, use a gateway that is accessible
both externally and internally if you want to force all HDX traffic through
NetScaler Gateway. An example setting can be found in the \\ad2\software\lab
6. Log on to the Site2-Student2-PC VM using your Remote\User1 and Citrix456
credentials.
Click Start > Citrix Receiver.
Click Microsoft Excel 2010 (running from Site2) to launch it.
Click the + icon in Citrix Receiver. Click Office2007 > Microsoft Office Excel 2007 to
add it to your applications. Click Microsoft Office Excel 2007 (running from Site1) to
launch it.
Click Start and then enter cmd.exe to open a command prompt.
Type netstat -n at the command prompt and press Enter. Verify that the network
connection is going to 192.168.20.12 (ng.remote.lab) and 192.168.10.13
(sf1.mycitrixtraining.net).

Close both versions of Excel.
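
The netstat check in this step can be scripted. The following PowerShell is an added example, not part of the original lab files: it classifies established connections as going to one of the two gateway addresses named above on port 443, or as a direct HDX session on the standard ICA/session reliability ports 1494 and 2598, which would mean optimal routing is not being applied. The function name, the sample netstat output and the 192.0.2.21 host are constructed for illustration.

```powershell
# Added example: classify HDX-related connections found in `netstat -n` output.
# Gateway addresses are the two this step expects to see.
$GatewayIPs     = @('192.168.20.12', '192.168.10.13')  # ng.remote.lab, sf1.mycitrixtraining.net
$DirectHdxPorts = @(1494, 2598)                        # ICA and session reliability (CGP)

function Get-HdxRouteReport {
    param(
        [string[]]$NetstatLines,
        [string[]]$Gateways,
        [int[]]$HdxPorts
    )
    foreach ($line in $NetstatLines) {
        # Expected shape: TCP  <local>:<port>  <remote IPv4>:<port>  <STATE>
        if ($line -match '^\s*TCP\s+\S+:\d+\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\S+)') {
            $remoteIp   = $Matches[1]
            $remotePort = [int]$Matches[2]
            $state      = $Matches[3]
            if ($state -ne 'ESTABLISHED') { continue }

            if (($Gateways -contains $remoteIp) -and ($remotePort -eq 443)) {
                $verdict = 'ViaGateway'
            } elseif ($HdxPorts -contains $remotePort) {
                # A session straight to a VDA: the gateway is being bypassed.
                $verdict = 'DirectHdx'
            } else {
                continue   # unrelated traffic (SMB, LDAP, ...)
            }
            [pscustomobject]@{
                Remote  = '{0}:{1}' -f $remoteIp, $remotePort
                Verdict = $verdict
            }
        }
    }
}

# CONSTRUCTED sample output; on the student PC use (netstat -n) instead.
$sampleNetstat = @'
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.20.60:49712    192.168.20.12:443      ESTABLISHED
  TCP    192.168.20.60:49718    192.168.10.13:443      ESTABLISHED
  TCP    192.168.20.60:49731    192.0.2.21:1494        ESTABLISHED
  TCP    192.168.20.60:49650    192.168.20.11:445      ESTABLISHED
  TCP    192.168.20.60:49801    192.168.20.12:443      TIME_WAIT
'@ -split "`r?`n"

$report = Get-HdxRouteReport -NetstatLines $sampleNetstat -Gateways $GatewayIPs -HdxPorts $DirectHdxPorts
$report | Format-Table -AutoSize

# Any DirectHdx row means a session is not being forced through a gateway.
$direct = @($report | Where-Object { $_.Verdict -eq 'DirectHdx' })
if ($direct.Count -gt 0) {
    Write-Warning ('{0} direct HDX connection(s) bypass NetScaler Gateway' -f $direct.Count)
}
```

With the constructed sample, the two gateway connections are reported as ViaGateway and the 192.0.2.21:1494 connection as DirectHdx.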

Exercise Summary
In this lab, we demonstrated the configuration for optimal routing and how optimal routing
overrides the Remote Access configuration.

Exercise 4
Configure Failover for StoreFront Sites with user group
site pinning
Overview
In this exercise, we are going to configure two user groups for user site pinning. In each group, we
will configure failover order for redundancy. In this lab, we are also going to leverage the domain
local group to manually failover users from one site to another.

Step by step guidance


Estimated time to complete this lab: 30 minutes.

Step Action
1. Log on to the Site2-CDC2 VM using the remote\CitrixAdmin and Citrix123 credentials.
Right-click the PowerShell icon in the taskbar and select Run as Administrator to open
the PowerShell console in Administrator mode.

Click Yes in the User Account Control message.

2. Type Notepad in PowerShell and press Enter to launch Notepad with Administrator
rights.

3. Click File > Open and open the c:\inetpub\wwwroot\Citrix\Store2\Web.config file
using Notepad. Note: You might need to change the Filter to All Files in order to see the
Web.config file.

4. Press Ctrl+F and find the resourcesWingConfigurations section in the Web.config file.

5. In PowerShell, type Notepad and press Enter to open a second Notepad.
In Notepad, click File > Open and type \\AD2\Software\Lab files\Site2 StoreFront
failover Sample.txt in the File name field and press Enter. Click Edit > Select All and
Edit > Copy.
Replace the <resourcesWingConfigurations> section in the Web.config file with the text
copied from the sample file.
Select the following text in the Web.config file in Notepad. Right-click the selected text
and click Paste to replace the text with the text from the Sample file. The original text
should be replaced.

(In this configuration the Group SID is required. We can use the PSGetSID.exe tool
from Microsoft to get the required SID.) The PSGetSID tool is installed on the AD2 and
Site2-CDC2 servers. In this lab, the sample configuration file already has the Group
SID entered.
<resourcesWingConfigurations>
  <resourcesWingConfiguration name="Default" wingName="Default">
    <userFarmMappings>
      <clear />
      <userFarmMapping name="user_mapping_Site2_Store2_Site1Primary">
        <groups>
          <group name="Remote\Site1Users" sid="S-1-5-21-3712741401-4088014674-3169384540-2103" />
        </groups>
        <equivalentFarmSets>
          <equivalentFarmSet name="Site1" loadBalanceMode="Failover" aggregationGroup="Site1_Site2_Aggregate_Failover">
            <primaryFarmRefs>
              <farm name="Site1" />
            </primaryFarmRefs>
            <backupFarmRefs>
              <farm name="Site2" />
            </backupFarmRefs>
          </equivalentFarmSet>
        </equivalentFarmSets>
      </userFarmMapping>
      <userFarmMapping name="user_mapping_Site2_Store2_Site2Primary">
        <groups>
          <group name="Remote\Site2Users" sid="S-1-5-21-3712741401-4088014674-3169384540-2102" />
        </groups>
6. Click File > Save in Notepad to save the web.config file.
Close the Notepad window containing the Site2 StoreFront failover Sample.txt file.

7. Configure the AD domain local group.


Log on to Site2-AD2.remote.lab using the remote.lab\Citrixadmin and Citrix123
credentials.
Open Server Manager > Tools > Active Directory Users and Computers.
Double-click remote.lab > Users. Right-click Site1Primary and click Add to a group….
Click Advanced > Find Now > Site1Users and click OK. Click OK and then click OK in
the message.

Right-click Site2Primary and click Add to a group…. Click Advanced > Find Now >
Site2Users and click OK. Click OK and then click OK in the message.

8. Log off of the Site2-Student2 PC and log on again using the remote\user1 and Citrix456
credentials. (Because of pass-through authentication, it is recommended that a user who is
still logged on from the last exercise log off and then log back on to get a new logon token.)
Click Start > Citrix Receiver. Click Remove in the message that appears stating that
some apps are no longer available. Click + and verify that only the Office 2007
applications (from Site 1) are shown in the application list.
Log off User1 from the Site2-Student2 PC and then log on using the remote\User2 and
Citrix456 credentials.
Click Start > All Programs > Citrix Receiver and verify that only the Office 2010
applications (from Site 2) are shown in the application list.
Log off User2 from the Site2-Student2 PC and then log on using the remote\CitrixAdmin
and Citrix123 credentials.
Click Start > Citrix Receiver and verify that no applications are shown in the list. This
is because CitrixAdmin is not a member of any of the groups defined in the site
configuration. An administrator can also use the group site pinning feature to filter
remote access user assignment, adding an additional layer of access control.
Note: The Delivery Groups on Site1 and Site2 are assigned to Remote.lab\Domain Users and
Training.lab\Domain Users, but the StoreFront server filters access based on the
groups defined in the Web.config for the store.

9. Fail over the user from Site1 to Site2 by adding the user group Site1Primary to
Site2Users and then removing Site1Primary from the Site1Users group. (This helps
administrators migrate large numbers of users from one Site to another by just moving
a user group.)
On the Site2-AD2.remote.lab VM, log on using the remote\CitrixAdmin and Citrix123
credentials.
Open Server Manager > Tools > Active Directory Users and Computers.
Double-click remote.lab > Users. Right-click Site1Primary and click Add to a group….
Click Advanced > Find Now > Site2Users. Click OK and then click OK in the
message.
Right-click the Site1Users group and click Properties. Click the Members tab, select
Site1Primary and click Remove. Click Yes and then click OK.

10. Log on to the Site2-Student2-PC VM with the Remote\User1 and Citrix456 credentials
to test whether the server assignment changed to Site2. (Click Start > Citrix Receiver,
you should see Office 2010.)
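
Because site pinning depends on the group SIDs entered in Web.config, it is worth checking that each configured sid still resolves to the group named beside it. The following script is an added example, not part of the lab files; the status labels and the Resolve-GroupSid helper are hypothetical names, and it assumes the section carries no XML namespace and that the script runs on a domain-joined StoreFront server.

```powershell
# Added example, not part of the lab files: audit the site pinning section of a
# store's Web.config. Run on a domain-joined StoreFront server.
param(
    # Path used in this lab; change it for other stores.
    [string]$ConfigPath = 'C:\inetpub\wwwroot\Citrix\Store2\Web.config'
)

# Hypothetical helper: translate DOMAIN\Group to its SID string, or $null on failure.
function Resolve-GroupSid {
    param([string]$Name)
    try {
        $account = New-Object System.Security.Principal.NTAccount($Name)
        return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null   # the name does not resolve from this machine
    }
}

[xml]$config = Get-Content -LiteralPath $ConfigPath -Raw
# Assumption: the section carries no XML namespace, as in the sample used in this lab.
$mappings = $config.SelectNodes('//resourcesWingConfigurations//userFarmMapping')
if ($mappings.Count -eq 0) { throw "No userFarmMapping elements found in $ConfigPath" }

foreach ($mapping in $mappings) {
    $set = $mapping.SelectSingleNode('equivalentFarmSets/equivalentFarmSet')
    if (-not $set) { Write-Warning "$($mapping.GetAttribute('name')): no equivalentFarmSet"; continue }
    $primary = @($set.SelectNodes('primaryFarmRefs/farm') | ForEach-Object { $_.GetAttribute('name') })
    $backup  = @($set.SelectNodes('backupFarmRefs/farm')  | ForEach-Object { $_.GetAttribute('name') })

    foreach ($group in $mapping.SelectNodes('groups/group')) {
        $configured = $group.GetAttribute('sid')
        $resolved   = Resolve-GroupSid -Name $group.GetAttribute('name')
        $status = if (-not $resolved) { 'NAME UNRESOLVED' } elseif ($resolved -eq $configured) { 'OK' } else { 'SID MISMATCH' }

        # One row per pinned group: who is pinned, to which farms, and whether the SID checks out.
        [pscustomobject]@{
            Mapping       = $mapping.GetAttribute('name')
            Group         = $group.GetAttribute('name')
            ConfiguredSid = $configured
            ResolvedSid   = $resolved
            Primary       = $primary -join ','
            Backup        = $backup -join ','
            Mode          = $set.GetAttribute('loadBalanceMode')
            Status        = $status
        }
    }
}
```

Any row whose Status is not OK points at a group entry that was mistyped or copied from another environment and should be corrected before users are moved between groups.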

Exercise Summary
In this exercise, we configured StoreFront user group-based site pinning. Within each site pinning
group, we configured a primary site and a backup site. We also tested the failover of user site
pinning, which can be used by an administrator to move all Site1 users to Site2 without modifying the
StoreFront server configuration.

Exercise 5
Application Filtering in StoreFront
Overview
In this exercise, we are going to enable the Application Filtering feature on StoreFront.

Step by step guidance


Estimated time to complete this lab: 20 minutes.

Step Action
1. Log on to Site2-CDC2 VM using the Remote\citrixadmin and Citrix123 credentials.
Right-click the PowerShell icon in the taskbar and click Run as Administrator. Click
Yes in the User Account Control message.

2. Load the StoreFront PowerShell modules using the following steps.
Type Notepad at the PowerShell prompt and press Enter.
Click File > Open in Notepad, type \\AD2\software\lab files\Hide Application by
Type.txt in the File name field and click Open.
Select the following text in the file and press Ctrl+C to copy the text to the clipboard.
$dsInstallProp = Get-ItemProperty `
    -Path HKLM:\SOFTWARE\Citrix\DeliveryServicesManagement -Name InstallDir
$dsInstallDir = $dsInstallProp.InstallDir
& $dsInstallDir\..\Scripts\ImportModules.ps1

Click in PowerShell at the prompt and press Ctrl+V to paste the selected text into
PowerShell. Note: If the text does not paste, right-click the mouse at the command
prompt.
Press Enter to run the command. The PowerShell prompt will appear when the
command has been run successfully.
Select the following text in the file and press Ctrl+C to copy the text to the clipboard.
Set-DSResourceFilterType -SiteId 1 -VirtualPath "/Citrix/Site2VDI" -IncludeTypes @("Applications")
Click in PowerShell at the prompt and press Ctrl+V to paste the selected text into
PowerShell.
Press Enter to run the command. The PowerShell prompt will appear when the
command has been run successfully.

Notes: -SiteId 1 is the IIS site ID that indicates the location of the site in IIS.
-VirtualPath "/Citrix/Site2VDI" is the store that we are configuring for filtering.

Do not close the PowerShell window; we will use it again in Step 4.

3. Log on to the Site2-Student2-PC VM using the remote\User1 and Citrix456
credentials. Click Start > Citrix Receiver. Click + > All Applications > Hosted
Desktops.
Launch the Hosted Desktop and then log on to Citrix Receiver in the hosted desktop.
(This is to simulate a user using a VDI session with Receiver inside the VDI session.)
Click Hosted Desktops in Citrix Receiver.
Click Read/write access in the message.
Type Citrix Receiver on the Desktop and then press Enter to launch Citrix Receiver.
Log on using the remote\User1 and Citrix456 credentials.
You see only apps, but no desktop.

4. Return to the Site2-CDC2 VM and enable filtering by keyword using PowerShell and the
following steps.
Type the following command at the prompt.
Set-DSResourceFilterKeyword -SiteId 1 -VirtualPath "/Citrix/Site2VDI" -ExcludeKeywords @("HideFromVDI")
Note: There is a space before the @ sign, but not after the @ sign.
Press Enter to run the command.

This filters resources by keyword. In this case, we are hiding applications that have
"HideFromVDI" in their keywords.

5. Log on to Site1-CDC1 using the training\Citrixadmin and Citrix123 credentials. Note:
The domain name is “training” not “remote” as was used in the past.
Open Citrix Studio. If a User Account Control message appears, click Yes.
Click Citrix Studio > Delivery Groups > Applications tab.
Right-click Inkscape and click Properties in the Actions pane.
Add KEYWORDS:Featured HideFromVDI in the Description and keywords field (with a
“space” after Featured) and then click OK.

Select Microsoft Office OneNote 2007 from the Applications tab in Studio.
Click Properties in the Actions pane.
Add KEYWORDS: mandatory to the Description and keywords field and then click OK.

6. Log on to Site2-Student2-PC using the Remote\User2 and Citrix456 credentials.
Start Hosted Desktops to open as a VDI session. (Again, we will run Citrix Receiver
inside the VDI session for this application keyword filter example.)
Click Read/write access in the HDX File Access message.
From within the Hosted Desktops VDI, click the down arrow > Citrix Receiver and log
on using the Remote\User2 and Citrix456 credentials. (We did not enable pass-through
authentication on the Site2-XA2 server.)
Verify the application list. (Site1 and Site2 content was merged. There is no Desktop and
no Inkscape app. Microsoft Office OneNote 2007 is displayed on the application page
and cannot be permanently removed. That is, it will come back when you next log on.)
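
Before users log on, an administrator can preview which published applications the keyword filter from Step 4 will hide. The following is an added example, not part of the lab files: the function names are hypothetical, the two sample applications are constructed from the edits made in Step 5, and it assumes keywords follow "KEYWORDS:" in the description, are separated by spaces and are compared without regard to case.

```powershell
# Added example (not from the lab files). Assumes keywords follow "KEYWORDS:" in the
# application description, separated by spaces, and are compared case-insensitively.
function Get-AppKeyword {
    param([string]$Description)
    # Capture everything after KEYWORDS: up to the end of that line.
    if ($Description -match 'KEYWORDS:\s*([^\r\n]*)') {
        return @($Matches[1] -split '\s+' | Where-Object { $_ })
    }
    return @()
}

function Get-FilterPreview {
    param(
        [Parameter(Mandatory = $true)]
        [object[]]$Application,                       # objects with Name and Description
        [string[]]$ExcludeKeywords = @('HideFromVDI') # value passed to -ExcludeKeywords in Step 4
    )
    foreach ($app in $Application) {
        $keywords = @(Get-AppKeyword -Description $app.Description)
        # -contains is case-insensitive, matching the assumption stated above.
        $hits = @($keywords | Where-Object { $ExcludeKeywords -contains $_ })
        [pscustomobject]@{
            Name     = $app.Name
            Keywords = $keywords -join ' '
            Hidden   = ($hits.Count -gt 0)
        }
    }
}

# Constructed sample mirroring the two applications edited in Step 5.
$sample = @(
    [pscustomobject]@{ Name = 'Inkscape'; Description = 'KEYWORDS:Featured HideFromVDI' }
    [pscustomobject]@{ Name = 'Microsoft Office OneNote 2007'; Description = 'KEYWORDS: mandatory' }
)

Get-FilterPreview -Application $sample | Format-Table -AutoSize
```

On a Delivery Controller, the output of Get-BrokerApplication can be passed to -Application in place of the constructed sample, since those objects also expose Name and Description.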

Exercise Summary
In this lab, we enabled the application filtering feature to filter out the applications presented to the
users accessing the internal Site2VDI store used by the VDI session hosted on Site2-XA2 server.

Exercise 6
Configure Locked down store and user self-service store activation process
Overview
In this exercise, you will configure a locked-down store, which displays all applications users have
access to and locks down the subscription for the user. This is not recommended in environments
where users have access to hundreds of apps, because the store might be difficult for users to use.
However, it offers a good mandatory application delivery solution without using Keyword options as
you did in Exercise 5.

Step by step guidance


Estimated time to complete this lab: 20 minutes.

Step Action
1. Log on to Site1-CDC1 using the Training\CitrixAdmin and Citrix123 credentials.
Right-click the PowerShell icon in the taskbar and click Run as Administrator. Click
Yes in the User Account Control message.

Type Notepad at the PowerShell prompt and press Enter.


Click File > Open and navigate to the C:\inetpub\wwwroot\Citrix\Store1\web.config
file. Click Open to open the file.
Press Ctrl+F and find StoreLockedDown in the file.
Change to StoreLockedDown="true".
Click File > Save to save the web.config file and then close Notepad.

2. From the Student Desktop, open Internet Explorer or the Google Chrome browser.
Type https://sf1.mycitrixtraining.net in the Address field and press Enter.
Log on using the training\user1 and Citrix123 credentials. (Note that this is user1 in the
Training domain and the password is different from the Remote domain.)
Click the Apps tab. All applications show up in the Receiver for Web.

3. Activate the Citrix Receiver subscription.


In the Citrix Receiver window, click the User One drop-down menu and click Activate….

4. Click Open to download the receiverconfig.cr file. Note: In Google Chrome, click the
down arrow to the right of the receiverconfig.cr file button at the bottom of the Receiver
window to access the Open option.

5. Click Add in the message.

6. Log on to Citrix Receiver using the training\user1 and Citrix123 credentials.

7. All applications should be displayed in the Receiver window and the user should get an
Updates are available message indicating that the GoToMeeting plugin needs to be
downloaded. If the message does not appear, check the taskbar. The message may be
hidden behind the current window.

Click Update Now and the download will start in the background.

Close both instances of Receiver for Web.

Exercise Summary
In this exercise, you enabled the Store Locked Down feature to force all applications to be listed for
the user. In addition, you also tested the user self-service store activation process from a
non-domain joined external device.

Exercise 7
Enable HTML5 client for StoreFront
Overview
In this exercise, we will enable HTML5 Client access for StoreFront and set up the required policy in
Citrix Studio.

Step by step guidance


Estimated time to complete this lab: 20 minutes.

Step Action
1. Log on to the Site1-CDC1 VM in XenCenter using the Training\CitrixAdmin and
Citrix123 credentials.
Open Citrix Studio from the taskbar.
Click the Policies node. If the Welcome screen appears, click Close.
Click Create Policy in the Actions pane.

2. Enable WebSockets to support the HTML5 client. Note: The WebSocket protocol
enables two-way communication between browser-based applications and servers
without opening multiple HTTP connections. Having fewer connections enhances
security and reduces overhead on the XenApp server.
Type websockets in the Search field and press Enter.

Select WebSockets connections and then click Select.


Select Allowed and then click OK.

Click Next.
Click Assign to the right of Delivery Group.

3. Select XenApp Hosted Desktop from the Delivery Group drop-down menu and click
OK.

Click Next.

4. Click Finish.

5. Expand the Citrix StoreFront node and click Receiver for Web. Select Store1
Receiver2 and click Deploy Citrix Receiver in the Actions pane.

6. Select Always use Receiver for HTML5 and click OK.


Note: Receiver for HTML5 is a zero install client allowing connection to XenApp and
XenDesktop resources from Chrome and Firefox browsers. This client is useful in
environments where a native client is not installed or cannot be installed.

Notice the HTML 5 client version on the Store1 Receiver2 page.

7. On the Student Desktop, open the Google Chrome browser.
Type sf1.mycitrixtraining.net in the Address field and press Enter. Log on using the
training\User1 and Citrix123 credentials.
Click Apps and the Inkscape application.
Notice that a new tab opened in the browser.

Exercise Summary
In this lab, we configured the HTML5 Receiver and enabled the required WebSockets policy.


Revision   Change Descriptions   Updated By   Date
1.0        Original Version      James Hsu    May 2014
