It has been a while since I last talked about StoreFront and Citrix Gateway integration (2014, eek!). The focus at that time was on Web Interface Gateway integration and on how things were changing with StoreFront: for example, that you could bind multiple Gateway definitions to a single Store, and that Gateway authentication and ICA Proxy were now tied together. Now that most of the customers I interact with are off Web Interface, I thought it was time to revisit some of the more advanced Gateway integration settings with StoreFront, irrespective of Web Interface, since (shockingly) some things have changed since 2014!

Rules of the Road

We will start with some cardinal rules you should know about how StoreFront identifies Citrix Gateway-sourced traffic. First, StoreFront identifies Citrix Gateway traffic based on the Gateway URL. The URL users are accessing is passed back to StoreFront from Citrix Gateway via the XCitrixVia HTTP header. The flow is: a user authenticates at Citrix Gateway, the Gateway inserts the URL hostname into the XCitrixVia HTTP header, and it passes that information back to StoreFront along with an attempt to SSO using the “AGBasic” authentication method. StoreFront will only accept authentication traffic from URLs it knows about. That means the “NetScaler Gateway URL” field in the StoreFront configuration pictured below is critical and should match the URL users are using.

If you try to authenticate from a Gateway address not listed in StoreFront, users will be prompted for credentials at StoreFront again (Gateway passthrough will fail), and you will see the warning below in the Citrix Delivery Services event log, from the Citrix Authentication Service, stating that it could not match a Gateway in its list against the request. Note that the event details list the XCitrixVia header contents (the Gateway address used) and also the XCitrixViaVIP header, which we will talk about next.
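The matching rule above can be checked before users hit the double prompt. The following Python sketch is an added example, not code from the original post or from Citrix: it compares the Gateway URLs configured in StoreFront with the hostnames users actually reach (for instance, XCitrixVia values copied from the event details). The function names and hostnames are hypothetical, and comparing hostnames case-insensitively while ignoring the port is an assumption about how the match is made.

```python
import difflib
from urllib.parse import urlsplit


def gateway_host(value):
    """Return the lower-cased hostname from a URL or a bare host[:port] string."""
    value = value.strip()
    if "://" not in value:
        value = "https://" + value  # the header carries a hostname, not a full URL
    host = urlsplit(value).hostname or ""
    return host.rstrip(".").lower()


def audit_gateways(configured_urls, observed_via):
    """Compare configured Gateway URLs with hostnames seen in XCitrixVia.

    Assumption (not stated on the page): the match is on hostname only,
    case-insensitive, with the port ignored.
    """
    known = sorted({gateway_host(u) for u in configured_urls} - {""})
    seen = {gateway_host(v) for v in observed_via}
    unmatched = {}
    for host in sorted(seen - set(known)):
        # A near miss usually means a typo in DNS, the vServer, or StoreFront.
        close = difflib.get_close_matches(host, known, n=1, cutoff=0.8)
        unmatched[host] = close[0] if close else None
    return {
        "matched": sorted(seen & set(known)),  # passthrough expected to work
        "unmatched": unmatched,                # users would be prompted again
        "unused": sorted(set(known) - seen),   # configured but never observed
    }


# Constructed sample data: none of these names come from the original post.
CONFIGURED = [
    "https://gateway.example.com",
    "https://remote.example.com/",
    "https://old-gw.example.com",
]
OBSERVED = [
    "gateway.example.com",
    "GATEWAY.example.com",
    "remote.example.com:443",
    "gatway.example.com",
    "vpn.example.net",
]

if __name__ == "__main__":
    for key, value in audit_gateways(CONFIGURED, OBSERVED).items():
        print(key, value)
```

Every hostname reported under `unmatched` corresponds to a Gateway address that StoreFront would not recognise, so those users would see the second credential prompt described above.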

