The idea behind optimal NetScaler Gateway routing for a Storefront store is quite simple and useful in some specific scenarios. This architecture allows you to route the user authentication to the loadbalanced StoreFront server, but will have the launch of ICA session pass through the NetScaler so that the connection is secured, because the connection between Receiver and StoreFront is done through HTTPS. The credential handling is secure between the client machine and the StoreFront servers. With the customization done to StoreFront servers, the ICA Ticket then routes the user connection through the Netscaler.
Enabling this architecture in Storefront 3.x is much simpler then in previous versions of Storefront (2.6 and older), when you basically had to do the following by modifying the web.config file located at C:\inetpub\wwwroot\Citrix\Store\web.config, to direct your Storefront servers to route user ICA connections through your NetScaler Gateway.
Modify enabledOnDirectAccess=”true” in the “optimalGatewayForFarmsCollection” key.
<optimalGatewayForFarmsCollection> <optimalGatewayForFarms enabledOnDirectAccess="true"> <farms> <farm name="farmname" /> </farms> <optimalGateway key="_" name="deploymentname" stasUseLoadBalancing="{true | false}" stasBypassDuration="hh:mm:ss" enableSessionReliability="{true | false}" useTwoTickets="{true | false}"> <hostnames> <add hostname="appliancefqdn:port" /> </hostnames> <staUrls> <add staUrl="https://stapath/scripts/ctxsta.dll" /> </staUrls> </optimalGateway> </optimalGatewayForFarms> <optimalGatewayForFarms> ... </optimalGatewayForFarms> </optimalGatewayForFarmsCollection>
So if you are running Storefront 3.x, you just have to use some powershell commands to achieve the same functionality.
Let’s suppose we do have more then one farm configured on our Storefront 3.5, and we decided to route all ICA connections (regardless of which farm the user start an application or a desktop from) through our Netscaler Gateway.
First of all you may need to temporary modify the powershell ExecutionPolicy to determine which Windows PowerShell scripts (if any) will be allowed to run on your primary Storefront server (Be careful here. You need to do this just on one Storefront server and then propagate the Changes to the rest of the Group members). Windows PowerShell has four different execution policies:
AllSigned – Only scripts signed by a trusted publisher can be run.
RemoteSigned – Downloaded scripts must be signed by a trusted publisher before they can be run.
Unrestricted – No restrictions; all Windows PowerShell scripts can be run.
Set-ExecutionPolicy Unrestricted
Now start by importing the Storefront modules by typing the following:
&”C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1″
$STAUrls = “http://ip-to-sta-server-01/scripts/ctxsta.dll“,”http://ip-to-sta-server-02/scripts/ctxsta.dll“
$GatewayName = “Gateway name”
$GatewayHostNames = “FQDN of Gateway name”
$IISSiteID = 1
$VirtualPath = “/Citrix/Store”
[string[]] $FarmNames = @()
$FarmSet = Get-DSFarmSets -IISSiteId $IISSiteID -VirtualPath $VirtualPath
foreach($farm in $FarmSet.Farms) { $FarmNames += $farm.FarmName }
Set-DSOptimalGatewayForFarms -SiteId $IISSiteID -ResourcesVirtualPath $VirtualPath -GatewayName $GatewayName -Hostnames $GatewayHostNames -StaUrls $STAUrls -StasUseLoadBalancing:$false -StasBypassDuration 00.02:00:00 -EnableSessionReliability:$true -UseTwoTickets:$true -EnabledOnDirectAccess:$true -Farms $FarmNames