StoreFront location – in DMZ or Not in DMZ ?

/, XenApp, XenDesktop/StoreFront location – in DMZ or Not in DMZ ?

StoreFront location – in DMZ or Not in DMZ ?

Share this post

This is obvious for all of us working with Citrix technologies that StoreFront (and Web Interface before) is the central place where all company resources like applications and desktops available for any particular user are aggregated and displayed to make access to these resources easy and intuitive. There are many posts with short or long description of installation process – you can find such post also on my blog 🙂 but  it’s no so easy to find the answer to the questions: where in our infrastructure StoreFront server should be located and what are the main criteria to select proper location for this service.

In this article I will focus on the StoreFront infrastructure design where Netscaler Gateway is always used as single, secure point of access for remote users. To make design easier and more accurate I also assume that Netscaler is installed in DMZ, therefore I don not describe the solution where Netscaler is not used or is installed in secure network.

The location in which you deploy the StoreFront depends on a number of factors, including:

  • Security – verify required security level and select the scenario which will be complaint with approved company standards.
  • Authentication – when users log on, either NetScaler Gateway or the StoreFront can authenticate user credentials. The location where you place the StoreFront in your network is a factor that determines, where users will be authenticated.
  • User software – users can connect to the StoreFront with either the NetScaler Gateway Plug-in or Citrix Receiver. You can limit the resources users can access by using Citrix Receiver only, or give users greater network access with the NetScaler Gateway Plug-in. How users connect, and the resources to which you allow users to connect can help determine where you deploy the StoreFront in your network.

The configuration of your network and your security policies determines where you deploy StoreFront to allow remote users to access published resources. Three possible StoreFront deployment scenarios are the following:

1. StoreFront in the Secure Network

In this scenario, the StoreFront resides in the secure, internal network. NetScaler Gateway is installed in the DMZ and authenticates user requests before sending the requests to the StoreFront. The StoreFront does not perform authentication, but interacts with the STA and generates an ICA file to ensure that ICA traffic is routed through NetScaler Gateway to the proper server. For small installations this is the default deployment scenario. The example of this design is shown in the Figure 1.

Figure 1

Figure 1

Important note: When the StoreFront is located in the secure network, authentication should be enabled on NetScaler Gateway, otherwise unauthenticated HTTP requests are sent directly to the server running the StoreFront. Disabling authentication on NetScaler Gateway is recommended only when the StoreFront is in the DMZ and users connect directly to the StoreFront.

2. StoreFront in the DMZ

In this scenario decision where user will be authenticated determines where StoreFront will be located according to location of Netscaler gateway. There are two configurations possible:

2a. StoreFront behind NetScaler Gateway in the DMZ

In this configuration, as shown in figure 2, both NetScaler Gateway and StoreFront are deployed in the DMZ and authentication is configured on NetScaler Gateway. When users log on with Citrix Receiver, the appliance sends the NetScaler Gateway logon page to the user. The user enters authentication credentials on the logon page and the appliance authenticates the user. NetScaler Gateway then returns the user credentials to the StoreFront. NetScaler Gateway acts as a reverse web proxy for the StoreFront to route all HTTPS and ICA traffic through a single external port and require the use of a single SSL certificate.

Figure 2

Figure 2

2b. StoreFront parallel to the NetScaler Gateway in the DMZ

In this configuration, as shown in figure 3, both NetScaler Gateway and the StoreFront are deployed in the DMZ and authentication is disabled on NetScaler Gateway. Users connect directly to the StoreFront by using a web browser or Citrix Receiver. The connection occur as follows:

  • User connections are first sent to the StoreFront for authentication. After authentication, the connections are routed through NetScaler Gateway.
  • After users log on successfully to the StoreFront, they can access published applications or desktops in the server farm.
  • When users start an application or desktop, the StoreFront sends an ICA file containing instructions for routing ICA traffic through NetScaler Gateway as if it were a server running the Secure Gateway.
  • The ICA file delivered by the StoreFront includes a session ticket produced by the Secure Ticket Authority (STA). When Citrix Receiver connects to NetScaler Gateway, the ticket is presented. NetScaler Gateway contacts the STA to validate the session ticket. If the ticket is still valid, the user’s ICA traffic is relayed to the server in the server farm.

 

Figure 3

Figure 3

3. StoreFront in the double-hop DMZ

Double-hop DMZ is used to provide an extra security level and is based on three firewalls to divide the DMZ into two stages.  You can deploy NetScaler Gateway appliances in a double-hop DMZ to control access to servers running Citrix XenApp. The connections in a double-hop deployment occur as follows:

  • Users connect to NetScaler Gateway in the first DMZ by using a web browser and by using Citrix Receiver to select a published application.
  • Citrix Receiver starts on the user device.
  • The user connects to NetScaler Gateway to access the published application running in the server farm in the secure network.
  • NetScaler Gateway in the first DMZ handles user connections and performs the security functions of an SSL VPN. This NetScaler Gateway encrypts user connections, determines how the users are authenticated, and controls access to the servers in the internal network.
  • NetScaler Gateway in the second DMZ serves as a NetScaler Gateway proxy device. This NetScaler Gateway enables the ICA traffic to traverse the second DMZ to complete user connections to the server farm.
  • Communications between NetScaler Gateway in the first DMZ and the Secure Ticket Authority (STA) in the secure network are also proxied through NetScaler Gateway in the second DMZ.
Known limitations:
If you deploy NetScaler Gateway in a double-hop DMZ with StoreFront, email-based auto-discovery for Receiver does not work.
Worx Home and the NetScaler Gateway Plug-in are not supported in a double-hop DMZ deployment. Only Citrix Receiver is used for user connections.
If you deploy NetScaler Gateway in a second DMZ in two-hop setup you can only use ICA Proxy functionality. End Point Analysis are not available.

The standard double-hop DMZ configuration with Citrix StoreFront installed parallel to the NetScaler Gateway proxy is shown in Figure 4 . Users connect by using Citrix Receiver.

 

Figure 4

Figure 4

 

Important Note: The infrastructure design shown in Figure 4 describes a double-hop configuration using three firewalls with StoreFront installed in the second DMZ. You can also have a double-hop DMZ with one appliance in the DMZ and one appliance in the secure network. If you configure a double-hop configuration with one appliance in the DMZ and one in the secure network, there is no need to open additional ports on the third firewall.

 In the next post I will describe how the communication flow works in double-hop DMZ. Stay tuned for update.

 

By | 2016-12-18T19:21:33+00:00 August 7th, 2014|StoreFront, XenApp, XenDesktop|5 Comments

About the Author:

I’m a Citrix Architect with 17 years experience in Microsoft and Citrix infrastructure. I have been working with Citrix since Metaframe 1.8 and my primary focus is on Server, Desktop and Application virtualisation with a preference for Citrix products. I’m an enthusiast of Citrix XenDesktop and Provisioning Server.

5 Comments

  1. Brad Myers January 30, 2015 at 4:40 am - Reply

    In the past, we had always had all connections flow through our Citrix Secure Gateways (CSG) and Web Interface, both internal and external. Now we are implementing Netscaler Gateways 10.5 with Storefront 2.6 and my question is.. is it possible to have internal users connect directly to XenApp and XenDesktop service over 1494, and external users come in thru the NS over 443? Is this possible? or recommended even? I ask in part due to limitations on WAN optimization via Riverbeds not being effective with SSL traffic and we’d like to take advantage of ICA optimizations.
    Thanks

  2. Ace February 12, 2015 at 1:25 pm - Reply

    In your StoreFront behind NetScaler Gateway in the DMZ.

    whats is the configuration?

    i.e.:-

    a. How will storefront connect to the internal delivery controllers ( 443 on MUST it be connected to the internal domain?)

    b.What ports must be enabled
    443 from external connections
    443 from DMZ storefront server to DNS, AD, CA server,
    443 from DMZ storefront servers to the delivery controllers?

    Thank you

  3. ramesh October 5, 2015 at 9:25 am - Reply

    Hi,

    We need to configure Netscaler Gateway in 2 arm mode, which are the port required for this Configuration. Also, let us know how we need to do this by having 2 Netscaler VPX which are in place.

    Regards

    Ramesh

  4. Manohar June 1, 2017 at 8:43 am - Reply

    Hi,

    End point analysis and Gateway plugin are supported in double-hop scenario.

Leave A Comment

To protect our website from spam. * Time limit is exhausted. Please reload the CAPTCHA.