XenDesktop 7 Pt 5: Configuring Citrix StoreFront

One of the last steps to configure XenDesktop is to set up Citrix StoreFront. What is StoreFront? StoreFront is basically the web tier in a three-tiered architecture (StoreFront, Desktop Controller, SQL database). It’s more than just a pretty face. Citrix Receiver talks directly to StoreFront, even if you never use your browser.

StoreFront 2.0, included in XenDesktop 7, no longer requires a separate database. There is a built-in replication engine that syncs the config between multiple StoreFront servers. That’s great for a DMZ configuration, and just one less database to worry about.

StoreFront is also now a complete replacement for the legacy Web Interface (WI), which is no longer installed and is deprecated in XD7. StoreFront is the only way to interface to your XenDesktop farm. There are various optional StoreFront settings you can tweak, but I’ll skip those here since the goal is just a quick PoC.

XenDesktop 7 Series

Part 1: Role Installation
Part 2: Configure Desktop Studio Site
Part 3: Install VDA
Part 4: Create Machine Catalog
Part 5: Configure StoreFront
Part 6: Create Delivery Group
Part 7: Receiver Configuration
Part 8: Install Server VDA
Part 9: Create Server Machine Catalog
Part 10: Create Application Delivery Group

Citrix StoreFront Configuration

1. First we need to configure IIS to use an SSL certificate. StoreFront is built on IIS, and pre-configuring the SSL certificate saves a step when we create the StoreFront. No special certificate properties are required for StoreFront. You can use any valid server authentication SSL certificate, be it from a Microsoft CA or another trusted CA. Add an HTTPS binding to the IIS Default Web Site.

If you are using a load balancer then you should use a certificate with the StoreFront VIP FQDN (e.g. StoreFront.contoso.com).  I suggest rebooting the server after the certificate is assigned so that all of the Citrix services recognize and bind to the certificate (or should).


2. Now that IIS is secure, go back into Desktop Studio and open the Citrix StoreFront node. For me a store got automatically created, so I deleted it and will show you the manual steps. Click on the Stores node and in the right pane click on Create Store.


3. When the wizard starts enter a store name. I’m not feeling creative tonight, so I called mine Store.


4. Now we need to add the delivery controllers that StoreFront will interface with. Here you can add multiple farms, and a mixture of XenDesktop, XenApp, and other Citrix products. I’ve successfully used StoreFront with both XenDesktop 5.6 and 7.0 farms at the same time. If you are load balancing your desktop controllers you can enter the VIP FQDN here. It would be nice if Citrix added a “Test” button here to check that the controllers are valid. That could help with troubleshooting if the store is empty when you test it.


5. StoreFront also interfaces very nicely with the NetScaler AccessGateway. So here you can configure how users will be accessing the XenDesktop infrastructure. AccessGateway is out of scope for this series, so I’ll skip that step and finish the wizard.


6. Once the store is created it will give you the web browser URL that you can use to access it. Now during my PoC install StoreFront didn’t recognize my SSL certificate, even though IIS was using it. Plus, you may need to customize the URL for a load-balanced FQDN. This is easily accomplished via a PowerShell command. Citrix: Please put this in the GUI, and warn about SSL issues during the StoreFront creation.

Also take note that to access StoreFront from a web browser you must append “Web” to the store URL, as the URL shows below. Don’t try going to /Citrix/Store as that won’t work.


7. To change the StoreFront base URL you can go to the Server Group node and in the right pane select Change Base URL. Here I changed the URL to use HTTPS. If you are using a load balancer for StoreFront you could change the FQDN to the VIP.


8. Back in the StoreFront console, after refreshing, you can see that the service is using HTTPS.


9. One quick tweak to make authentication easier is to set a default domain. This way the user doesn’t have to enter a domain when authenticating to the StoreFront web site. Locate the Authentication node, then in the right pane click on Configure Trusted Domains.


And that’s pretty much it to get an operational StoreFront. If you open your browser and go to the full web store URL you should get a green bubbly Citrix receiver page.


In Part 6 we configure a delivery group, which defines what users can access our VDI resources.
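
Step 1 above can also be scripted. The following is an added example, not part of the original post or Citrix tooling: it picks a certificate from the computer store that is actually usable for the StoreFront name and binds it to the Default Web Site. The FQDN is an assumed value taken from the load balancer example in step 1.

```powershell
# Added example, not from the original post. $Fqdn and $Site are assumed values.
Import-Module WebAdministration

$Fqdn = 'StoreFront.contoso.com'        # assumed: StoreFront VIP or server FQDN
$Site = 'Default Web Site'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'    # Server Authentication EKU
$now = Get-Date

# Candidate certificates: private key present, inside the validity period,
# usable for server authentication, and issued for the exact FQDN.
# A wildcard certificate will not match this exact-name test.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ekus  = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $names = @($_.DnsNameList | ForEach-Object { $_.Unicode })
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($ekus.Count -eq 0 -or $ekus -contains $ServerAuthOid) -and
    ($names -contains $Fqdn)
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No usable certificate for $Fqdn in LocalMachine\My" }

# Create the HTTPS binding if the site does not have one yet.
if (-not (Get-WebBinding -Name $Site -Protocol https -Port 443)) {
    New-WebBinding -Name $Site -Protocol https -Port 443 -IPAddress '*'
}

# Attach the certificate only if the binding has none; never silently replace one.
$binding = Get-WebBinding -Name $Site -Protocol https -Port 443
if (-not $binding.certificateHash) {
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
} elseif ($binding.certificateHash -ne $cert.Thumbprint) {
    Write-Warning "Binding already uses $($binding.certificateHash); not replacing it."
}

# Show what HTTP.sys will actually serve on port 443.
netsh http show sslcert ipport=0.0.0.0:443
```

The certificate hash printed by netsh should equal the thumbprint of the selected certificate; a mismatch means IIS is still serving a different certificate.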

XenDesktop 7 Pt 2: Configure Citrix Studio Site

In Part one of my Citrix XenDesktop 7 installation guide we installed all of the XenDesktop 7 components on a single Windows Server 2012 VM. In this second edition we will set up the Citrix Studio site, which connects the XenDesktop 7 Studio to a database, vCenter, storage, and virtual networks.


Configure Citrix Studio Site

1. Launch Desktop Studio and you will see this nice welcome screen. Click on Get Started.


2. We want to configure a full site, so I enter a site name. Queenstown is one of my favorite cities in New Zealand, so let’s use that.


3. Next up is configuring a database. The information for SQL express was pre-populated, so I didn’t have to type in anything. You can also test the database connection, which is a great feature. If you don’t have SQL permissions, then it can generate a script to give to your DBA to run.


4. Licensing is always fun, NOT! Citrix has included a 30-day trial, so you don’t have to futz with the Citrix licensing portal. It also verifies a licensing server connection, and verifies a trusted SSL connection. What’s new in XD7 is the ability to allocate licenses from this wizard instead of navigating through the Citrix licensing portal maze. Great time-saving feature and extremely welcome.


5. Next up is configuring the connection to vCenter. Desktop Studio is picky, as it should be, about the SSL certificate used on the vCenter server. If Desktop Studio has problems contacting the hypervisor, unlike previous versions that were quite unhelpful, you now get this godsend of an error message which takes you directly to the relevant CTX article. You can also view the exact error, which is also entirely understandable:

Citrix.Console.Models.Exceptions.ScriptException Cannot connect to the VCenter server due to a certificate error. Make sure that the appropriate certificates are installed on the VCenter server, and install the appropriate certificates on the same machine that contains all instances of the Host service.


Since I just built up my vCenter server yesterday, I haven’t gone through the process of configuring it for trusted certs. It’s a bit complicated and I still have to follow my own blog to do it properly. So there’s a nice Citrix CTX article on how to trust the self-signed vCenter certificate. You should certainly never do this in production, but in my PoC I want to take the easy route. The solution in the article is to download the vCenter self-signed cert and place it in the computer’s Trusted People certificate store. Quick and easy!

5. Next up you need to set a resource name, choose a cluster, and pick the portgroups that the VDI VMs will use.


6. Configuring storage is easy. Pick the datastores where the provisioned VMs should go. Desktop Studio does NOT support vSphere datastore clusters, which is a huge bummer.


7. I’m not doing App-V, so I skipped that configuration screen. A nice summary is shown at the end of the wizard.


8. A few minutes later I get this nice site configuration screen. New to XD7 is the Test Site feature, which runs through 177 tests to ensure everything is properly set up. Very nice touch.


At this point my Desktop site is up and it’s in a healthy state, just by clicking next through the entire install (minus trusting the vCenter certificate). Next up is installing the VDA on a Windows 7 x64 client, in preparation for creating a machine catalog. You can check out Part 3 here.
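
For the vCenter certificate step above, the risk in trusting a self-signed certificate is trusting the wrong one. The following added example (not from the original post or the CTX article) fetches the certificate vCenter presents and only adds it to the Trusted People store when its thumbprint equals one you read from the vCenter server itself; the host name and thumbprint are assumed placeholders.

```powershell
# Added example, not from the original post. Both values below are assumptions.
$VCenter = 'vcenter.contoso.com'
$ExpectedThumbprint = '<THUMBPRINT-READ-ON-THE-VCENTER-SERVER>'

$X509NS = 'System.Security.Cryptography.X509Certificates'

# Fetch the presented certificate. Validation is skipped on purpose here:
# nothing is sent over the connection, and trust is decided by the
# thumbprint comparison below, not by this handshake.
$tcp = New-Object System.Net.Sockets.TcpClient($VCenter, 443)
try {
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
    $ssl.AuthenticateAsClient($VCenter)
    $served = New-Object "$X509NS.X509Certificate2" -ArgumentList $ssl.RemoteCertificate
} finally {
    $tcp.Close()
}

# Normalise the expected value (spaces and case) before comparing.
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
if ($served.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: server presented $($served.Thumbprint). Nothing was trusted."
}

# Thumbprint verified: add the certificate to LocalMachine\TrustedPeople.
$store = New-Object "$X509NS.X509Store" -ArgumentList 'TrustedPeople', 'LocalMachine'
$store.Open('ReadWrite')
$store.Add($served)
$store.Close()

# Audit: self-signed entries in Trusted People, to clean up before production.
Get-ChildItem Cert:\LocalMachine\TrustedPeople |
    Where-Object { $_.Subject -eq $_.Issuer } |
    Select-Object Subject, Thumbprint, NotAfter
```

With the placeholder left unchanged the script stops at the mismatch and trusts nothing, which is the intended default.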

XenDesktop 7 Pt 1: Role Installation

In case you missed the announcement or my blog post last week, Citrix XenDesktop 7 finally hit the streets. It is a very major release of the product, merging XenDesktop and XenApp into a single management system. Gone are the days of a dozen or more different consoles to manage everything. XenApp has now taken on the XenDesktop model of provisioning and management. It now fully supports Windows 8, Windows Server 2012 and SQL 2012.

I wanted to walk through a PoC setup of XenDesktop 7, so you get a feel of the major changes in this release and the new streamlined installation and configuration process. Prior versions of XenDesktop were not terrible to install, but had different installers for different pieces (such as StoreFront) and didn’t have a unified feel. For the most part, that is now history.

For this PoC I’ll install all of the components on a single Windows Server 2012 with a SQL 2012 express database. In a production environment you’d want redundant Desktop Controllers (brokers) and StoreFront servers (web interfaces), with a clustered database. Both roles can easily be load balanced by a Citrix NetScaler, for high availability. The Citrix NetScaler can also be configured for secure remote access via an ICA/HDX proxy, or full SSL VPN.


XenDesktop 7 Role Installation

The XenDesktop 7 download is a single ISO, with the optional Provisioning Services on a separate ISO. I’m opting to use MCS (Machine Creation Services) with my vSphere 5.1 hosts, so I don’t need the Provisioning Services ISO. I prepared a Windows Server 2012 VM and mounted the XenDesktop 7 ISO.

1. Launch the installer and you will see a unified installer. Since this will be a simple all-in-one server, I clicked in the leftmost box. If you are doing a distributed production install you can use the boxes on the right to install individual components as needed.


2. Next up I was presented with a list of all the roles which I could choose from. Again, I wanted all roles since everything will be on one server.


3. Since I didn’t want to use an external database (SQL Server 2012 with AlwaysOn is a supported configuration) I opted for the built-in SQL Express.


4. Next up the wizard showed me a nice list of ports that each role needs to communicate over. I’m using the Windows firewall, so I let it automatically configure all of the required rules.


5. That’s it! A nice summary page is shown and then I kicked off the installer. It estimated the installation to take 26 minutes. That was quite wrong, and in fact only took 13 minutes on my home QNAP!


At this point you are now ready to launch the Desktop Studio MMC and start doing the configuration. You will also need to configure StoreFront, and a little SSL work. Stay tuned for Part 2, where we start the basic configuration tasks to bring XenDesktop 7 to life.

Import IIS SSL Certificate to Citrix NetScaler

For a recent project I’ve been configuring a Citrix NetScaler (which are wickedly cool) for load balancing of a web service over SSL. The web service is hosted on a Windows server using IIS, so I wanted to re-use the SSL certificate on the NetScaler. The steps to import an IIS SSL certificate to a NetScaler are actually fairly easy. I found various blog articles and Citrix KB articles on the process, but they were a bit convoluted and I thought there had to be an easier process than using OpenSSL and WinSCP/NotePad to manipulate the certificate files.

The first thing you need to do is look in the server’s computer certificate personal store for your IIS certificate. In my case I’m looking for the StoreFront.contoso.net certificate. Since I knew I’d be exporting the whole certificate (including the private key), I made sure when I was requesting the certificate to allow the private key to be exported. You can request certificates from your MS CA a variety of ways, so I’ll assume you can find the option to allow private key export.


Exporting the Certificate

1. Right click on the certificate, select All Tasks, then select Export. You should be presented with the option to export the private key. If not, then your certificate’s private key is “stuck” in the computer’s store and you can’t get it out. Issue a new certificate with the private key export option.


2. Assuming you can export the private key you are now given some options for the PKCS#12 certificate file. You shouldn’t need to select any of the options.


3. Select a strong password to protect the file with. Remember it.

4. Choose an appropriate filename for the certificate. I strongly suggest using the FQDN of the certificate, because the NetScaler will store the files with the name you choose. So don’t do something like “cert.pfx” since you will have no clue what site it is for. In my case I chose StoreFront.contoso.net.pfx.

5. Run through the same export wizard again, but this time select No, do not export the private key.


6. Select Base-64 encoding for your certificate.


7. Again, I suggest using the FQDN of the certificate for the filename (e.g. StoreFront.contoso.net.cer). Make sure the file ends in “.cer”.

8. At this point you should have two certificate files, both with the FQDN, and one ending in .PFX and the other in .cer.
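
Before uploading anything to the NetScaler, it is worth confirming that the two exported files really are the same certificate and that the PFX carries the private key. This is an added example, not part of the original post; the file names follow the naming used in steps 4 and 7 and are assumed to be in the current directory.

```powershell
# Added example, not from the original post. File names follow the post's naming.
$pfxPath = (Resolve-Path '.\StoreFront.contoso.net.pfx').Path
$cerPath = (Resolve-Path '.\StoreFront.contoso.net.cer').Path
$pfxPassword = Read-Host -AsSecureString 'PFX export password'

$X509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$pfx = New-Object $X509 -ArgumentList $pfxPath, $pfxPassword
$cer = New-Object $X509 -ArgumentList $cerPath

$problems = @()

# The PFX must contain the private key, otherwise the import yields no .key file.
if (-not $pfx.HasPrivateKey) {
    $problems += 'PFX carries no private key; re-export with the key.'
}

# Both exports must be the same certificate.
if ($pfx.Thumbprint -ne $cer.Thumbprint) {
    $problems += "Files differ: PFX $($pfx.Thumbprint) vs CER $($cer.Thumbprint)."
}

# Step 6 asks for Base-64; a DER export has no PEM header line.
$firstLine = Get-Content -Path $cerPath -TotalCount 1
if ($firstLine -notmatch '^-----BEGIN CERTIFICATE-----') {
    $problems += '.cer is not Base-64 encoded; export again with Base-64 selected.'
}

# No point installing a certificate that has already expired.
if ($cer.NotAfter -le (Get-Date)) {
    $problems += "Certificate expired on $($cer.NotAfter)."
}

# Release the key material that was loaded from the PFX.
$pfx.Reset()

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    "OK: both files hold certificate $($cer.Thumbprint) for $($cer.Subject)"
}
```

The PFX on the workstation contains the private key, so remove it from there as well once the NetScaler import has succeeded.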


Importing Certificates into NetScaler

1. Logon to your Citrix NetScaler and open the root SSL page. Under Tools click Import PKCS#12.


2. In the import window click on Browse next to the PKCS12 filename (NOT the output file name). Browse to your pfx file. Type in the password you entered during the certificate export process. Enter a new password to protect the private key on the NetScaler (PEM passphrase). In the Output File Name use the FQDN of the certificate and add a .key suffix. Change the encoding format to DES3. The NetScaler will automatically extract the private key from the PFX file and put it into the .key file.


3. Click on Manage Certificates / Keys / CSRs. Upload your .cer file. You should now see three certificate files with your certificate’s FQDN.


4. At this point you can delete the .pfx file if you wish, since we no longer need it. I suggest you do remove it, to reduce clutter on your NetScaler.

5. In the left pane under SSL click on Certificates then in the middle pane click on Install.


6. Enter the FQDN of your certificate in the Certificate-Key Pair Name. For the Certificate File Name select the .cer file you uploaded. For the Private Key File Name select your .key file. Enter the password you entered back in step 2.


7. If all goes well you will now have a new certificate from IIS installed on your NetScaler with no command line effort or manual modification of certificate files.
