Citrix StoreFront Deployment
Overview
This skill provides guidance for planning, deploying, and configuring Citrix StoreFront infrastructure, including store configuration, authentication setup, high availability, and security hardening.
Architecture Considerations
Deployment Models
Single Server
-
Suitable for small environments (<500 users)
-
No built-in redundancy
-
Simple management
Server Group
-
2-5 servers recommended for HA
-
Servers must be within 40ms latency
-
Configuration synchronized automatically
-
Load balanced via NetScaler or NLB
Multi-Site
-
Separate server groups per location
-
Optimal aggregation and roaming
-
Global Server Load Balancing (GSLB)
Sizing Guidelines
Users Servers CPU Memory
<500 1 4 vCPU 4 GB
500-2000 2 4 vCPU 8 GB
2000-5000 3 8 vCPU 8 GB
5000+ 4-5 8 vCPU 16 GB
Deployment Instructions
Prerequisites
Server Requirements
-
Windows Server 2016/2019/2022
-
.NET Framework 4.7.2+
-
IIS with required role services
-
Domain joined (recommended)
Network Requirements
-
Static IP address
-
DNS records (A and optionally SRV)
-
Firewall rules for ports 80/443
-
Access to Delivery Controllers
Certificates
-
SSL certificate from trusted CA
-
Include all DNS names (SAN)
-
Proper certificate chain installed
Installation Steps
Install StoreFront
Mount Citrix ISO and run installer
Select StoreFront role
Default installation path: C:\Program Files\Citrix\Receiver StoreFront
Initial Configuration
-
Launch StoreFront Console
-
Create new deployment
-
Specify base URL (HTTPS recommended)
-
Configure store
Add Delivery Controllers
PowerShell configuration
$storeService = Get-STFStoreService -VirtualPath "/Citrix/Store"
Add-STFStoreFarm -StoreService $storeService -FarmName "Production"
-FarmType XenDesktop -Servers @("DDC1.domain.com", "DDC2.domain.com")
-LoadBalance $true -Port 443
-TransportType HTTPS
Store Configuration
Get store service
$store = Get-STFStoreService -VirtualPath "/Citrix/Store"
Configure store settings
Set-STFStoreService -StoreService $store -LockedDown $true
-AllowSessionReconnect $true
Configure subscription store (favorites)
Enable-STFStorePna -StoreService $store ` -AllowUserPasswordChange $true
Authentication Configuration
Get authentication service
$auth = Get-STFAuthenticationService -VirtualPath "/Citrix/StoreAuth"
Enable authentication methods
Enable-STFAuthenticationServiceProtocol -AuthenticationService $auth ` -Name "ExplicitForms"
For pass-through authentication
Enable-STFAuthenticationServiceProtocol -AuthenticationService $auth ` -Name "IntegratedWindows"
Configure two-factor (requires Gateway)
Enable-STFAuthenticationServiceProtocol -AuthenticationService $auth ` -Name "CitrixAGBasic"
Server Group Configuration
On primary server - get cluster configuration
$cluster = Get-STFClusterConfiguration
On secondary server - join group
Start-STFServerGroupJoin -AuthorizerHostName "PRIMARY-SF.domain.com" ` -Confirm:$false
Verify group membership
Get-STFServerGroup
Propagate configuration changes
Publish-STFServerGroupConfiguration -Confirm:$false
High Availability
Load Balancing Options
NetScaler ADC (Recommended)
-
Layer 7 load balancing
-
Health monitoring
-
SSL offloading
-
Session persistence
Windows NLB
-
Built-in Windows feature
-
Layer 4 load balancing
-
Simpler setup
-
Limited health checks
NetScaler Configuration
StoreFront Service Group
add serviceGroup sg_storefront SSL bind serviceGroup sg_storefront SF1.domain.com 443 bind serviceGroup sg_storefront SF2.domain.com 443
Monitor
add lb monitor mon_storefront STOREFRONT -storename "Store" bind serviceGroup sg_storefront -monitorName mon_storefront
Virtual Server
add lb vserver vs_storefront SSL 10.0.0.100 443 bind lb vserver vs_storefront sg_storefront set lb vserver vs_storefront -persistenceType COOKIEINSERT
Security Hardening
SSL/TLS Configuration
Require HTTPS
Set-STFWebReceiverCommunication -WebReceiverService $receiver ` -RequiredLaunchProtocol "HTTPS"
Configure strong ciphers via IIS/Registry
Disable TLS 1.0, 1.1
Enable TLS 1.2, 1.3
IIS Hardening
-
Remove default IIS headers
-
Configure custom error pages
-
Enable request filtering
-
Set appropriate timeouts
-
Enable logging
Access Control
Configure allowed access methods
Set-STFStoreService -StoreService $store ` -LockedDown $true
Restrict to specific user groups
Configure via Delivery Controller
Troubleshooting
Common Issues
Store not accessible
-
Check IIS application pool running
-
Verify DNS resolution
-
Check SSL certificate binding
-
Review firewall rules
Applications not enumerating
-
Verify Delivery Controller connectivity
-
Check farm configuration
-
Review StoreFront event logs
-
Test XML service on controllers
Authentication failures
-
Verify AD connectivity
-
Check time synchronization
-
Review auth service configuration
-
Check event logs for errors
Log Locations
-
Admin logs: C:\Program Files\Citrix\Receiver StoreFront\admin\Trace
-
Store logs: C:\Program Files\Citrix\Receiver StoreFront\services\Trace
-
Event Viewer: Applications > Citrix Delivery Services
Diagnostic Commands
Export configuration
Export-STFConfiguration -Path "C:\Backup\sf-config.zip"
Test farm connectivity
Test-STFStoreFarm -StoreService $store
Check service status
Get-STFDeployment | Format-List *
Reference Materials
For detailed StoreFront information, see:
-
citrix-knowledge/domain-knowledge/comprehensive-citrix-knowledge.md
-
citrix-knowledge/runbooks/ for operational procedures