Installing Citrix StoreFront 3 Using NetScaler Load-Balancing & HTTPS


It has been a while since I last made a post – exams, personal life and The Witcher 3 all got in the way. But now it's time to change that and post a long-overdue update!

Today I’ve decided to provide a detailed walkthrough from start to finish on the new Citrix StoreFront 3.0 release. StoreFront 3.0 sees some significant changes to the end user experience compared to StoreFront 2.6, and it is well worth your time investigating the new unified GUI for both Citrix Receiver for Web and the Citrix Receiver client. Native Google Chrome support without NPAPI provides another big reason to upgrade to the latest version. To take advantage of these features your users need to upgrade to the new Receiver for Windows 4.3 and Receiver for Mac 12.0 clients.

I would strongly recommend that everyone read this Citrix blog post on StoreFront 3.0.


Commission two StoreFront 3.0 servers in a server group, using NetScaler for monitoring and load-balancing. Provide secure StoreFront access using HTTPS with SSL certificates.

What You Will Need

  • Static IP address for your StoreFront 3.0 servers
  • Free routable IP address for your NetScaler load-balanced (aka LB) virtual IP (aka VIP)
  • For secure HTTPS communications a trusted Certificate Authority (aka CA) to issue an SSL certificate.

My Test Environment

I’ve created a fresh install of all components for this walkthrough to try and keep everything simple.

  • One Active Directory Domain Controller with Certificate Services
  • One XenDesktop 7.6 Delivery Controller
  • Two StoreFront 3.0 servers
  • One NetScaler 10.5 Build 57.7 in 1-arm mode

All Windows Servers run Windows Server 2012 R2 and are joined to my test domain ‘lukedavis.local’.

StoreFront Servers

  • StoreFront server 1 name: SF01
  • StoreFront server 1 IP:
  • StoreFront server 2 name: SF02
  • StoreFront server 2 IP:

NetScaler Server

  • NSIP:
  • SNIP:
  • LB VIP for StoreFront 3.0:

Other Bits Needed

What’s Not Covered

External remote access via a NetScaler Gateway. The built-in wizards made available in the more recent builds of NetScalers do a great job of creating basic remote access for your users. In addition, the new Universal Gateway with NetScaler 11 requires separate investigation!

1.     Create the DNS Record

This DNS record is used to point internal users to the load-balanced StoreFront IP address we will create that allows StoreFront access. Using the NetScaler for load-balancing provides advanced monitoring and load-balancing methods between the StoreFront servers. Once created, this DNS record URL will be used as the ‘base’ URL within StoreFront 3.0.

  1. On your DNS server, create a new A Record. Enter your chosen name for the record and point it to your StoreFront LB VIP that will be used for NetScaler load-balancing.


2.     Installing StoreFront 3.0

The installation of StoreFront 3.0 is very simple. You can download the StoreFront 3.0 installer from here – a Citrix login is required.

  1. On your first dedicated StoreFront server run the downloaded setup wizard. Read and accept the license agreement. Click Next.
  2. StoreFront 3.0 is based on Microsoft’s IIS. This window notifies you that this role will be deployed. Click Next.
  3. Review the components then click Install.
  4. After a completed install, click Finish. Repeat the previous steps on your second StoreFront server.

After clicking Finish the StoreFront 3.0 administration console will auto-launch. Close it for now, as we ought to configure other elements of the setup before we dive in there.

3.     Configuring HTTPS Access

There are three main components to configuring secure connections to StoreFront 3.0 – installing the relevant SSL certificate on the server itself, configuring IIS to use this SSL certificate for HTTPS connections, and defining StoreFront 3.0 to use HTTPS.

Seeing StoreFront 3.0 has installed IIS already for us during its installation setup, I will be using this management console to create a certificate request for my CA to issue a valid internal SSL certificate for our chosen DNS record name storefront.lukedavis.local.

Creating the Certificate Request

  1. On the first StoreFront server open the Internet Information Services (IIS) Manager and open Server Certificates.
  2. Click Create Certificate Request.
  3. Enter in your certificate information. Note Common name will be the StoreFront load-balancing address – so for me this will be ‘storefront.lukecjdavis.local’. Click Next.
  4. Ensure Microsoft RSA SChannel Cryptographic Provider is selected. Select the 2048 bit length. Click Next.
  5. Your certificate request is saved as a text file. Define a location where to save this file and click Finish.

Requesting The Certificate from the Certificate Authority

Now we have our request file, we need to submit this to the domain’s CA so it can generate our SSL certificate for us to install on the StoreFront 3.0 servers.

  1. Open a web browser and browse to your domain CA. For Microsoft Active Directory Certificate Services the URL is http://<your CA server>/certsrv. Click on Request a certificate.
  2. Select advanced certificate request.
  3. Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
  4. Open your certificate request file created in the previous step and copy the contents into the Saved Request field. Under Certificate Template select Web Server and press Submit.
  5. We can now download our certificate! Select Base 64 encoded and click Download certificate. Save it somewhere safe.
  6. Go back to Internet Information Services (IIS) Manager, click Complete Certificate Request under Server Certificates. Browse to the certificate file, enter a Friendly name and ensure the certificate store selected is Personal. Click OK.
  7. Browse on the left to Default Web Site. On the right Actions column click Bindings.
  8. Click Add.
  9. Change the Type to HTTPS. Our imported SSL certificate should be selectable under SSL certificate – ensure it is selected. Click OK.

That’s one server done! Now we need to do the same for the second StoreFront 3.0 server. Rather than create a new certificate request, we can export the existing certificate as a .PFX file and import that into the second StoreFront 3.0 server, saving some time.

  1. On the first StoreFront server open the Internet Information Services (IIS) Manager and open Server Certificates. Right click the server certificate already present and click Export.
  2. Enter a path to export the .pfx file to, and enter a Password and Confirm password. Click OK.
  3. On the second StoreFront 3.0 server open the Internet Information Services (IIS) Manager and open Server Certificates. On the right under Actions select Import…
  4. Under Certificate file (.pfx) browse to the exported certificate. Enter the Password previously entered and ensure the Certificate Store is Personal. Click OK.
  5. Browse on the left to Default Web Site. On the right Actions column click Bindings.
  6. Click Add.
  7. Change the Type to HTTPS. Our imported SSL certificate should be selectable under SSL certificate – ensure it is selected. Click OK.
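
The same import and binding on the second StoreFront server, scripted as an added example (not part of the original post). It assumes a fresh server with no existing HTTPS binding, as in this walkthrough; `C:\Temp\storefront.pfx` is a hypothetical path for the exported file.

```powershell
# Added example. Run in an elevated PowerShell session on the second StoreFront server.
Import-Module WebAdministration

$PfxPath  = 'C:\Temp\storefront.pfx'   # hypothetical path of the exported file
$SiteName = 'Default Web Site'
$Password = Read-Host -Prompt 'PFX password' -AsSecureString   # prompt, never hard-code it

# Refuse to touch a server that already has an HTTPS binding on the site.
if (Get-WebBinding -Name $SiteName -Protocol https -Port 443) {
    throw "An HTTPS binding already exists on '$SiteName'; review it in IIS Manager."
}

# Personal store of the computer account. Without -Exportable the private key
# is marked non-exportable on this server.
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation Cert:\LocalMachine\My -Password $Password |
        Where-Object { $_.HasPrivateKey } |
        Select-Object -First 1

if (-not $cert) { throw 'The PFX did not contain a certificate with a private key.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Create the HTTPS binding and attach the imported certificate to it.
New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
(Get-WebBinding -Name $SiteName -Protocol https -Port 443).AddSslCertificate($cert.Thumbprint, 'My')

# Show what is now bound on port 443; the thumbprint should match the first server.
Get-ChildItem IIS:\SslBindings | Format-Table IPAddress, Port, Thumbprint, Store -AutoSize
```

The exported .pfx file contains the private key and is used once more for the NetScaler import below; delete it once that import is done.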

Now both StoreFront 3.0 servers have the same certificate installed and it is bound to HTTPS connections. We finally need to do the same for the NetScaler. Since the NetScaler is not domain bound, we also need to import the Root CA certificate to verify our server certificate is valid.

  1. Open a web browser and browse to your domain CA. For Microsoft Active Directory Certificate Services the URL is http://<your CA server>/certsrv. Click on Download a CA certificate, certificate chain, or CRL.
  2. Select the CA certificate required, then select Base 64 and click Download CA certificate. Save the certificate somewhere safe.
  3. On the NetScaler under the Configuration tab, browse to Traffic Management -> SSL -> Certificates. Click Install.
  4. Enter a Certificate Name, then select Browse -> Local and select the root certificate you’ve just downloaded. Click Install.
  5. Now for the server certificate. Seeing we have already created a PFX certificate, we can use that certificate type and import it into the NetScaler. NetScalers have a built-in function that allows us to convert the certificate to a format it supports. Browse to Traffic Management -> SSL and select Import PKCS#12.
  6. For the Output File Name enter a relevant name with the .pem extension. Browse to the exported .pfx file used earlier, and enter the relevant password as well. Click OK.
  7. Browse to Traffic Management -> SSL -> Certificates. Click Install.
  8. Enter a relevant Pair Name. Select the .pem file created in Step 6 for both the Certificate File Name and the Key File Name. Select the certificate format as PEM, enter the relevant password and click Install.

4.     Creating The StoreFront 3.0 Site

Now that we have an SSL certificate installed on our StoreFront 3.0 servers, we can configure StoreFront to use HTTPS.

  1. On the first StoreFront 3.0 server open the Citrix StoreFront console. Click Create a new deployment.
  2. Ensure the Base URL uses HTTPS and the URL is the same as the common name specified when generating your SSL certificate earlier. Click Next. Note that this step can take a while to progress to the next window.
  3. Enter a Store name. Click Next.
  4. Click Add to include your XenDesktop delivery controller setup. Afterwards click Next.
  5. In this walkthrough we are not enabling remote access, so leave Remote access set to None. Click Create.
  6. Review then click Finish.

5.     Add The Second StoreFront 3.0 Server

With one server configured, we can now add the second StoreFront 3.0 server to the server group so they have the same configurations. Note that although we are adding this server now, you will still need to manually propagate any new changes between the two servers. The servers do not auto-synchronise unfortunately.

  1. On the first StoreFront 3.0 server in the Citrix StoreFront console, under Server Group click Add Server.
  2. An Authorization code will be displayed. Note this number down, along with your Authorizing server.
  3. On the second StoreFront 3.0 server, open the Citrix StoreFront console and click Join existing server group.
  4. Enter in the appropriate values from the previous step and click Join.
  5. The servers will start pairing up and form a Server Group.

6.     NetScaler Monitoring

StoreFront 3.0 comes with NetScaler monitoring enabled by default – a great addition. However it ships with HTTP monitoring configured – we need to change this to HTTPS.

  • On the first StoreFront server, run PowerShell with Administrative rights (if you don’t do this you get errors later on!). Run the following code:

        $dsInstallProp = Get-ItemProperty -Path HKLM:\SOFTWARE\Citrix\DeliveryServicesManagement -Name InstallDir
        $dsInstallDir = $dsInstallProp.InstallDir
        & $dsInstallDir\..\Scripts\ImportModules.ps1

  • From the same prompt, run the following code to change the value to HTTPS. Keep the server URL as localhost.

        Set-DSServiceMonitorFeature -ServiceUrl https://localhost:443/StorefrontMonitor

  • Once completed, run the same set of commands on the second StoreFront 3.0 server.

7.     NetScaler Load-Balancing

Now all that’s left for this basic setup is to configure the NetScaler for load-balancing the StoreFront services. This will involve the following actions:

  • Adding the two StoreFront 3.0 servers
  • Adding a monitor for these servers
  • Creating a service group for the StoreFront servers
  • Creating a load-balanced vServer
  • Adding the SSL certificate to the NetScaler and binding it to the vServer

After logging into the NetScaler GUI, on the Configuration tab browse to Traffic Management -> Load Balancing -> Servers. Click Add.

  1. Enter the Server Name and the IP Address of the first StoreFront 3.0 server. Click Create.
  2. Repeat the previous step, but this time for your second StoreFront server.
  3. Now for the Monitor. Go to Traffic Management -> Load Balancing -> Monitors. Click Add.
  4. Enter a name for your monitor. Select STOREFRONT as the Type. Towards the bottom of the page select Secure (required since our StoreFront 3.0 server is using HTTPS!).
  5. Click the Special Parameters tab. Enter the StoreFront 3.0 Store Name configured earlier, and select Check Backend Services. Click Create.

     Why enable Check Backend Services? For StoreFront 2.6 or earlier, you have to install a separate add-on package on the StoreFront server to support NetScaler monitoring. This is now integrated in StoreFront 3.0. It is installed and enabled by default, and earlier on we changed it to use HTTPS.
  6. Now to add the Service Group. Browse to Traffic Management -> Load Balancing -> Service Groups. Click Add.
  7. Enter an appropriate Name for your service group, and make sure the protocol is set to SSL. Click OK.
  8. On the right select Settings, then enable Client IP and enter the value X-Forwarded-For. Click OK.
  9. On the right select Members, then click the arrow to add the new members.
  10. Click Add. Then press the Server Based radio button, select both StoreFront 3.0 servers that you already created and click OK. Enter the port number as 443 then click Create.
  11. On the right click Monitors. Click the arrow so we can add our monitor.
  12. Under Select Monitor, click the arrow, then select the monitor we created earlier and click OK. Then click Bind.
  13. Click Done. That’s our service group completed. If everything is okay, the Effective State should show a green light, indicating it is UP.
  14. Go to Traffic Management -> Load Balancing -> Virtual Servers and click Add.
  15. Enter a Name, select the Protocol as SSL, and enter your pre-assigned IP Address for the StoreFront 3.0 load-balancing. Click OK.
  16. Click on Load Balancing Virtual Server ServiceGroup Binding, click the arrow then add the Service Group created previously. Click OK. Click OK again.
  17. We now need to assign the SSL certificates installed earlier on the NetScaler. The Certificates section should already be present to select from. Select No Server Certificate.
  18. Select the StoreFront server certificate installed earlier then click Bind.
  19. Now select No CA Certificate.
  20. Select the CA certificate installed earlier and click Bind.
  21. After clicking OK you now get more options available to further configure the vServer. On the right select Persistence. Change the Persistence to SOURCEIP and the time-out to 20. Click Save.
  22. Click Done.

That should be everything! Browse to your StoreFront URL (in my case: https://storefront.lukecjdavis.local/Citrix/LDStore) and you should get the Citrix Receiver login window without any certificate errors. Log in and ensure you can access a published resource. Congratulations on configuring StoreFront 3.0!
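
A scripted version of this final check, as an added example that is not part of the original post: it connects to each StoreFront server and to the load-balanced VIP, asks for the base URL host name, and reports the certificate each endpoint presents together with any validation errors. The host names are the ones used in this walkthrough; run it from a domain-joined machine that trusts the issuing CA.

```powershell
# Added example. Host names are taken from this walkthrough; adjust them to your environment.
$BaseHost  = 'storefront.lukecjdavis.local'   # host name in the StoreFront base URL
$Endpoints = 'SF01', 'SF02', $BaseHost        # both StoreFront servers, then the NetScaler VIP

function Get-PresentedCertificate {
    param([string]$Endpoint, [string]$TargetHost, [int]$Port = 443)

    $state = @{ Errors = $null }
    # Let the handshake complete so the certificate can be inspected, but record
    # what validation reported (name mismatch, untrusted chain) for the report.
    $check = {
        param($source, $certificate, $chain, $policyErrors)
        $state.Errors = $policyErrors
        $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$check

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($Endpoint, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($TargetHost)   # SNI and name matching use the base URL host
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Endpoint     = $Endpoint
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            KeyBits      = $cert.PublicKey.Key.KeySize
            Protocol     = $ssl.SslProtocol
            PolicyErrors = $state.Errors
        }
    }
    catch {
        Write-Warning "${Endpoint}: $($_.Exception.Message)"
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

$results = @(foreach ($e in $Endpoints) { Get-PresentedCertificate -Endpoint $e -TargetHost $BaseHost })
$results | Format-Table Endpoint, Thumbprint, NotAfter, KeyBits, Protocol, PolicyErrors -AutoSize

# After the PFX export/import every endpoint should present the same certificate.
$distinct = @($results | Select-Object -ExpandProperty Thumbprint -Unique)
if ($distinct.Count -gt 1) { Write-Warning "Endpoints present different certificates: $($distinct -join ', ')" }
$results | Where-Object { $_.PolicyErrors -ne 'None' } |
    ForEach-Object { Write-Warning "$($_.Endpoint): validation reported $($_.PolicyErrors)" }
```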



About Author

A Citrix & Microsoft Solution Architect based in the UK. Citrix qualifications include CCE-V, CCP-N and CCP-M certifications. Also holds an MCSE in Windows Server 2016 and an MCSA in Office 365. Likes golf and cats.


  1. Hello,
    I have an issue with your explications, the storefront monitor not working, the lbgroup stay down, have you got an idea about this problem ?


      • Thanks for your answer, all is OK when I don’t check “Check Backend Services” in the creation of the monitor. I’m looking for an idea to find out why this problem happens when I check this button.

  2. Under step 6 you have a powershell snippet, adding semi-colons like so:

    $dsInstallProp = Get-ItemProperty -Path HKLM:\SOFTWARE\Citrix\DeliveryServicesManagement -Name InstallDir ; $dsInstallDir = $dsInstallProp.InstallDir; & $dsInstallDir\..\Scripts\ImportModules.ps1

    makes it a literal copy/paste one-liner. Yes, I may be nitpicking, but it threw me off for a moment, and I thought I’d share.

  3. Is it possible to integrate the StoreFront LB URL to configure the Access Gateway on the same NetScaler?

    I have configured the StoreFront LB for four servers and I need to integrate with NetScaler Access Gateway for external users.
