
Whitepaper

Setup Guide IGEL Linux, Citrix Receiver 13 and Citrix Storefront

Version 1.02

Sponsored by:

Blog: blog.cloud-client.info Website: www.cloud-client.info

This document can be distributed and used free of charge and has no commercial background.

It is not permitted to use parts of this document in other documentation, articles or in any other way without the permission of the author. For questions related to the document, contact blog@cloud-client.info

(2)

Task

If you set up a new Citrix XenApp / XenDesktop environment, you might want to go with Citrix Storefront as the web frontend. What is important to know, and in what ways can you provide the user with a connection to your XenDesktop / XenApp environment?

Requirements

1) A working XenApp / XenDesktop environment.

2) One or more IGEL Thin Clients running firmware 5.04.100 and higher or 4.14.100 and higher.

3) A working IGEL Universal Management Suite Server running version 4.07.110 or higher. I will use the Linux version of the UMS, so no Windows paths are shown in the screenshots, but this should be no issue at all.

4) A working Citrix Storefront environment.

5) Certificates configured and enabled to be used in the XenApp/XenDesktop and Storefront infrastructure.

6) The CA certificate in use as a .cer file (base64 / PEM certificate!).

7) A DNS host entry “igelrmserver” which points to the IGEL Universal Management Suite Server; this is required to make sure that the certificate transfer to the client will work. As an alternative you can also use DHCP Option 224 (String/Text); see also the IGEL Universal Management Suite manual.

Please Note

This Whitepaper is provided for free without any warranty or support from Citrix, IGEL Technology, BCD-Sintrag AG or cloud-client.info. All configuration tasks are done at your own risk; we are not responsible for any damage related to the use of this whitepaper.

Do not perform these configurations in a running production environment! Users might be disconnected from their sessions, or the infrastructure might be unavailable during the configuration steps.

This Whitepaper covers only the basic and most important configuration settings which are required to get it running. Special configurations, tweaks and similar are not part of this Whitepaper.

(3)

Citrix Receiver 13, what you should know

To get the best results with Citrix Receiver 13 and Citrix Storefront you must be aware of a couple of things.

1) IGEL firmware now offers support for two Citrix Receiver versions: version 12 and version 13 are available. You can configure this setting in the GUI or in System->Registry->ica.useversion13.

2) Citrix Receiver 13 will not work in a Citrix environment that does not use SSL certificates; you have to use them. There is no option to disable the use of SSL certificates. HTTP connections, as used with older Citrix Receivers and the Citrix Webinterface, are not possible! No way around it, no hidden switch and no tweak.

3) You should use at least IGEL Firmware 5.04.100 and higher or 4.14.100 and higher; older versions from IGEL come with a Citrix Receiver 13 without SHA2 certificate support. That’s why I strongly recommend having at least the 5.04.100/4.14.100 version. SHA1 certificates, which are very common in company environments, will be end of life if they expire after 01.01.2016; see also http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx.

4) Some old registry/wfclient receiver settings/tweaks/features will no longer work with Citrix Receiver 13. The currently known expired settings/features are:

- Serial Port (RS232) mappings will not work.

- WebCam redirection (HDX Realtime) will not work with enabled H264 deep compression codec.

- Only Username/Password authentication can be used with Citrix Receiver 13.

- Kerberos is not supported.

- The Deferred update mode setting will not work with Citrix Receiver 13.

- The window options for the XenApp/Storefront setup will not work.

(4)

5) Some new settings are available to configure/tweak Citrix Receiver 13. These settings will not work with Citrix Receiver 12; all settings can be found in System->Registry:

- H264 deep compression codec, requires Multimedia Codec(!)
  - ica.wfclient.h264enabled (disabled by default)
  - ica.wfclient.texttrackingenabled
  - ica.wfclient.smallframesenabled

- JPEG codec registry keys
  - ica.wfclient.directdecode
  - ica.wfclient.batchdecode (enabled by default)

6) Always refer to the latest IGEL Firmware release notes; there might be changes after a new Firmware / Citrix Storefront / Citrix Receiver release is available.

Why do you need to deploy certificates?

Since XenDesktop 7 and Storefront, Citrix requires the use of certificates. For IGEL Linux you have to deploy two certificates, because nearly all non-Windows operating systems have more than one certificate store.

First of all there is the Webbrowser certificate. It is used to get information from and access to the Storefront Store, and it is used for all Firefox based tasks.

The second certificate is the SSL certificate. It is used by the Citrix Receiver to secure the connection to the Desktop or Application you want to connect to.

1 Browser Certificate + 1 SSL Certificate = 2 certificates to deploy, or the same certificate needs to be deployed 2 times. Remember: Use the base64/pem format!

It could be that you want to use different CA certificates, as in scenarios with an internal CA for internal access and an external CA for access via the Internet (Sample: Internal = mydomain.local and external = mydomain.com). Depending on how you want to use the Thin Clients, you may have to deploy 2 certificates 2 times each; I only want to mention this.

Certificates are always a big task and I focus only on the basics here, so let’s start to deploy some certificates to the IGEL.

(5)

Deploying the certificates (required for all connection variants)

As already mentioned, you “have” to use an SSL certificate together with Citrix Receiver 13 and Storefront; there is no way around it, but very often people already struggle with this important step. So how to do it right? First of all, make sure that you have set up the DHCP Option 224 or the host entry “igelrmserver” in your environment. This is required to announce the IGEL Universal Management Suite Server to the Thin Clients so that they know “where to get the files”. This is mistake No. 1, and very often the setup already fails here.

Now make sure to have the CA certificate in the “right” format: it must be a *.cer file in X.509 PEM format. If you have a pfx file it will not work; ask your CA administrators to provide you with the right file type and do not try to “just” rename the pfx file. It will not work because the format is still wrong.
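A pre-deployment check for the format rule above and for the SHA1/SHA2 note in the Receiver 13 list, added here as an illustration and not part of the original whitepaper or of any IGEL or Citrix tool: it classifies a file by its content (base64/PEM certificate, binary DER certificate, or PFX) and names the signature algorithm. The function names and the constructed sample skeletons are assumptions of this example; the check is structural only and does not validate the certificate.

```python
import base64
import re

# DER-encoded OIDs of common certificate signature algorithms.
SIG_ALGS = {
    "2a864886f70d010105": "sha1WithRSAEncryption",
    "2a864886f70d01010b": "sha256WithRSAEncryption",
    "2a864886f70d01010d": "sha512WithRSAEncryption",
}
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) of the DER element that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def inspect_ca_file(data):
    """Classify file content by its structure, never by the file extension."""
    match = PEM_RE.search(data)
    result = {"encoding": "pem" if match else "binary", "kind": "unknown",
              "sig_alg": None, "deployable": False}
    try:
        raw = base64.b64decode(b"".join(match.group(1).split())) if match else data
        tag, outer, _ = read_tlv(raw, 0)
        first_tag, first, pos = read_tlv(outer, 0)
        if tag == 0x30 and first_tag == 0x02 and first == b"\x03":
            result["kind"] = "pkcs12"  # a PFX starts with INTEGER version 3
        elif tag == 0x30 and first_tag == 0x30:
            _, alg, _ = read_tlv(outer, pos)  # signatureAlgorithm follows tbsCertificate
            _, oid, _ = read_tlv(alg, 0)
            result.update(kind="certificate", deployable=match is not None,
                          sig_alg=SIG_ALGS.get(oid.hex(), "oid:" + oid.hex()))
    except (ValueError, IndexError):
        pass  # not DER at all, e.g. a text file or a damaged download
    return result

def der(tag, content):
    """Encode one DER element; used here only to build the constructed samples."""
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def sample_cert(oid_hex):
    """Constructed certificate-shaped skeleton (not a real certificate)."""
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x05, b""))
    return der(0x30, der(0x30, bytes(200)) + alg + der(0x03, bytes(17)))

def to_pem(raw):
    body = base64.encodebytes(raw)
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"

SAMPLE_PFX = der(0x30, der(0x02, b"\x03") + der(0x30, b""))  # constructed PFX header
```

Only a result with "deployable" set to True meets the base64/PEM requirement; a PFX renamed to .cer is still reported as pkcs12 because the content is what gets inspected.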

If you are using the Citrix Access Gateway you can follow these steps to generate the right certificate file:

1. Open your Citrix Access Gateway website with a Mozilla Firefox Browser.

2. Click on the Lock left of https://… and choose “More Information”.

3. Click on “View Certificate”.

4. Change to the tab “Details”.

5. Highlight your CA certificate in the Certificate Hierarchy field and click the “Export” button.

6. Save the certificate as X.509 (PEM) format to your Desktop and give it the file extension .crt

7. Follow the next steps to deploy the certificate via IGEL Universal Management Suite.

After you have the right certificate file, open the IGEL Universal Management Suite Console; we will now perform the deployment of the certificate.

Open the UMS Console and expand the files menu on the left side, then right click on files and select “New File” to open the file assistant. In my case I will deploy the root certificate for the Route66 CA, but it can also be any other CA certificate depending on the CA used in your environment. Configure it as shown below; please note that I use the Linux version of the UMS, so no Windows paths are shown in my samples.

(6)

Click on “OK” and the file will be shown in the UMS GUI. Now repeat this step with the same certificate but configure it like shown below.

The final result should look like this in the UMS GUI->Files configuration:

Now you can assign the files like profiles via Drag & Drop to the Thin Client folder you want to use with this certificate and you are set for the certificate setup.

You need to deploy the certificate two times because the Webbrowser and the Citrix Receiver use different certificate stores. Administrators mostly deploy the certificate only once and receive certificate errors as a result.

(7)

Enable Citrix Receiver 13

Create a new Profile to enable the Citrix Receiver 13. I recommend doing this configuration in a separate profile.

Make sure the Profile is optimized for a Firmware 5.03.100 or higher and 4.14.100 or higher. If you take a “lower” Firmware, the setting to enable the Citrix Receiver 13 will not be available.

Select “Ok”, then browse to Sessions->Citrix->Citrix Receiver Selection, enable the configuration and set the option to enable Citrix Receiver 13 as shown below.

Click on save and assign the configuration to the Thin Clients where you want to use the Citrix Receiver 13. I recommend performing a client reboot now.

(8)

How to use Citrix Receiver 13?

You now have four ways to use the Citrix Receiver 13:

1) Using the Webbrowser to access the Storefront Website.

2) Using the XenApp/Storefront configuration in the IGEL Setup configured to use the XenApp/XenDesktop 7.x Store.

3) Using the XenApp/Storefront configuration in the IGEL Setup configured to use the XenApp/XenDesktop 7.x Legacy Mode (this will not work through Citrix Netscaler!).

4) Using a regular ICA Session (ICA File); this is only “partly” supported by Citrix anymore.

In this Whitepaper we will focus on 1), 2) and 3). Way 4) is tricky and requires some more configuration. If you want to use 4), please refer to http://blog.cloud-client.info/?p=1155 now.

Please Note: Make sure that you always use a Profile optimized for a Firmware coming with Citrix Receiver 13, otherwise the configurations shown in this Whitepaper will not be available and the setup will not work. In the samples I will not perform “any” special configuration; it’s only the basic setup to get it running. All 4 ways require a previously deployed CA certificate, refer to Page 5 and 6.

In the screenshots you will also see an assigned “Basic Thin Client setup” profile. This profile has nothing to do with the Citrix Receiver configuration and contains only some basic configurations like “Shadowing”, “Language Setup”, “Storage devices” and so on. I only mention this so that you do not get confused about where this profile is coming from.

(9)

Way 1: Using the Webbrowser

Using the Webbrowser is a very simple way to use Storefront: just create a new Profile and call it “Storefront Webbrowser access” or similar.

In the profile browse to Sessions->Browser->Browser Sessions and create a new session. In the newly created session select “Settings” and configure the following settings:

1) When Firefox starts = “Show my home page”

2) Startuppage = Your Store URL as shown in the sample configuration below. Make sure that you enter “https://*storefront server as FQDN*/Citrix/*yourstore*”, otherwise it will not work!

That’s it, close the profile and assign it to the Thin Clients.

You can now open the newly created Firefox session on the Thin Client Desktop. After you start the session, make sure that no certificate issue is shown in the Webbrowser window. The “Lock” should look like below (marked in red):

If the Lock doesn’t look as shown above, the deployed certificates are wrong and you can start to deploy the “right” certificates. A wrong Lock could also be related to a “wrong” FQDN/Webserver Hostname: verify for which domain the certificate was created and deploy the right “Certificate”; this happens sometimes.

(10)

Now the user can log in with his credentials and start the applications/desktops as required.

This way is quite simple and straightforward, but you should be aware that some local thin client configurations will be overwritten by the Storefront Server; it might be required that you perform configurations through the default.ica file hosted on the Storefront Server.

You can also configure the Webbrowser to work in Kiosk mode / full screen and so on. This variant will also work if you are using the Citrix Netscaler/Access Gateway in your environment.

(11)

Way 2) XenApp/Storefront together with the Store

This way demonstrates how you can use the IGEL together with the XenDesktop/XenApp 7.x Store. In advance you also need to deploy the certificates to the Thin Client and make sure that Citrix Receiver 13 is enabled.

Now create a new Profile and call it “Citrix thru Store” or similar. Make sure the Profile is optimized for a Firmware that contains the Citrix Receiver 13.

After the profile is opened browse to Sessions->Citrix->Citrix XenApp/Storefront and configure the Login Page, this means where the logon icon appears to be visible for the user (see red marks below as

(12)

Now browse to the Server settings page and set up your store URL. Here, too, make sure that the FQDN for the server location fits the certificate! If not, it will not work, quite simple; never use the IP here. To be able to configure the Store settings you also have to enable the Citrix Receiver Selection setting in this profile; it’s a limitation coming from IGEL in the Profile configuration. My store settings will look like this:

The final configuration for the server settings should look like my sample below:

(13)

Now you can configure the other Options or the appearance settings as required. For example, I have a lot of Applications, so I don’t want to see all these Application Icons on the Desktop and I disable the settings in the Appearance Tab.

I also recommend disabling the “Use server settings for all options” setting in the Options tab; I want to configure the ICA Client through the IGEL Management Tools and not through the Citrix Storefront Server.

The reason for this is quite simple: Storefront doesn’t offer all these settings, or I have to handle the default.ica file at the Storefront Server.

(14)

You will now get a Login Icon on the desktop; launch it and the Login Screen comes up.

Log in now with your user credentials. Depending on how many Applications/Desktops you have available, it might take a couple of seconds.

My result appears in the IGEL Start menu as configured; you can now select an Application or Desktop to start it. It’s quite simple, isn’t it?

If you get this view but you get a certificate issue, check which SSL certificate is deployed to the Thin Client. Mostly an issue here is related to the use of a wrong certificate.

When I now select my Win81HDX3D Session the Desktop comes up and I can start to work, see below. That’s it, we’re done with the Store access; this way will also work through a Citrix Netscaler/Access Gateway.

(15)

Way 3) XenApp/Storefront together with the Legacy Mode

First of all, the Legacy Mode will currently not work through the Citrix Netscaler; this seems to be a limitation coming with the Netscaler, or maybe I am too stupid to get it to work.

To use this mode you have to make sure that the Legacy Mode is enabled in the Storefront configuration. Open the Storefront Management Console and browse to Stores, select the Store where the Legacy Mode should be enabled and verify the configuration as shown below. This configuration page will also provide you with the URL which is needed for the Thin Client configuration (marked in red).

Write down the URL now and open the IGEL Universal Management Suite console, then create a new Profile with the name “Citrix thru Legacy Mode” or similar. Make sure that you optimize the Profile for a Firmware which contains the Citrix Receiver 13 and, maybe I did not mention it: You have to deploy the required certificates in advance and always work only with the FQDN names the certificates are assigned to!

(16)

In the new profile browse to Sessions->Citrix->Citrix XenApp/StoreFront and configure where the Login Icon should appear.

Now browse to the Server configuration page and select XenApp/XenDesktop 7.x Legacy Mode as Citrix Server Version.

Click on the Start to create a new Server location; the configuration should look similar to my configuration (remember the URL from the Storefront Legacy Support Page (Page 15)). Remember: The FQDN must be used and must fit the deployed certificates; I will repeat this every time.
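The FQDN rule repeated for all three connection ways can be checked before a profile is assigned. This added example (not part of the original whitepaper) tests a Store URL against the DNS names of the server certificate; it assumes the names are supplied in the dict shape returned by Python's ssl.SSLSocket.getpeercert(), and the host name storefront.mydomain.local and the sample certificate are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the dict shape of ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "storefront.mydomain.local"),),),
    "subjectAltName": (("DNS", "storefront.mydomain.local"),
                       ("DNS", "*.mydomain.com")),
}


def cert_dns_names(peercert):
    """DNS names the certificate was issued for (SAN first, then commonName)."""
    sans = [v.lower() for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    # Older clients fall back to the subject commonName when no SAN is present.
    return [v.lower() for rdn in peercert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_matches(host, pattern):
    """Exact match, or a '*.' wildcard that covers exactly one left-most label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def check_store_url(url, peercert):
    """Return a list of problems; an empty list means the URL fits the certificate."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    try:
        ipaddress.ip_address(host)
        problems.append("host is an IP address, not an FQDN")
        return problems
    except ValueError:
        pass  # not an IP literal, continue with the name checks
    if "." not in host:
        problems.append("host is a short name, not an FQDN")
    names = cert_dns_names(peercert)
    if not any(name_matches(host, n) for n in names):
        problems.append("host %r is not among the certificate names %s" % (host, names))
    return problems
```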

(17)

Click OK and add your Domain to the Server configuration; the final result should look like this:

In this configuration I will also configure the profile not to use the Storefront configuration for the Citrix Receiver (marked in red); it’s my personal best practice to use the IGEL Universal Management Suite to configure the Thin Client Receiver.

(18)

As the final step I configure the Appearance again; I don’t want to get all Icons on the Desktop because I have a bunch of Applications/Desktops available.

When you have finished your configuration you can “Save” the profile and assign it to the Thin Clients.

At the client you can now start the Login session and the Citrix Login Mask comes up; you can now log in with your credentials. The Login requires a couple of seconds, depending on how many Applications/Desktops are available to the user.

(19)
