Saturday, September 15, 2018

A Different Approach to a Single FQDN for StoreFront and NetScaler Gateway

The purpose of this post is to show how users can be educated to use a single URL, while still having a StoreFront base URL that is different from the NetScaler Gateway URL. Please keep in mind this solution works best for Receiver for Web. This solution does work with the Native Receiver, but the provisioning file would be the easiest way to configure the Native Receiver in my opinion.

For this scenario, I will use for external access to the Citrix environment. will be used for internal access to the Citrix environment. Below is an overview of the requirements for the scenario to get us started.

1. SAN certificate for and
2. will resolve to the publicly accessible NetScaler Gateway VIPs.
3. will resolve to the internal StoreFront Load Balanced VIPs.
4. CNAME on the internal DNS. –>
5. Responder Policy to redirect from to

Now for the magic of creating the single FQDN that users need to know. In this example, the “single URL” for users is On the internal DNS infrastructure, create a CNAME for to point to Then, on the NetScaler appliance, create a Responder Policy that redirects traffic with the HTTP Host header of “” to “”. Bind this policy to the StoreFront LB VIP on NetScaler.

So what is the expected user behavior? A user on the internal network types into their browser. resolves as a CNAME for The user will resolve After obtaining the IP address for, the user connects to the SF LB VIP using the IP address and the HTTP host header The Responder policy redirects the user to The user’s browser follows the redirect and is able to access the StoreFront LB VIP. By using a SAN certificate with the names we need, the user will not receive a certificate warning.

[Diagram: single FQDN workflow with NetScaler]

The workflow above is all seamless to the user. From their perspective, they type, and that takes them to the resources they need to focus on their job. Please keep in mind that this workflow is unique to Receiver for Web. Users that manually configure Receiver on the internal network will need to type out “” to connect to the StoreFront VIP and avoid a redirect. Again, I recommend using the provisioning file from StoreFront to configure the Native Receiver.

Let me know if you have questions in the comments below!

BC
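A post-change check for the internal flow described above, as an added example that is not part of the original post. The hostnames `apps.corp.example` and `storefront.corp.example` are constructed placeholders, and the inputs (certificate SAN list, response status, `Location` header) are assumed to have been collected from the StoreFront LB VIP beforehand.

```python
from urllib.parse import urlsplit

def san_covers(hostname, sans):
    """True if any dNSName in `sans` matches `hostname` (left-most-label wildcard only)."""
    host = hostname.lower().rstrip(".")
    for san in (s.lower().rstrip(".") for s in sans):
        if san == host:
            return True
        # "*.corp.example" matches exactly one extra label, never the bare domain.
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False

def check_flow(single_fqdn, base_fqdn, cert_sans, status, location):
    """Return a list of problems in the internal flow; an empty list means it is clean."""
    problems = []
    # TLS is negotiated for the name the user typed, before any redirect is seen,
    # so the certificate on the LB VIP must cover the single FQDN as well.
    if not san_covers(single_fqdn, cert_sans):
        problems.append("certificate warning on " + single_fqdn)
    if not san_covers(base_fqdn, cert_sans):
        problems.append("certificate warning on " + base_fqdn)
    if status not in (301, 302, 307, 308):
        problems.append("no redirect returned (status %d)" % status)
        return problems
    target = urlsplit(location or "")
    if target.scheme != "https":
        problems.append("redirect is not https")
    if (target.hostname or "") != base_fqdn.lower():
        problems.append("redirect goes to %r, not the StoreFront base URL" % target.hostname)
    return problems

# Constructed sample values (hypothetical names, not from the original post).
SINGLE = "apps.corp.example"
BASE = "storefront.corp.example"
GOOD_SANS = ["apps.corp.example", "storefront.corp.example"]

if __name__ == "__main__":
    print(check_flow(SINGLE, BASE, GOOD_SANS, 302, "https://storefront.corp.example/"))
    print(check_flow(SINGLE, BASE, ["storefront.corp.example"], 302, "http://apps.corp.example/"))
```

The second call shows the failure case: a certificate that lists only the StoreFront base URL produces a warning on the first connection, before the Responder redirect is ever delivered.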
