When a user logs in to a StoreFront site over HTTP, the user credentials are passed across the network in plain text. This is a security risk because a malicious actor who can observe the traffic can obtain the user's credentials. StoreFront traffic can be secured with HTTPS using an SSL certificate. The base URL can also automatically redirect the user to an HTTPS login page. This blog outlines how to help keep your credentials safe.
Redirecting to HTTPS with a single server
In this scenario, securing the StoreFront site is accomplished by using an SSL Certificate. In order to do this, you need to:
- Install and bind an SSL certificate to IIS.
- Change the StoreFront Base URL in the Server Group node of the StoreFront management console. For example: https://server.domain.com/
Now, when users browse to server.domain.com (HTTP by default), they are automatically redirected to the secure site over HTTPS.
Redirecting to HTTPS when using multiple servers for load balancing
Load balancing a StoreFront site across multiple servers improves the fault tolerance of the site, distributes load, and allows patching StoreFront servers without an outage. There are several options for load balancing. Using a load balancer like Citrix NetScaler is preferred, but you can use other third-party load balancers as well. Microsoft Network Load Balancing and DNS round robin can also be alternatives, depending on your environment. In any case, you will need an SSL certificate with the common name of the site. If those same StoreFront servers are also Citrix delivery controllers, you may need to use a wildcard certificate, or one that has the common name of the site and Subject Alternative Names of the servers. To secure the load-balanced site, you need to:
- Install and bind an SSL certificate to IIS on each server.
- Change the StoreFront Base URL in the Server Group node of the StoreFront management console. For example: https://server.domain.com/
- Propagate the changes to the other StoreFront servers from the Server Group node in the StoreFront management console.
Caution: When propagating changes, the servers receiving the updated configuration may not have the proper HTTPS redirect in C:\inetpub\wwwroot\web.config. See the following blog post for more details: https://www.peters.com/keep-citrix-storefront-server-groups-sync/
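To catch the situation described in the caution, request each server in the group directly over plain HTTP and inspect the first response without following it. The Python check below is an added example, not code from this post or from Citrix; the server names sf01 to sf03 are hypothetical, the sample responses are constructed, and comparing the redirect host with the Base URL host is an assumption about how the site should behave.

```python
import http.client
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def judge(status, location, base_url):
    """Classify one server's answer to a plain-HTTP 'GET /'."""
    if status not in REDIRECTS or not location:
        return "no-redirect"        # server answers over HTTP without redirecting
    target = urlsplit(location)
    if target.scheme.lower() != "https":
        return "stays-http"         # relative or http:// Location keeps the user on HTTP
    base_host = (urlsplit(base_url).hostname or "").lower()
    if (target.hostname or "").lower() != base_host:
        return "https-other-host"   # HTTPS, but not the Base URL host (assumed check)
    return "ok"

def probe(server, timeout=5):
    """Send GET / to port 80; http.client never follows redirects."""
    conn = http.client.HTTPConnection(server, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def check_group(servers, base_url, probe=probe):
    """Return {server: verdict} for every member of the server group."""
    results = {}
    for server in servers:
        try:
            status, location = probe(server)
        except (OSError, http.client.HTTPException):
            results[server] = "unreachable"
            continue
        results[server] = judge(status, location, base_url)
    return results

# Constructed sample responses (hypothetical servers, not captured traffic).
SAMPLE = {
    "sf01.domain.com": (302, "https://server.domain.com/"),
    "sf02.domain.com": (200, None),                        # redirect missing on this server
    "sf03.domain.com": (301, "http://server.domain.com/"), # redirects, but still HTTP
}

if __name__ == "__main__":
    # Offline demo using SAMPLE; omit probe= to query real servers.
    report = check_group(SAMPLE, "https://server.domain.com/", probe=SAMPLE.__getitem__)
    for server, verdict in report.items():
        print(f"{server:20} {verdict}")
```

Run it after every propagation; any verdict other than ok on a server means its copy of the redirect configuration needs to be reviewed.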
Keep your user credentials safe by securing your StoreFront traffic. Need more information? Email firstname.lastname@example.org. We are happy to help!