Citrix StoreFront HTTPS Redirection in a Load Balanced Environment

When a user logs into a StoreFront site over HTTP, the user's credentials are passed across the network in plain text. This is a security risk, since a malicious actor can obtain those credentials. StoreFront traffic can be secured with HTTPS using an SSL certificate, and the base URL can automatically redirect the user to an HTTPS login page. This blog outlines how to help keep your credentials safe.

Redirecting to HTTPS with a single server

In this scenario, the StoreFront site is secured with an SSL certificate. To do this, you need to:

  • Install and bind an SSL certificate to IIS.
  • Change the StoreFront Base URL in the Server Group node of the StoreFront management console. For example: https://server.domain.com/

Now, when users just browse to server.domain.com (HTTP by default), they will automatically be redirected to the secure site using HTTPS.

Redirecting to HTTPS when using multiple servers for load balancing

Using multiple servers to load balance a StoreFront site improves fault tolerance of the site, distributes load, and allows patching StoreFront servers without an outage. There are several options for load balancing. Using a load balancer like Citrix NetScaler is preferred, but you can use other third-party load balancers as well. Microsoft Network Load Balancing and DNS round robin can also be alternatives, depending on your environment.

In any case, you will need an SSL certificate with the common name of the site. If those same StoreFront servers are also Citrix delivery controllers, you may need to use a wildcard certificate, or one that has the common name of the site and Subject Alternative Names of the servers. To secure the load balanced site, you need to:

  • Install and bind an SSL certificate to IIS on each server.
  • Change the StoreFront Base URL in the Server Group node of the StoreFront management console. Example: https://server.domain.com/
  • Propagate the changes to the other StoreFront servers from the Server Group node in the StoreFront Management console.

Caution: When propagating changes, the servers receiving the updated configuration may not have the proper HTTPS redirect in C:\inetpub\wwwroot\web.config. See the following blog post for more details: https://www.peters.com/keep-citrix-storefront-server-groups-sync/
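
One way to check for the drift described in the caution above, as an added example that is not part of the original post: request each StoreFront server directly over plain HTTP, without following redirects, and confirm it answers with a redirect to an https:// URL. The server names are placeholders, and the script assumes the redirect is issued as an HTTP 3xx response with a Location header.

```powershell
# Added example (not from the original post). Run from an admin workstation.
# Placeholder names: list each server in the group by its own host name,
# not the load-balanced site name, so every node is tested individually.
$servers = 'sf01.domain.com', 'sf02.domain.com'

function Test-HttpsRedirect {
    param([Parameter(Mandatory)][string]$Server)

    $status = $null; $location = $null; $detail = $null
    try {
        $request = [System.Net.WebRequest]::Create("http://$Server/")
        $request.AllowAutoRedirect = $false   # inspect the redirect, do not follow it
        $request.Timeout = 10000              # milliseconds
        $response = $request.GetResponse()
        $status   = [int]$response.StatusCode
        $location = $response.Headers['Location']
        $response.Close()
    }
    catch {
        # Connection failures and 4xx/5xx answers land here
        $detail = $_.Exception.GetBaseException().Message
    }

    # Assumption: the redirect is an HTTP 3xx with a Location header.
    # A relative Location would keep the browser on HTTP, so it fails too.
    $pass = ($status -ge 300) -and ($status -lt 400) -and ($location -like 'https://*')

    [pscustomobject]@{
        Server   = $Server
        Status   = $status
        Location = $location
        Pass     = $pass
        Detail   = $detail
    }
}

$results = foreach ($s in $servers) { Test-HttpsRedirect -Server $s }
$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning ("No HTTPS redirect on: " + ($failed.Server -join ', '))
}
```

Compare the Location column against the base URL set in the Server Group node; any server that fails should have its C:\inetpub\wwwroot\web.config reviewed after propagation.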

Keep your user credentials safe by securing your StoreFront traffic. Need more information? Email info@peters.com. We are happy to help!

April 20th, 2018 | Infrastructure Services

About the Author:

As a Solutions Architect at Peters & Associates, Terry Felesena is responsible for high level architecture, design, and review of complex virtualization solutions, as well as mentoring and troubleshooting guidance. Terry has been with Peters & Associates for over two decades.

Application Virtualization: Terry has a vast knowledge base regarding XenApp, XenDesktop, and Terminal Services. He has had numerous projects involving the design, implementation, and support of using industry best practice methodology. Terry has recently completed projects with large numbers of servers and thousands of concurrent users. Designs and implementations include high availability and redundant access points via Internet, WAN and local connectivity.

Server Virtualization: Through assessments, Terry has been integral in providing optimal designs and sizing to support virtualizing mission critical applications. Implementations are based on zero impact to production and maintaining server uptime.