Storefront 2.1 – Step by Step from install to secure (1/3)

This article is a part of a series of three where I describe the installation of 2 storefront servers, secured, load balanced and accessed from external network.

The Storefront servers installation is covered in this first article.

We will cover the certificate creation on NetScaler in the second article.

1/3 : Install and secure the 2 storefront servers

I assume that :

  • you have 2 windows 2012 servers (2008 R2 is ok too) which has joined your Active Directory domain and with IIS role installed.
  • you have a Microsoft PKI in your domain with web enrollment.

Despite Storefront 2.1 is available from XenDesktop 7.1 ISO, you can download it  here (MyCitrix account needed).


On the first Storefront server

First of all, request a certificate for your Storefront web site.

Despite Citrix says that you can secure Storefront after installing and configuring, I don’t recommend it as I still had issues in Storefront 2.0 console when doing so.

Let’s go. Follow the first steps of CTX128257 to create a new template based on Web Server. I name it Citrix Storefront Certificate in the steps below.

Note: if you want to use WebUI as described below, choose “Windows Server 2003 Entreprise” version when you duplicate your template, otherwise your template won’t be selectable on the WebUI.

Then, access to your enterprise enrollment URL and select request a certificate.


Then, choose advanced certificate request.


Choose Create and submit a request to this CA.


Alow the web site to interact with your server.


Fill in the form with the appropriated values. Remember that the name is the named enter by user in Web browser. I recommend to use an alias (e.g. desktop.domain.lan), necessary if you plan to implement multiple servers for load balancing.

Don’t forget to select the right template. It is important because we eventually need to export the certificate for an other Storefront and LB server (further article(s) will discuss these points).


Now you can install the certificate


Allow the website to install the certificate.


Once you see the successful installation message, find the installed certificate in the certificate console (under user certificates/personnal).
Export the certificate with the private key.

Take care of the password complexity. I had trouble with OpenSSL (used by NetScaler) with ‘@’ special character.

Select a filename for your exported certificate. Keep this file for next steps and for use in the second StoreFront server.

On IIS Manager, at server node, select server certificates.


Right-click on the background and select import.

Select the file, enter password and choose Web Hosting as Certificate Store.


Then, at the “Default Web Site node”, select bindings on the Actions pane. Then select the imported certificate. Do the same operation on the second Storefront (import the pfx file and bind certificate).


REBOOT. Otherwise, Storefront doesn’t detect SSL bindings when creating store.

Install storefront. I won’t detail it as it is just a couple of “next, next”.

Storefront console is launched automatically when you click on finish button. Select “Create a new deployment”.

Enter the base URL. This is the URL users will enter in their bowser (eventually bound to your LB VIP).

Enter the Store Name. Pay attention that this name will be visible by users. It is the name of the configuration they will see on their Citrix Receiver software.

Add the delivery controllers. You can skip remote access for now. We will deal with it in another post.

That’s it. The first server is OK. If you have DNS entry pointing at your Storfront server IP configured it should work…

For the second Storefront Server

You have already imported the certificate and bound it to the default web site (see steps above). Launch Storefront setup (CitrixStorefront-x64.exe) and follow the next-next-next wizard.

Go back on the first Storefront server. Launch Storefront console and select “Add Server”. A window pops out with an authorizing code. Write down this code but don’t close the window.

On the second server, the console launches automatically after the installation process. Just select “join existing server group”. You will be prompted to enter the authorizing server and the authorizing code.

That’s it. For testing, you can add a new entry in DNS and round ronbin your 2 servers. See you soon for the NetScaler LB vserver.



Citrix, mobility & virtualization @Work / father, husband & geek @home

Tagged with: , , , ,
Posted in Citrix
4 comments on “Storefront 2.1 – Step by Step from install to secure (1/3)
  1. […] The Storefront servers installation is covered in the first article. […]

  2. Craig says:

    This is a great article and i have found very useful. We are looking to install storefront in the coming weeks initially as POC. I just wanted to clarify sonething. The section above with regards to requesting the certificate from the XenApp server, we will noy be doing this for XenApp at present but only XenDesktop. Do i need to request the cert from the DDC’s?

    • jeromequief says:

      Hi Craig,
      It’s more simple to request certificate from the Storefront server because it will be installed on it. But, as you’ve created a certificate template with exportable private key, it is also possible to generate it from every windows server (including DDC). Then export the certificate as a pfx (with privare key) and import it to your Storefront server(s). Thanks for reading.

  3. […] Today, I will explain how to setup a StoreFront server from scratch with Powershell. I will follow my previous post and just unattend it. For This first try, I didn’t join an Access Gateway (Netscaler Gateway) […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: