This article is a part of a series of three where I describe the installation of 2 storefront servers, secured, load balanced and accessed from external network.
The Storefront servers installation is covered in this first article.
We will cover the certificate creation on NetScaler in the second article.
1/3 : Install and secure the 2 storefront servers
I assume that :
- you have 2 windows 2012 servers (2008 R2 is ok too) which has joined your Active Directory domain and with IIS role installed.
- you have a Microsoft PKI in your domain with web enrollment.
Despite Storefront 2.1 is available from XenDesktop 7.1 ISO, you can download it here (MyCitrix account needed).
On the first Storefront server
First of all, request a certificate for your Storefront web site.
Despite Citrix says that you can secure Storefront after installing and configuring, I don’t recommend it as I still had issues in Storefront 2.0 console when doing so.
Let’s go. Follow the first steps of CTX128257 to create a new template based on Web Server. I name it Citrix Storefront Certificate in the steps below.
Note: if you want to use WebUI as described below, choose “Windows Server 2003 Entreprise” version when you duplicate your template, otherwise your template won’t be selectable on the WebUI.
Then, access to your enterprise enrollment URL and select request a certificate.
Then, choose advanced certificate request.
Choose Create and submit a request to this CA.
Alow the web site to interact with your server.
Fill in the form with the appropriated values. Remember that the name is the named enter by user in Web browser. I recommend to use an alias (e.g. desktop.domain.lan), necessary if you plan to implement multiple servers for load balancing.
Don’t forget to select the right template. It is important because we eventually need to export the certificate for an other Storefront and LB server (further article(s) will discuss these points).
Now you can install the certificate
Allow the website to install the certificate.
Take care of the password complexity. I had trouble with OpenSSL (used by NetScaler) with ‘@’ special character.
On IIS Manager, at server node, select server certificates.
Right-click on the background and select import.
Select the file, enter password and choose Web Hosting as Certificate Store.
Then, at the “Default Web Site node”, select bindings on the Actions pane. Then select the imported certificate. Do the same operation on the second Storefront (import the pfx file and bind certificate).
REBOOT. Otherwise, Storefront doesn’t detect SSL bindings when creating store.
Install storefront. I won’t detail it as it is just a couple of “next, next”.
Storefront console is launched automatically when you click on finish button. Select “Create a new deployment”.
Enter the base URL. This is the URL users will enter in their bowser (eventually bound to your LB VIP).
Enter the Store Name. Pay attention that this name will be visible by users. It is the name of the configuration they will see on their Citrix Receiver software.
Add the delivery controllers. You can skip remote access for now. We will deal with it in another post.
That’s it. The first server is OK. If you have DNS entry pointing at your Storfront server IP configured it should work…
For the second Storefront Server
You have already imported the certificate and bound it to the default web site (see steps above). Launch Storefront setup (CitrixStorefront-x64.exe) and follow the next-next-next wizard.
Go back on the first Storefront server. Launch Storefront console and select “Add Server”. A window pops out with an authorizing code. Write down this code but don’t close the window.
On the second server, the console launches automatically after the installation process. Just select “join existing server group”. You will be prompted to enter the authorizing server and the authorizing code.
That’s it. For testing, you can add a new entry in DNS and round ronbin your 2 servers. See you soon for the NetScaler LB vserver.