StoreFront – in DMZ or not


The location in which you deploy the StoreFront depends on a number of factors, including:

  • Security – verify required security level and select the scenario which will be complaint with approved company standards.
  • Authentication – when users log on, either NetScaler Gateway or the StoreFront can authenticate user credentials. The location where you place the StoreFront in your network is a factor that determines, where users will be authenticated.
  • User software – users can connect to the StoreFront with either the NetScaler Gateway Plug-in or Citrix Receiver. You can limit the resources users can access by using Citrix Receiver only, or give users greater network access with the NetScaler Gateway Plug-in. How users connect, and the resources to which you allow users to connect can help determine where you deploy the StoreFront in your network.

The configuration of your network and your security policies determines where you deploy StoreFront to allow remote users to access published resources. Three possible StoreFront deployment scenarios are the following:

1. StoreFront in the Secure Network

In this scenario, the StoreFront resides in the secure, internal network. NetScaler Gateway is installed in the DMZ and authenticates user requests before sending the requests to the StoreFront. The StoreFront does not perform authentication, but interacts with the STA and generates an ICA file to ensure that ICA traffic is routed through NetScaler Gateway to the proper server. For small installations this is the default deployment scenario. The example of this design is shown in the Figure 1.


Figure 1

Important note: When the StoreFront is located in the secure network, authentication should be enabled on NetScaler Gateway, otherwise unauthenticated HTTP requests are sent directly to the server running the StoreFront. Disabling authentication on NetScaler Gateway is recommended only when the StoreFront is in the DMZ and users connect directly to the StoreFront.

2. StoreFront in the DMZ

In this scenario decision where user will be authenticated determines where StoreFront will be located according to location of Netscaler gateway. There are two configurations possible:

2a. StoreFront behind NetScaler Gateway in the DMZ

In this configuration, as shown in figure 2, both NetScaler Gateway and StoreFront are deployed in the DMZ and authentication is configured on NetScaler Gateway. When users log on with Citrix Receiver, the appliance sends the NetScaler Gateway logon page to the user. The user enters authentication credentials on the logon page and the appliance authenticates the user. NetScaler Gateway then returns the user credentials to the StoreFront. NetScaler Gateway acts as a reverse web proxy for the StoreFront to route all HTTPS and ICA traffic through a single external port and require the use of a single SSL certificate.


Figure 2

2b. StoreFront parallel to the NetScaler Gateway in the DMZ

In this configuration, as shown in figure 3, both NetScaler Gateway and the StoreFront are deployed in the DMZ and authentication is disabled on NetScaler Gateway. Users connect directly to the StoreFront by using a web browser or Citrix Receiver. The connection occur as follows:

  • User connections are first sent to the StoreFront for authentication. After authentication, the connections are routed through NetScaler Gateway.
  • After users log on successfully to the StoreFront, they can access published applications or desktops in the server farm.
  • When users start an application or desktop, the StoreFront sends an ICA file containing instructions for routing ICA traffic through NetScaler Gateway as if it were a server running the Secure Gateway.
  • The ICA file delivered by the StoreFront includes a session ticket produced by the Secure Ticket Authority (STA). When Citrix Receiver connects to NetScaler Gateway, the ticket is presented. NetScaler Gateway contacts the STA to validate the session ticket. If the ticket is still valid, the user’s ICA traffic is relayed to the server in the server farm.



Figure 3

3. StoreFront in the double-hop DMZ

Double-hop DMZ is used to provide an extra security level and is based on three firewalls to divide the DMZ into two stages.  You can deploy NetScaler Gateway appliances in a double-hop DMZ to control access to servers running Citrix XenApp. The connections in a double-hop deployment occur as follows:

  • Users connect to NetScaler Gateway in the first DMZ by using a web browser and by using Citrix Receiver to select a published application.
  • Citrix Receiver starts on the user device.
  • The user connects to NetScaler Gateway to access the published application running in the server farm in the secure network.
  • NetScaler Gateway in the first DMZ handles user connections and performs the security functions of an SSL VPN. This NetScaler Gateway encrypts user connections, determines how the users are authenticated, and controls access to the servers in the internal network.
  • NetScaler Gateway in the second DMZ serves as a NetScaler Gateway proxy device. This NetScaler Gateway enables the ICA traffic to traverse the second DMZ to complete user connections to the server farm.
  • Communications between NetScaler Gateway in the first DMZ and the Secure Ticket Authority (STA) in the secure network are also proxied through NetScaler Gateway in the second DMZ.
Known limitations:
If you deploy NetScaler Gateway in a double-hop DMZ with StoreFront, email-based auto-discovery for Receiver does not work.
Worx Home and the NetScaler Gateway Plug-in are not supported in a double-hop DMZ deployment. Only Citrix Receiver is used for user connections.
If you deploy NetScaler Gateway in a second DMZ in two-hop setup you can only use ICA Proxy functionality. End Point Analysis are not available.

The standard double-hop DMZ configuration with Citrix StoreFront installed parallel to the NetScaler Gateway proxy is shown in Figure 4 . Users connect by using Citrix Receiver.



Figure 4