Installing and Configuring Citrix StoreFront 2.0

With the release of Citrix XenDesktop 7, Citrix also released Citrix StoreFront 2.0. One of the biggest improvements is that StoreFront does not use a Microsoft SQL database anymore! This simplifies the installation because you no longer need to run the database setup scripts. The HTML5 HDX Receiver is also fully integrated into StoreFront now and is no longer a separate installation.

This guide describes the step-by-step installation of Citrix StoreFront 2.0 and how to configure the StoreFront server, including a secure connection over HTTPS, IIS default site redirection, the HTML5 HDX fallback receiver and Remote Access with NetScaler Access Gateway.

For the secure connection over HTTPS you need to install a server certificate (described in this guide). Make sure you have Active Directory Certificate Services with the Certification Authority and the Certification Authority Web Enrollment roles installed in your environment. Also make sure the root CA certificate is installed on every client and StoreFront server.

Installing Citrix StoreFront 2.0


Start the setup, select I accept the terms of this license agreement and click Next


Click Next


Click Install


Click Finish 

The administration console will now start automatically. To enable a secure connection over HTTPS, it is important to first install the server certificate before configuring StoreFront. 

Installing a Server Certificate

When using more than one StoreFront server in your environment, make sure you have created a DNS Host (A) record pointing to the StoreFront load balancer address. It’s important to use that name for the server certificate.


Open the Internet Information Services (IIS) Manager and open Server Certificates


On the right side of the window click Create Certificate Request


Fill in the requested information. For Common name, enter the StoreFront load balancer address; in this case I use “storefront.hobo.lan”.


Select Microsoft RSA SChannel Cryptographic Provider and a 2048 bit length.


Save the request to a text file and click Finish


Open Internet Explorer and browse to http://<your Certification Authority server>/certsrv

Click on Request a certificate


Click on advanced certificate request


Click on Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file


Open the saved request file, select all text and copy the text into the Saved Request field. Select Web Server as Certificate Template and click Submit


Select Base 64 encoded and click Download certificate to download the certificate file.


Go back to the Internet Information Services (IIS) Manager and click Complete Certificate Request


Browse to the certificate file, enter a Friendly name, and select Personal as certificate store. Click OK


On the left side of the window, select Default Web Site, on the right side, click Bindings


Click Add


Select HTTPS as Type and select the StoreFront SSL certificate. Click OK


Click Close
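
The certificate steps above can also be scripted. The following PowerShell is an added example, not part of the original guide: it uses certreq.exe in place of the IIS wizard and the web enrollment page, then checks the issued certificate before binding it. The CA configuration string is a placeholder, and the subject alternative name entry is an addition that the wizard steps do not cover.

```powershell
# Added example, not from the original guide. Run elevated on the StoreFront server.
$fqdn     = 'storefront.hobo.lan'        # Common name: the load balancer address
$caConfig = '<CA-server>\<CA-name>'      # placeholder: your Certification Authority
$work     = Join-Path $env:TEMP 'sf-cert'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Same choices as the wizard: SChannel provider, 2048-bit key, Web Server template.
# Exportable stays FALSE unless the key pair must be copied to a second StoreFront server.
# The [Extensions] section adds a DNS subject alternative name (an addition to the guide).
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject       = "CN=$fqdn"
KeyLength     = 2048
KeySpec       = 1
MachineKeySet = TRUE
Exportable    = FALSE
ProviderName  = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType  = 12
RequestType   = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"

[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$work\request.inf" -Encoding ASCII

certreq.exe -new "$work\request.inf" "$work\request.req"                           # create key + PKCS #10
certreq.exe -submit -config $caConfig "$work\request.req" "$work\storefront.cer"   # send to the CA
certreq.exe -accept "$work\storefront.cer"                                         # pair cert with key

# Check the issued certificate before binding it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert)               { throw "No certificate for $fqdn in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key on this server' }
if ($cert.PublicKey.Key.KeySize -lt 2048) { throw 'RSA key is shorter than 2048 bits' }
if (-not $cert.Verify())      { throw 'Chain validation failed (root CA not trusted?)' }

# Add the HTTPS binding to Default Web Site and attach the certificate.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
    $cert | New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' | Out-Null
}
```

The checks fail early when the root CA is missing from the server's trusted roots or when the certificate was completed on a machine that does not hold the private key.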

Configuring Citrix StoreFront 2.0

In the next part I will set up the Store and configure the basic settings, including adding the NetScaler, editing the authentication methods, configuring trusted domains and managing password options.


Open the StoreFront management console and click on Create a new deployment


The Base URL is filled in automatically, click Next


Enter a Store name (anything you like) and click Next


Click Add


Fill in the requested information about the Delivery Controller you want to add and click OK


If you want to add more Delivery Controllers click Add again, otherwise click Next


Now you can add the NetScaler Gateway. This step is optional; if you do not have a NetScaler configured in your environment, you can select None. For this blog I will add my NetScaler, so I select Full VPN tunnel and click on Add


Fill in the requested information for the NetScaler. The NetScaler Gateway URL is “HTTPS://<domainname>/Citrix/<storename>Web”. The Subnet IP address is optional and can be left blank. Click Next


Click Add


Enter the STA of your Delivery Controller and click OK


Click Create


Click Create


Click Finish


On the left side click Authentication, on the right side click Add/Remove Methods


Select what is applicable and click OK


Click on Configure Trusted Domains


When configuring a Trusted Domain, the user does not need to enter the domain name at logon. Configure what is applicable and click OK.


Click on Manage Password Options


Select what is applicable and click OK

IIS Default site redirection

In the Citrix StoreFront management console there is no option to set the StoreFront Receiver for Web URL as the server's default website, as was possible with the old Citrix Web Interface (WI). Without configuring default site redirection, a user always needs to enter the full StoreFront Receiver for Web URL, including the “/Citrix/<storename>Web” part. A good way to configure this is within the Internet Information Services (IIS) Manager.


Open the Internet Information Services (IIS) Manager. On the left side browse to the Default Web Site. On the right side double click HTTP Redirect


Select Redirect requests to this destination and add your StoreFront Receiver for Web Site URL. Select Redirect all requests to exact destination and Only redirect requests to content in this directory. Click Apply in the top right corner.

Now when a user enters the default web site URL he will be redirected to the StoreFront Receiver for Web URL.

Enable the HTML5 HDX fallback receiver

This cool feature is now fully integrated within StoreFront 2.0; you only have to enable it within the StoreFront management console.


On the left side click on Receiver for Web, on the right side click on Deploy Citrix Receiver


Select Use Receiver for HTML5 if local install fails. This will first check if a local Receiver is available and, if not, the web interface will give the option to download and install it. If the installation fails or the user logs in without installing it, the web interface falls back to the Receiver for HTML5.

Or, select Always use Receiver for HTML5. Now the web interface will always use Receiver for HTML5; it will not check for a locally installed version and it will not give the option to download it at logon.

Click OK

If you connect to the StoreFront web interface through the NetScaler, these steps are enough to let the HTML5 receiver work. But if you connect locally to the StoreFront web interface, you have to apply the following Citrix Computer Policies to your XenApp and/or XenDesktop servers first:


WebSockets Connections – Allowed
WebSockets port number – 8008 (default)
WebSockets trusted origin server list – *

When using Mozilla Firefox, users must set network.websocket.allowInsecureFromHTTPS to true in about:config.


You can now log on to the Citrix StoreFront web interface and start your published applications and desktops.


If the HTML5 Receiver is configured correctly, a Windows 8 published desktop will open in a new browser tab as shown in the picture above, how cool is that? 😉


  • Hi, can we create StoreFront to access via internet? If yes, please provide the steps.


  • Is it mandatory to use an ssl certificate for storefront, if so that means you need 1 certificate for Netscaler Access gateway and another for storefront?

    • It is highly recommended to use an SSL certificate for StoreFront but it is optional. For the NetScaler Access Gateway you need an SSL certificate to let it work correctly. So yes, if you want to use an SSL certificate for StoreFront you need 2 certificates.

  • Thanks for the great post. Actually, I’m planning to deploy StoreFront 2.0 and App Controller 2.8, and as far as I know the integration between StoreFront and App Controller is just to integrate XenApp and XenDesktop with App Controller. The first thing I want to know is what the benefits of this integration are. The second thing is regarding the certificate; I just want to confirm the below:
    In my topology I need one public IP address on NetScaler and a signed certificate from my CA for StoreFront and App Controller, right?

    Thanks very Much

  • thanks,
    1, if you use 2 certificates for both access gateway and storefront, which common name will users type in browser to connect to published apps?

    2, if storefront ssl certificate is optional, how do you skip that step when configuring it?

  • Hello Knight,

    1) You use one certificate for the NetScaler with the common name you configure (external url like or, any name you like. See for the steps this blog:

    2) You can skip this step by not configuring an SSL certificate on the server where you are going to install StoreFront. See this blog where I don’t use SSL for StoreFront, as you can see during setup it will automatically use http not https:

  • Hi Robin,

    Many thanks for your help, I now have my NetScaler and StoreFront set up and working. I owe you a good ole English pint.

    Any idea how I can change the receiver logo to my company’s one on the storefront front end?

  • Hi Robin,

    Nice article again, thx! I was testing this for HTML5 access but some steps are missing. You also need to install the HTML5 client pack at the StoreFront server and configure it as described at maybe adding that to this article to make it completely perfect 🙂
    Keep up the good work


  • Whoops, my mistake... you do not need to install the HTML5 HDX Engine with StoreFront 2.0 anymore, so forget my comments

  • Thanks for this!

    I do not have the “Deploy Citrix Receiver” option on the right. What am I missing?

  • Hi Robin,

    Great article…just what I need for installing StoreFront.

    Quick question though: does StoreFront 2.0 have legacy support for the services (if I say, like the old web interface web services feature)?

    If I remember, in your 1.2 article you mentioned that version did, wondered if this version did too.

    Big thanks


  • Hi Robin, great post!! But I’m a little confused.

    I have a DC with AD CS and 2 StoreFront servers. I have a host A created

    Where do I create the certificate? On the DC or on each StoreFront server?

    • Hello Jack, does the A record point to an LB address? You can create the request file anywhere you like as long as you install the certificate on both StoreFront servers.

  • I have another issue. In your example you use NetScaler Gateway, I do not; I only set the controllers (XenDesktop) to work on HTTPS:443. But I get “there are no apps or desktops assigned to you at this time”. If I change to HTTP:80 it works fine. What is the problem?

    I have configured the IIS with certificate HTTPS and HTTP.

  • Great article. Thank you very much. Pretty much identical for the StoreFront 2.1 setup I am currently involved with

  • I am new to XD coming from XenApp 5.0 and have a couple of questions:-

    From what I have read, I can load balance 2 or more StoreFront servers without the need for a NetScaler. Is that correct?

    If I apply for some SSL certs on the StoreFront servers, always use the load balanced FQDN as specified in DNS?

    For the StoreFront servers I have in mind, I will be installing the Delivery Controller component at the same time. To keep things simple, can I then point these 2 SF servers to the SQL box (Express preferred to keep the licence cost down)?

    By the way, great tech article!

    • Hello Chris,

      You can load balance 2 StoreFront servers without NetScaler; you can configure it for example with NLB. Make sure that both StoreFront servers are members of the same StoreFront server group. For the SSL certificate always use the LB DNS name, otherwise it will not work. Install the SSL certificate on both StoreFront servers before starting the StoreFront configuration. StoreFront 2.0/2.1 don’t use a SQL database anymore.



  • Hi Robin,

    Please confirm that I do not need to set up an SSL cert on the Windows NLB server, just the StoreFront servers, using the NLB FQDN.

    • You need to install the SSL certificate on all the StoreFront servers that are part of the NLB, not the NLB server itself.

  • Have you found any issues with certificates on StoreFront?
    In the last couple of days I have faced a problem where something in the process of creating, completing and exporting the certificate that in the end will be used on the StoreFront server causes StoreFront to not work.
    If you browse to StoreFront using the FQDN it never takes you to a logon page, but rather it returns a message that it cannot complete the request.

    Could it be that if the CSR is not generated on the StoreFront server, but on another server using IIS, this would cause a problem?

    I guess what I want to confirm is: what is the best way to generate the CSR for a URL?

    • It does not matter where you create the CSR. To be sure, did you type /Citrix/ behind the FQDN URL?

  • Hi Robin,

    Thank you very much for sharing your knowledge on how to configure the various different Citrix components.

    Do you happen to know how to figure out the PowerShell scripts that get run behind the GUI when StoreFront is configured?

    I would like to automate the install and configuration as much as possible for lab use, because I now use evaluation versions of Windows OS and it just expires.

  • Hi
    Great article. I am trying StoreFront in a test lab without a certificate. Followed everything you said above, but when I try to browse the store from Internet Explorer it comes up with HTTP 404 not found. Let me know how to troubleshoot, please.
    Thanks in advance

  • First, great article. 2 questions: should you have 2 SF sites, i.e. 1 for internal and 1 for external? Also, will redirection without SSL certs work from NS Gateway to StoreFront?

    • Thanks, you can use 1 site for both internal and external connections. Traffic from the NetScaler to the StoreFront can be HTTP but Citrix recommends using HTTPS for internal traffic as well.

  • Hi,

    Excellent article. I have gone through the steps and it works great. Can you guide on implementing NetScaler with MDM and App Controller?

  • Hi,

    In the section where you “Add Site Binding” to port 443, do you not need to enter the hostname as well?



  • I have found this article and the one you wrote about configuring the NetScaler Access Gateway to be very useful to me in setting up my new XenApp deployment but I’m having some issues and have a couple questions that I’m hoping you can answer for me. I have a single XenApp server and I do not use a DMZ in my network. I have a Storefront server and a NetScaler VPX (the free one) set up.

    1. Both of your articles that I mentioned above mention configuring and installing SSL certs. Do I need to purchase two separate certificates? (one for SF and one for NS) or can I get by with just a single one on the NS?

    2. To get all of the autodiscover to work great for my users when they use the Receiver client (internally and externally), I should have all DNS pointing to the NS, right?

    Thanks again for writing these articles. They’ve been very helpful.

    • Hello Chris, only for the NS do you need to purchase an SSL certificate. For the internal StoreFront you can use an SSL certificate created by your own CA as long as you install the Root CA on all your clients.

      • Great article, especially for a newbie like me.
        If using internally generated SSL for StoreFront servers, is there anything I need to configure on NetScaler to recognize the internal CA or does it matter?

        • Upload the Root certificate of your internal CA to the NetScaler to let it work.

  • Hello,
    This is an excellent document that you produced. I would like to know if you have a tutorial for mobile access to XenDesktop and XenApp via VPN without NetScaler

  • I have installed the storefront and when I try to add the storefront to the Citrix Studio MMC I get the following error.

    Citrix.Console.Models.Exceptions.ObjectNotFoundException Cannot find path ‘GPO_SfStorefrontAddress_User:\User\Unfiltered\Settings\Receiver\StorefrontAccountsList’ because it does not exist

  • Great article, thanks… I have a working StoreFront 2.5 which I can successfully approach from a Chromebox in case no proxy server is filled in. The moment I fill in the proxy server in order to allow clients to use the internet directly, I can log on to StoreFront and I see the apps, but I cannot start them; any thoughts on this issue will be appreciated

  • Great article, thank you
    Just one to point out
    All of your articles are really good.
    Thank you for making a difference for all of us in the industry.

  • Thanks Robin! I’m glad to know there are people sharing knowledge. Cheers from Brasil!

  • Awesome article Robin. Quick question: if I purchased a certificate from Go-Daddy, how would that apply in this article of yours? Do I still go ahead and create a server certificate or should I use the one from Go-Daddy for both the server and NetScaler?

    • For internal use you can use your own certificate authority. If you need access externally, you need to have a publicly trusted SSL certificate on your NetScaler.

About Robin Hobo

I work as a Senior Solution Architect with focus on the Modern Workspace. I am specialized in Azure Virtual Desktop (AVD), Windows 365 and Microsoft EM+S (including Microsoft Endpoint Manager - Microsoft Intune).

For my full bio, check the About Me page.
