Have you ever wondered what the Subnet IP address (SNIP) is used for when configuring StoreFront? It’s a widely discussed topic that comes up when deploying StoreFront for remote access through NetScaler Access Gateway. First off, many administrators who only maintain the virtualization portion of their environment may not even know the SNIP is or what it is used for. The SNIP is an IP addresses configured on the NetScaler that is used when communicating with backend resources. In the case of StoreFront, the Access Gateway component that resides on NetScaler communicates with StoreFront, passing-through a user’s credentials and resource requests.

StoreFront attempts to use the SNIP address to identify if a user is connecting in remotely through Access Gateway or from the local network. When StoreFront identifies the remote IP address as the SNIP address, it believes the connection is coming from an external user through Access Gateway. It will then authenticate the user against the Gateway authentication service. A problem arises though when the same NetScaler is used for Access Gateway and load balancing StoreFront for internal access. In this scenario, the SNIP address will also be returned as the remote IP address when accessing StoreFront internally since it is also being load balanced on the NetScaler.

So, should you leave the SNIP address blank, use a non-routable IP, or what about Net Profiles? It is recommended the SNIP be left blank when using the same NetScaler for load balancing. Assigning a Net Profile to the StoreFront load balancing vServer on the NetScaler is another workaround that has been discussed. Assigning a Net Profile to a vServer allows it to utilize a different SNIP address for backend communication. While using Net Profile seems that it solves the issue, there is still one problem, Access Gateway does not support Net Profile. Due to the NetScaler architecture, when two SNIP addresses are configured, it uses both in a round robin fashion. This means that although the StoreFront vServer will always use the same SNIP, Access Gateway will switch between the two.

I’m glad to say that beginning with StoreFront 2.0, entering a Subnet IP is now optional! In previous versions (1.2 and below), it was recommended that if issues occurred, a fake IP address (ex: 1.1.1.1) should be entered as the SNIP. In StoreFront 2.0, you can simply leave the SNIP address field blank. When left blank, StoreFront 2.0 will detect an incoming connection through Access Gateway by checking the request against the configured list of Access Gateways defined during the gateway configuration. As long as the Access Gateway hostname matches and the callback is configured appropriately, remote access will work!

To help troubleshoot any issues encountered with StoreFront, it is recommended to enable debug logging. When enabled, it is possible to identify the IP addresses StoreFront is capturing when a connection is made. The log below displays an internal connection to StoreFront that is being load balanced on NetScaler. Since SSL is enabled, the X-Forwarded-For header is used on the StoreFront load balancing vServer on the NetScaler to pass-through the endpoint device IP.

Below are some examples of the data you will see when enabling debug logging. For reference, 192.168.1.108 (Endpoint Device), 192.168.1.233 (SNIP), 192.168.1.176 (StoreFront Server).

 Internal Access with No SNIP Specified

Citrix.DeliveryServices.GatewayIdentification Verbose: 0 : Attempting to detect gateway for data:

XCitrixGateway=
XCitrixVia=
XCitrixViaVip=
XForwardedFor=192.168.1.108,192.168.1.233, 192.168.1.176
RemoteAddr=192.168.1.233

When SNIP Matches :

Detected:Name: ‘3befbc9a-b9df-4627-8f47-cd3ae8310fe8’ IdentifiedAddress:192.168.1.233 IdentifiedHost:mydomain.com