Today marks a major milestone for Citrix StoreFront, as we’ve announced the general availability of StoreFront 3.5. This release significantly revamps the administration console and PowerShell SDK, which makes the administration of StoreFront much easier.

Here is what’s new in StoreFront 3.5.

Updated administration console


There are a number of significant changes in the administration console:

  • Store centric UI architecture – authentication and Receiver for Web settings are organized around stores to simplify navigation for multi-store deployments.
  • Enable different authentication settings for different stores.
  • Configure delegation of authentication to XenApp/XenDesktop farms/sites.
  • Configure multi-site high availability.
  • Configure optimal NetScaler Gateway routing.
  • Set a Receiver for Web site as the default page for the IIS Website.
  • Configure many other settings previously done with web.config.

You can refer to my previous blog post for further details of the updated administration console.

New administration PowerShell SDK

A new administration PowerShell SDK is introduced in StoreFront 3,5.

  • Cmdlets in the new SDK are prefixed with STF and focussed on administration tasks grouped around StoreFront deployment-wide configuration, Stores, Authentication and Receiver for Web.
  • High-level example scripts are provided to enable you to script and automate StoreFront deployments quickly and easily.

The existing cmdlets prefixed with DS are deprecated. While they will be removed in a future release, they are still available and fully supported in StoreFront 3.5 to enable a gradual transition to the new SDK. Please see my previous blog post for more details.

Configuration export and import

You can export the entire configuration of a StoreFront deployment. The exported configuration can be imported to a deployment with the same StoreFront version for restoration or replication.

To export configuration of a StoreFront deployment, run the PowerShell cmdlet Export-STFConfiguration , which syntax is:

Export-STFConfiguration -TargetFolder <String> -ZipFileName <String> [-Credential <PSCredential>] [-Force <SwitchParameter>] [-NoEncryption <SwitchParameter>]

The output of export is a .zip file if unencrypted or .ctxzip if encrypted. TargetFolder and ZipFileName are the folder path and filename (without extension) for saving the exported configuration. Credential is a PowerShell credential object that contains the password for encrypting exported configuration. NoEncryption indicates that the exported configuration should not be encrypted. There is no need to supply the Credential object if NoEncryption is specified. Force indicates that if there is a file existing in the specified folder with the same file name it will be overwritten. For example, the following code snippet would export the configuration of the current StoreFront deployment in encrypted form to C:\Temp\sf35.ctxzip:

$User = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$Password = "MySecretPa55w0rd"
$Password = $Password | ConvertTo-SecureString -asPlainText -Force
$CredObject = New-Object System.Management.Automation.PSCredential($User,$Password)
Export-STFConfiguration -TargetFolder "C:\Temp" -ZipFileName "sf35" -Credential $CredObject

To import an exported StoreFront configuration, use the PowerShell cmdlet Import-STFConfiguration, with the following syntax:

Import-STFConfiguration -ConfigurationZip <String> [-Credential <PSCredential>] [-HostBaseUrl <String>] [-SiteId <Int64>]

ConfigurationZip is the file path for the configuration to be imported. Credential is a PowerShell credential object that contains the password to decrypt the configuration to be imported. This is not required if the exported configuration is not encrypted. HostBaseUrl is an optional parameter to specify a different base URL to overwrite the one specified in the configuration to be imported. SiteId is the ID of the IIS Website where the StoreFront deployment resides. The Site ID must be specified if you are importing a configuration to a new development. It should not be specified if you are importing configuration to an existing deployment. The following code snippet would import a previously exported StoreFront configuration to a new deployment with a new base URL:

$User = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$Password = "MySecretPa55w0rd"
$Password = $Password | ConvertTo-SecureString -asPlainText -Force
$CredObject = New-Object System.Management.Automation.PSCredential($User,$Password)
Import-STFConfiguration -ConfigurationZip "C:\Temp\sf35.ctxzip" -Credential $CredObject '
-HostBaseUrl "" -SiteId 1

Self-service password reset (SSPR)

Users can unlock their Active Directory accounts or reset their passwords via StoreFront. This feature currently works with the Citrix Single Sign-On Service shipped with XenApp 6.5 until a new SSPR Service for XenApp/XenDesktop 7.x is available. To enable this feature in StoreFront,

  1. Select the store you want to enable SSPR in the middle pane of the Administration Console.
  2. Select the Manage Authentication Methods in the task pane.
  3. In the pop-up dialog, select the drop-down menu for User name and password and select Configure Account Self-Service.
  4. Select Citrix SSPR from the drop-down menu.
  5. Select the Configure button.
  6. Enter the SSPR Account Service URL into the text box.
  7. Select Allow account unlock as you like.
  8. Repeatedly select the OK button until all pop-up dialogs disappear.


Zone-based optimal gateway routing

XenApp/XenDesktop 7.7 and above support applications/desktops from different zones in a single site. Please see William’s blog post Deep Dive: XenApp and XenDesktop 7.7 Zones if you would like to learn more about zones.

StoreFront 3.5 supports configuration of a different NetScaler Gateway for HDX connections to applications/desktops hosted in a different zone using the Administration Console. Assuming that you have added a gateway to be used for a zone into the system. To configure an optimal gateway for a zone,

  1. Select the store you want to configure in the middle pane of the Administration Console.
  2. Select Configure Store Settings task in the right pane.
  3. Select Optimal HDX Routing in the pop-up dialog.
  4. Select the gateway in the list.
  5. Select the Manage Zones button.
  6. Select the Add Zone button.
  7. Enter the zone name in the pop-up dialog and select OK.
  8. Select OK again to dismiss the Manage Zones dialog.
  9. If you want the gateway to be used for HDX traffic only when the user is connected externally, select the checkbox in the column External only.
  10. Select Apply or OK to confirm the change.


GSLB powered zone preference

GSLB in NetScaler 11.0-65.x and above can be configured to supply zone preference information to StoreFront. In conjunction with this feature, you can configure StoreFront to direct the launch requests to the most preferred XenApp/XenDesktop sites/farms for the user location. To map a farm/site to one or more zones,

  1. Select the store you would like to configure in the middle pane.
  2. Select the Manage Delivery Controllers task in the right pane.
  3. In the pop-up dialog, select the farm/site you want to map.
  4. Select the Edit button.
  5. In the Edit Delivery Controller dialog, select Settings in the Advanced Settings section.
  6. Select the value cell of the Zones row in the Configure Advanced Settings dialog.
  7. You can then enter one or more zones into the list and select OK when you finish.
  8. Select OK buttons until all pop-up dialogs disappear to confirm your changes.


Background broker health-check

StoreFront 3.5 runs periodical health checks on each XenApp/XenDesktop broker. This helps reduce the impact of intermittent broker availability as StoreFront will have a better idea of which brokers are healthy to process a user request. The frequency of the health check can be configured via the store advanced settings. To access the store advanced settings,

  1. Select the store you would like to configure from the middle pane.
  2. Select the Configure Store Settings from the right pane.
  3. Select the Advanced Settings in the pop-up dialog.


TLS 1.2 support

StoreFront 3.5 supports TLS 1.2.