In almost every production environment you will implement Citrix Storefront on more than one server to provide high availability (HA) and load balancing (LB). In this step-by-step guide I will show you how to implement Citrix Storefront 2.5.2 on multiple servers and how to configure load balancing on a NetScaler 10.5 from beginning to end.


For this setup you need the following:

  • At least two servers with a static IP address for the installation of Citrix Storefront
  • A Citrix NetScaler 10.x up and running with the basic configuration
  • A free IP address for the Load Balance vServer on the NetScaler
  • A DNS record pointing to the free IP address for the vServer
  • A server with the Certification Authority and Certification Authority Web Enrollment roles installed on it

My environment

For this setup I will use the following components:

  • Citrix Storefront server 1 running Win2012R2, IP
  • Citrix Storefront server 2 running Win2012R2, IP
  • Citrix NetScaler 10.5
  • Free IP address for Load Balancing vServer:
  • DNS Record: Storefront (pointing to
  • My internal CA is running on server DC1



It’s a Citrix best practice to configure Storefront with HTTPS to secure the traffic. If you use the newest Citrix Receiver or want to integrate the Citrix AppController with Storefront, it’s even a requirement. To secure the traffic you need an SSL certificate. When you implement more than one Storefront server and load balance these servers, as in this case, all Storefront servers and the NetScaler need an SSL certificate for the same hostname. Therefore use a generic hostname, for example storefront.domain.lan.

You can generate an SSL certificate for each server, or generate one SSL certificate on a single server and export it so you can install it on the other servers. Both ways will work.

In this case I will create a certificate on the NetScaler and export it so I can install it on the Storefront servers. Keep in mind that you also need to install the internal Root CA on the NetScaler; these steps are also included in this guide.

Step 1 – Create and install an SSL Certificate on the NetScaler

In the following steps I will create and install an SSL Certificate on the NetScaler and I will also install the internal Root CA on the NetScaler.

Log in to the Citrix NetScaler web GUI and browse to Traffic Management > SSL. On the right side click Create RSA Key

Fill in the following information:

Key Filename: storefront.key
Key Size (bits): 2048
Public Exponent Value: F4
Key Format: PEM
PEM Encoding Algorithm: DES3
PEM Passphrase: A password you like
Verify Passphrase: Same as above

Click on Ok

Click on Create CSR (Certificate Signing Request)

Fill in the following information:

Request File Name: storefront.txt
Key File Name: Browse to the .KEY file you just created
Key Format: PEM
PEM Passphrase (For Encrypted Key): The password you specified in the previous step

Scroll to the bottom of the page and fill in the following information:

Country: Your Country
State or Province: Your State or Province
Organization Name: The name of your organization
City: Name of your City
Email Address: a valid email address
Organization Unit: Your Organization Unit
Common Name: storefront.hobo.lan (replace with your hostname and domain name)
Challenge Password: A password you like
Company Name: Your Company Name

Click OK

To download the request file click on Manage Certificates / Keys / CSRs 

NOTE: If you are using a version below NetScaler 10.5 build 51.x, use another tool such as WinSCP to download files. There is a bug in version 10.5 build 50.x that adds an error line to every file!

Select the storefront.txt file and click Download

Open a web browser and go to your Certification Authority Web Enrollment page (for example https://dc.hobo.lan/certsrv)

To download the Root CA first, click on Download a CA certificate, certificate chain, or CRL

Select Base 64 and click Download CA certificate

Go back to the main screen and click on Request a certificate

Click on advanced certificate request

Click on Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file

Copy the text from the storefront.txt (request file) into the Saved Request window. Select Web Server as Certificate Template. Click Submit

Select Base 64 encoded and click on Download certificate

Open the Citrix NetScaler console and browse to Traffic Management > SSL > Certificates. Click Install

Fill in a certificate name, for example <domain>-CA. Browse (local) to the Root certificate and click Install

Click on Install again

Fill in a certificate name, for example storefront.<domain>.lan. Browse (local) to the storefront.cer file and browse (appliance) to the storefront.key file.

Enter the Password and click Install.

Right click the storefront.<domain>.lan certificate and click Link

Select the Root CA certificate and click OK

Browse to Traffic Management > SSL and click on Export PKCS#12

Fill in a File Name, in this case storefront.pfx, and select the storefront.cer and the storefront.key files. Enter the Export Password and the PEM Passphrase. Click OK

Click on Manage Certificates / Keys / CSRs 

Select the storefront.pfx file and click Download

Copy the storefront.pfx file to both Storefront servers.

Step 2 – Install Citrix Storefront 2.5.2 (on both Citrix Storefront servers)

In the next steps I will install Citrix Storefront 2.5.2. This needs to be done on both Storefront servers.

Start the Storefront setup. Select I accept the terms of this license agreement and click Next

Click Next

Click Install

Click Finish

When the Storefront console starts (automatically), close it.

Step 3 – Install the SSL certificate on the Storefront servers (on both Citrix Storefront servers)

The next step is to install the SSL certificate on both Storefront servers before starting with the Storefront configuration.

Open the Internet Information Services (IIS) Manager. On the left side select the server. In the middle of the screen double-click on Server Certificates

Click on Import

Select the storefront.pfx file and fill in the Password. Click OK

On the left side, browse to the Default Web Site, on the right side, click Bindings

Click Add

Select https as type and select the storefront SSL certificate. Click OK

Step 4 – Configuring Citrix Storefront 2.5.2 (on server 1)

In the following steps I will configure only the basic settings in Citrix Storefront (for configuring Citrix Storefront for remote access see my blog about that here). These steps need to be performed only on the first server.

Open the Citrix Storefront console and click on Create a new deployment

The base URL is automatically configured with the HTTPS URL. Click Next

Fill in a Store name and click Next

Click Add to add your Delivery Controllers

Fill in the information of your delivery controller and click OK

Click Next

I will skip Remote Access for now. Click Create

Click Finish

Step 4 – Joining the second Storefront server to the Server group

Once you have configured the first Citrix Storefront server you can join the second one. The second Storefront server will receive the complete configuration of the Citrix Storefront Server Group.

To do so, follow these steps:

On the first server, open the Server Group page and click on Add Server

You now see an Authorizing Server and an Authorization code. This information must be entered on the second server when joining.

On the second server, open the Citrix Storefront console. Click on Join existing server group.

Fill in the information from the first server and click Join

Click OK

After a refresh you will see that the server is synchronized and that all the servers now have the same configuration.

Step 5 – Configure Storefront Load Balancing on the Citrix NetScaler

Now that Citrix Storefront is up and running on two servers it’s time to configure the Load Balancing on the NetScaler. For that, I will create 2 servers, 1 monitor, 1 services group and the Load Balancing vServer.


On the Citrix NetScaler, open the Configuration tab and browse to Traffic Management > Load Balancing > Servers

Click Add

Fill in a Server Name, for example “Citrix Storefront 1”. Select IP Address and fill in the IP Address of the first Citrix Storefront server and click Create

Click on Add again to add the second Storefront server.

Fill in a Server Name, for example “Citrix Storefront 2”. Select IP Address and fill in the IP Address of the second Citrix Storefront server and click Create


Browse to Traffic Management > Load Balancing > Monitors

Click Add

Fill in a Name, for example “Storefront Monitor”, and select STOREFRONT as Type.


Browse down to the bottom and enable Secure. Browse back to the top.

Open the Special Parameters tab. Fill in the Storefront Store Name and click Create

Browse to Traffic Management > Service Groups. Click Add

Enter a Name, for example Storefront Group. Select SSL as Protocol and click Continue

Click Settings


Click on the Settings edit button

Enable Client IP and enter the following Header: X-Forwarded-For. Click Save.

Click on Members

Click on the arrow on the right side of the Service Group Members


Click Add

Select Server Based and select the first Citrix Storefront server. Configure 443 as port and click Save

Click Add again

Select Server Based and select the second Citrix Storefront server. Configure 443 as port and click Save

Click Close

Click on Monitors

Click on the arrow on the right side of the Members

Click Add

Select the Storefront Monitor and click Insert

Click Save

Click Done

The Storefront Services Group is now created. If everything is correct, the Effective state is UP

Browse to Traffic Management > Virtual Servers and click Add

Fill in a Name, for example Storefront LB. Configure SSL as Protocol. Select IP Address Type, IP Address and enter an available (free) IP Address for the Storefront Load Balancing vServer.

Set the port to 443 and click Continue

Click Continue

Click on Services Group

Click on the arrow on the right side of the Services Group

Click Bind

Select the Storefront Group and click Insert

Click Save

Click on Persistence

Select SOURCEIP as Persistence and set the Time-out (mins) at 20. Click Save

Click SSL Certificate

Click on the arrow on the right side of Certificates, Server Certificates

Click Bind

Select the storefront.domain.lan and click Insert

Click Save

Click on the arrow on the right side of Certificates, CA Certificates

Click Bind

Select the internal Root CA and click Insert

Click Save

Click Done
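
The settings chosen in Step 5 can be checked against a saved NetScaler configuration. The following is an added example, not part of the original guide: the sample lines are constructed ns.conf-style equivalents of the GUI steps, using the object names from this guide, and the IP addresses, the store name "Store" and the function names `opt` and `audit` are assumptions.

```python
import shlex

# Constructed sample (not from the guide): ns.conf-style lines for Step 5.
# The 192.0.2.x addresses and the store name "Store" are placeholders.
SAMPLE_CONF = """
add server "Citrix Storefront 1" 192.0.2.11
add server "Citrix Storefront 2" 192.0.2.12
add lb monitor "Storefront Monitor" STOREFRONT -storename Store -secure YES
add serviceGroup "Storefront Group" SSL -cip ENABLED X-Forwarded-For
bind serviceGroup "Storefront Group" "Citrix Storefront 1" 443
bind serviceGroup "Storefront Group" "Citrix Storefront 2" 443
bind serviceGroup "Storefront Group" -monitorName "Storefront Monitor"
add lb vserver "Storefront LB" SSL 192.0.2.10 443 -persistenceType SOURCEIP -timeout 20
bind lb vserver "Storefront LB" "Storefront Group"
bind ssl vserver "Storefront LB" -certkeyName storefront.domain.lan
"""

def opt(tokens, flag):
    """Return the value that follows -flag (case-insensitive), or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == flag.lower():
            return tokens[i + 1]

def audit(conf, vserver="Storefront LB", group="Storefront Group"):
    """Return findings; an empty list means the config matches Step 5."""
    cmds = [shlex.split(line) for line in conf.splitlines() if line.strip()]
    find = lambda *p: [c for c in cmds if tuple(c[:len(p)]) == p]
    out = []
    vs = find("add", "lb", "vserver", vserver)
    if not vs or vs[0][4:7:2] != ["SSL", "443"]:
        out.append("vserver is not SSL on port 443")
    elif (opt(vs[0], "-persistenceType"), opt(vs[0], "-timeout")) != ("SOURCEIP", "20"):
        out.append("persistence is not SOURCEIP with a 20 minute time-out")
    if not any(opt(c, "-certkeyName") and "-CA" not in c
               for c in find("bind", "ssl", "vserver", vserver)):
        out.append("no server certificate bound to the vserver")
    sg = find("add", "serviceGroup", group)
    if not sg or sg[0][3:4] != ["SSL"]:
        out.append("service group does not use SSL to the back end")
    elif opt(sg[0], "-cip") != "ENABLED":
        out.append("client IP header insertion is not enabled")
    binds = find("bind", "serviceGroup", group)
    members = [c for c in binds if len(c) >= 5 and not c[3].startswith("-")]
    if len(members) < 2 or any(c[4] != "443" for c in members):
        out.append("fewer than two members, or a member not on port 443")
    mons = {opt(c, "-monitorName") for c in binds} - {None}
    if not any(c[4:5] == ["STOREFRONT"] and c[3] in mons and opt(c, "-secure") == "YES"
               for c in find("add", "lb", "monitor")):
        out.append("no secure STOREFRONT monitor bound to the group")
    return out
```

Calling `audit()` on the text of a saved configuration returns one finding per setting that differs from the values used in this guide.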


The final step is to test the configuration. For that I have changed the backgrounds of the Citrix Storefront servers. Citrix Storefront 1 will be the one with the red background, Citrix Storefront 2 will be the one with the blue background.

For this test I will browse to my Storefront Load Balancing address: https://storefront.hobo.lan/Citrix/HoboWeb

As you can see I’m landing on the first Citrix Storefront server.

To test the load balancing I turned off Citrix Storefront server 1. When looking at the Server Group Members, you can see that the first Citrix Storefront has the Down Service State.

When reloading the Storefront page I’m now landing on the second Citrix Storefront server, as you can see with the blue background. So, Load Balancing is working fine!