http://support.citrix.com/proddocs/topic/dws-storefront-10/dws-plan.html
http://support.citrix.com/proddocs/topic/clg-deployment/clg-deployment-cloudgateway-options-con.html
Planning Your Receiver Storefront Deployment
Updated: 2012-02-20
Receiver Storefront employs Microsoft .NET technology running on Internet Information Services (IIS) along with Microsoft SQL Server to provide authentication and resource delivery infrastructure for Citrix Receiver. Receiver Storefront integrates with your existing XenDesktop and XenApp infrastructure.

A typical Receiver Storefront deployment consists of the following components.
Receiver Storefront Components
The following services provide the functionality of Receiver Storefront.
- Authentication service—authenticates users to XenDesktop sites, XenApp farms, and AppController, handling all interactions to ensure that users only need to log on once.
- Store—retrieves user credentials from the authentication service to authenticate users to the servers providing the resources. Enumerates the resources currently available from the servers and sends the details to Citrix Receiver.
- Receiver for Web site—enables users to access stores through a Web page.
- Resource subscription database—stores details of user subscriptions plus associated shortcut names and locations.
Other Citrix Components
The following Citrix products and technologies integrate with Receiver Storefront to enable you to provide and deliver desktops and applications to your users.
- Citrix Receiver—presents the resources and services available across the configured stores. Enables users to subscribe to and organize their resources.
- Access Gateway—secures access to resources for remote users over public networks.
- XenDesktop/XenApp—provide desktops, content, and online and offline applications.
- AppController—enables pass-through authentication to both internal Web applications and third-party SaaS solutions. Provides centralized user account provisioning and reporting.
Third-Party Components
The following third-party products integrate with your Receiver Storefront deployment to provide additional functionality.
- External load balancer—provides for failover between servers and balances server loads in a multiple server Receiver Storefront deployment.
- Web apps—applications accessed through a Web browser and hosted on the internal network.
- SaaS apps—Web applications hosted externally by third parties and delivered over public networks.
Three of the core components of Receiver Storefront, the authentication service, the stores, and the Receiver for Web sites, run on IIS. The other main component, the resource subscription database, requires SQL Server. Receiver Storefront can be configured either in standalone mode, with all the components installed on a single server, or as a multiple server deployment. For single-server deployments, SQL Server must be installed locally on the Receiver Storefront server. In multiple server environments, the resource subscription database can be hosted on one of the Receiver Storefront servers or on a dedicated database server.
Receiver Storefront servers and the resource subscription database must reside within the same Active Directory forest as the XenDesktop and XenApp servers hosting users' resources. For multiple server deployments, all the Receiver Storefront servers in the group must reside within the same domain.
To configure a multiple server deployment for high availability, install your Receiver Storefront servers within a load balanced environment. Configure the external load balancer for failover between servers to provide a fault-tolerant deployment. Consider implementing database mirroring or clustering to enable automatic failover and provide high availability of the resource subscription database.
Include AppController in your deployment to provide pass-through authentication for Receiver Storefront users to Web applications hosted on the corporate network and to software-as-a-service (SaaS) applications provided by third parties over public networks. This enables you to deliver Web applications seamlessly to users through Receiver Storefront stores alongside XenDesktop and XenApp resources.
Users can either access Receiver Storefront stores directly through Citrix Receiver or they can use a Web browser to log on to a Receiver for Web site for the store. To access their desktops and applications, users require a compatible version of Citrix Receiver. If you plan to deliver offline applications to your users, the Offline Plug-in is also required. To access stores through Receiver for Web sites, users require a compatible Web browser in addition to Citrix Receiver. You can enable limited support with reduced functionality for users with older clients that support Web Interface XenApp Services sites. For more information, see Configuring Stores.
Deploy Access Gateway to secure user connections to Receiver Storefront stores and Receiver for Web sites over public networks. Receiver Storefront uses the Access Gateway authentication service to provide pass-through authentication for users from outside the corporate network so that they only need to enter their credentials once. Currently, the Receiver Storefront authentication service does not support smart card authentication or two-factor authentication. However, you can configure Access Gateway for two-factor authentication and enable pass-through authentication from Access Gateway to Receiver Storefront. For more information about configuring Access Gateway Enterprise Edition for Receiver Storefront, see http://support.citrix.com/article/CTX131908.
To ensure that users do not have to log on separately to each store, all stores must use the same authentication service. This means that for a single-server deployment, all stores must be hosted on the same Receiver Storefront server. In multi-server deployments, all stores must use a single authentication service hosted on one of the servers in the deployment.
When planning your Receiver Storefront deployment, consider the following recommendations.
- Citrix recommends hosting Receiver Storefront on a dedicated instance of IIS. Installing other Web applications on the same IIS instance as Receiver Storefront could have security implications for the overall Receiver Storefront infrastructure.
- If you install Receiver Storefront on the same IIS instance as the Web Interface, you must re-enable any Web Interface sites that use the default locations. For more information, see http://support.citrix.com/article/CTX132294.
- In a production environment, Citrix recommends using HTTPS to secure communications between Receiver Storefront and users' devices. To use HTTPS, Receiver Storefront requires that the IIS instance hosting the authentication service and associated stores is configured for HTTPS. In the absence of the appropriate IIS configuration, Receiver Storefront uses HTTP for communications.
- Citrix recommends that you back up the resource subscription database regularly so that you can restore from the backup if the database fails.
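Because Receiver Storefront falls back to HTTP when IIS is not configured for HTTPS, it is worth checking the bindings on the hosting site before and after installation. The following PowerShell check is an added example, not Citrix code; the site name 'Default Web Site', the 30-day expiry threshold, and the function name Test-SiteTransport are assumptions to adjust for your server.

```powershell
# Added example (not from the Citrix documentation).
# Assumption: Receiver Storefront is hosted in the IIS site named in $SiteName.
Import-Module WebAdministration

$SiteName = 'Default Web Site'   # assumption: change to the site hosting Storefront
$WarnDays = 30                   # assumption: warn when the certificate expires this soon

function Test-SiteTransport {
    param([string]$Name, [int]$ExpiryWarnDays)

    $bindings = @(Get-WebBinding -Name $Name)
    $https    = @($bindings | Where-Object { $_.protocol -eq 'https' })
    $http     = @($bindings | Where-Object { $_.protocol -eq 'http' })
    $findings = @()

    if ($https.Count -eq 0) {
        $findings += "No HTTPS binding on '$Name': clients will be served over HTTP."
    }

    foreach ($b in $https) {
        $thumb = $b.certificateHash
        $store = $b.certificateStoreName
        if (-not $store) { $store = 'My' }   # default machine store for server certificates
        if (-not $thumb) {
            $findings += "HTTPS binding $($b.bindingInformation) has no certificate assigned."
            continue
        }
        $cert = Get-ChildItem "Cert:\LocalMachine\$store" |
                Where-Object { $_.Thumbprint -eq $thumb }
        if (-not $cert) {
            $findings += "Certificate for binding $($b.bindingInformation) not found in LocalMachine\$store."
        }
        elseif ($cert.NotAfter -lt (Get-Date).AddDays($ExpiryWarnDays)) {
            $findings += "Certificate '$($cert.Subject)' expires $($cert.NotAfter.ToString('yyyy-MM-dd'))."
        }
    }

    foreach ($b in $http) {
        $findings += "Plain HTTP binding present: $($b.bindingInformation)."
    }
    return $findings
}

$result = @(Test-SiteTransport -Name $SiteName -ExpiryWarnDays $WarnDays)
if ($result.Count -eq 0) { "OK: '$SiteName' has HTTPS bindings only, with valid certificates." }
else { $result }
```

Run it in an elevated PowerShell session on each Receiver Storefront server in the deployment.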
======================
Deploying CloudGateway with Citrix Products and Components
Updated: 2012-12-03
CloudGateway includes the following components:
- AppController. AppController is a virtual machine available for both XenServer and VMware-based hosts that provides the central administrative point for configuration of enterprise Web, SaaS and mobile applications to be delivered to end users, with SSO federation and provisioning capabilities. AppController also supports ShareFile for delivery of data and documents to user devices from a central location. Users can connect directly to AppController from inside or outside the internal network.
- StoreFront. StoreFront delivers a secure, consistent, and unified app store to users that displays all of their authorized applications, whether Windows-based, mobile, Web or SaaS, on any device. StoreFront also delivers virtual desktops from XenDesktop. All apps, desktops, and ShareFile documents that users select "follow" them across any device they choose to use.
- Access Gateway. Access Gateway is a secure application access solution that provides administrators granular application-level control while empowering users with remote access from anywhere. It gives IT administrators a single point to manage access control and limit actions within sessions based on both user identity and the endpoint device, providing better application security, data protection, and compliance management.
- Receiver. Receiver is easy-to-install client software that lets you access enterprise data, applications, and desktops from any computing device including smartphones, tablets, and computers. Working in tandem with a Citrix-enabled IT infrastructure, Receiver gives workers consistent, secure, high-performance access from any device without introducing layers of management complexity for IT.
You can deploy CloudGateway in the following scenarios:
- Providing access for your internal users.
- Providing access for your remote users.
- Integrating with your existing Web Interface deployment.
- Integrating with your existing StoreFront deployment.
Providing Access for Internal Users
In this scenario, you deploy AppController in your internal network. This CloudGateway deployment provides your internal users with SSO to Web and SaaS applications. It also provides access to documents from ShareFile and mobile applications. Access to applications is based on the users' role in Active Directory.
Access to data is provided by integrating ShareFile into AppController. CloudGateway automatically creates the accounts in ShareFile and provides access to the users based on their role. CloudGateway federates with ShareFile by using SAML and allows users SSO capability through Receiver.
Providing Access for Remote Users
In this scenario, you deploy AppController in your internal network. You also deploy Access Gateway 10 in the DMZ. User connections from outside the internal network connect to Access Gateway with Receiver. Access Gateway authenticates users. Based on the authentication status, the enterprise application store delivered by AppController provides access to resources depending on the users' role in Active Directory.
Integrating with the Web Interface
In this scenario, you add AppController and Access Gateway to your existing Web Interface deployment to allow users access to apps and documents in AppController as well as published applications and virtual desktops through Receiver. Users must log on with a version of Receiver that supports SSO only with Program Neighborhood Agent (PNA) services. To allow for remote access on Windows-based and Mac OS X computers, users must install the Access Gateway Plug-in on their device.
Integrating with StoreFront
In this scenario, you deploy AppController with StoreFront, which aggregates, controls, and provides internal users with access, not only to Web, SaaS, and mobile apps and data, but also to Windows-based applications delivered through XenApp and virtual desktops from XenDesktop. Users can connect from the internal network or a remote connection through Access Gateway.