Hide StoreFront Stores


Many costumers provide multiple NetScaler Gateway portals and according StoreFront Stores.
When enrolling a new account in Citrix Receiver using the NetScaler Gateway FQDN, it prompts users to select according StoreFront Store, which might be confusing for users, especially if you have many Stores.
If you only want to use the enrollment by providing the Citrix Receiver configuration file, you can stop reading, as it already contains the assignment to corresponding store J
To hide a Store you can do so using StoreFront management console, but this disables advertisement completely. I would like to only offer the Store corresponding to the NetScaler Gateway and not all other Stores.
The solution we thought of requires NetScaler to be configured as a Load Balancer for StoreFront Servers and is very similar to following very good blog post: https://www.citrix.com/blogs/2013/11/18/hiding-xaxd-applications-by-using-netscaler-rewriting-functionalities/

StoreFront advertisement of Stores

When doing a trace on the NetScaler of the enrollment process of the Citrix Receiver and decrypt SSL traffic, you can find following packet. In this example the response from StoreFront advertises two stores, Store1 and Store2.

Rewrite XML

Each store is specified in the <name>…</name> tag within an xml bock delimited by the tag <account> … </account>
In this example you have to create a Rewrite Policy per Store you want to hide.

Create Rewrite Action

In the NetScaler management GUI go to AppExpert -> Rewrite -> Actions and click on Add. Fill out the Rewrite Action with the following parameters:

  • Name: (you can choose what you want)
    • rewact_res_hide-Store1
  • Type: (specifies what the rewrite action will do)
  • Expression to choose target location: selects the length of the Body of the HTTP response
    • HTTP.RES.BODY(10000)
  • Pattern: (search for the Store you want to hide)
    • >Store2<
  • Refine Search: (extent the selection up to 70 characters to the left, until </account> is found and up to 1000 characters to the right, until </account> is found)
    • EXTEND(70,1000).REGEX_SELECT(re#\s*<account>.*\s*<\/account>#)


Create Rewrite Policy

Go to AppExpert -> Rewrite -> Policies and click on Add. Fill out the Rewrite Policy with the following parameters:

  • Name: (you can choose what you want)
    • rewpol_res_hide-Store1
  •  Action: (select previously created Rewrite Action)
    • rewact_res_hide-Store1
  •  Expression: (the policy hits when the expression evaluates to true)
    • HTTP.RES.BODY(1000).CONTAINS(“accounts”)


Bind Policy to Load Balancing vServer of StoreFront

  • Open the vServer
  • Go into Policies -> Rewrite -> Response
  • Click on “Insert Policy
  • Specify the Policy Name
  • At “Goto Expression” select NEXT or END depending if this policy is the last one or not.


Possible improvements

I think there are several ways to improve this idea. Just some suggestions:

  • Find a rewrite Policy which deletes all but one Store
  • Develop a more granular expression for the rewrite policy, depending on which NetScaler Gateway you use.

If you have any suggestions, they are most certainly welcome.