Citrix – NetScaler VPN Portal Homepage – Storefront Refused Connection with X1 Theme

Summary
Your company use SSL VPN over Citrix NetScaler for the employees and customers . The employees/customers will get the VPN portal homepage displayed over NetScaler with configured X1 theme.
When you click the “Citrix Applications” link on the VPN portal homepage menu, the Citrix Receiver page from the configured session profile should be opened, but the Citrix Receiver page are become refused, when you using a Microsoft Edge Chromium browser.

Description
Citrix Storefront X-Frame-Options configuration refuse the HTTP request from the Microsoft Edge Chromium browser, when the request are open through the Citrix NetScaler VPN portal homepage with configured X1 theme.
Maybe you have already configured the X-Frame-Options like the Citrix article CTX202890, the frame-ancestors settings from the article, will not work in combination of Microsoft Egde Chromium browser and the X1 theme from Citrix NetScaler.
The frame-ancestors settings must be additionally supplemented with the FQDN from the Storefront server or the domain and top-level from your local environment. You can also work with wildcards on the frame-ancestors setting string. From my point of view, this is the easiest and most flexible solution, without reducing the security of the IIS or Microsoft Edge Chromium configuration.
In the developer tools from the Microsoft Egde Chromium you can catch the HTTP response, that displayed the refuse message.

Configuration of the web.config from Citrix Storefront
Open the web.config file from your affected Storefront Web Store (drive:/inetpub/wwwroot/citrix/storeweb) and search the statement “X-Frame-Options”. Add following string with your Storefront FQDN or top level domain to the frame-ancestors string, like the following screenshot.

frame-ancestors with Storefront FQDN configuration in the X-Frame-Options

frame-ancestors with wildcard domain and top level configuration in the X-Frame-Options

With the configured frame-ancestors in the X-Frame-Options, the Storefront Receiver page will be no longer refused.

Citrix – Microsoft Edge Chromium Prompt To Run nglauncher.exe (Citrix NetScaler Plugin)

Summary

Microsoft Edge prompt to run the nglauncher.exe (Citrix NetScaler Plugin) when you logon to the Citrix NetScaler Gateway with Citrix VPN configured.

Following the solution to configure Microsoft Edge Chromium.

Description

To figure out the required values for the configuration, the traffic between the Microsoft Edge Chromium and the Citrix NetScaler Gateway must be analyzed. In my environment, I analyzed the traffic with the Microsoft Edge Chromium Developer Tools. You can observe the call to start the nglauncher.exe in the HTTP header request of the Citrix NetScaler page.

The “Request URL:” part includes the desired configuration, for the further steps. You can configure the setting globally with GPO (Microsoft Edge Chromium ADMX ), or locally in the registry of the end user device.

GPO Configuration

Following GPO configuration must be created to bypass the Microsoft Edge Chromium prompt.

GPO Setting: Define a list of allowed URLs
GPO Setting Path: User Configuration\Policies\Administrative Templates\Microsoft Edge\
Value:citrixng://*


Registry Configuration

Following Registry configuration must be created to bypass the Microsoft Edge Chromium prompt.

Registry Hive: HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
Registry Path: Software\Policies\Microsoft\Edge\URLAllowlist
Registry Value Name: {number} **
Registry Value Type: REG_SZ
Registry Value: citrixng://*

** The Value consists of a number, if an value already exists, the entry to be configured must have a sequence number.