1. Authentication service: This service, which is an integral part of StoreFront, authenticates users to XenDesktop and XenApp farms.
2. Store: The store retrieves user credentials from the authentication service and provides resources to the authenticated users. The store also enumerates and aggregates the resources currently available from XenDesktop and XenApp farms. Users access the store through Citrix Receiver or a Receiver for Web site.
3. Application Subscription Store (Data Store): This store saves and indexes the application or desktop subscriptions of the users on a per-StoreFront Store basis. In contrast to older versions of StoreFront, where an external Microsoft SQL database was required, the new Application Subscription Store uses the built-in Microsoft Windows Extensible Storage Engine to store details of users’ app subscriptions locally on StoreFront servers. When a StoreFront server is joined to a StoreFront Server Group, the replication of data between all members is configured automatically.
4. Receiver for Web site: This site enables users to access stores through a webpage. It verifies the Receiver version installed locally on the client computer and guides the user through an upgrade or installation procedure if required. If Receiver cannot be installed locally, Receiver for HTML5 can be enabled for the Receiver for Web sites so that users can access resources directly within HTML5-compatible web browsers.
Citrix Receiver uses beacon points (web sites) to identify whether a user is connected to an internal or external network. Internal users are connected directly to resources, while external users are connected via Citrix NetScaler Gateway. Citrix Receiver continuously monitors the status of network connections. When a status change is detected, Citrix Receiver first checks that the internal beacon points can be accessed before moving on to check the accessibility of external beacon points. StoreFront provides Citrix Receiver with the http(s) addresses of the beacon points during the initial connection process and provides updates as necessary.
In the above picture, the StoreFront resides in the secure, internal network. NetScaler Gateway is installed in the DMZ and authenticates user requests before sending the requests to the StoreFront. The StoreFront does not perform authentication, but interacts with the STA and generates an ICA file to ensure that ICA traffic is routed through NetScaler Gateway to the proper server. For small installations this is the default deployment scenario.

Important note: When the StoreFront is located in the secure network, authentication should be enabled on NetScaler Gateway; otherwise, unauthenticated HTTP requests are sent directly to the server running the StoreFront. Disabling authentication on NetScaler Gateway is recommended only when the StoreFront is in the DMZ and users connect directly to the StoreFront.
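One way to check the note above during a configuration review, as an added example that is not part of the original article or any Citrix tooling: the script reads a saved NetScaler configuration and lists NetScaler Gateway virtual servers with authentication turned off, except those you have recorded as fronting a StoreFront in the DMZ. The configuration excerpt, virtual server names and addresses are constructed, and the script assumes that a `vpn vserver` without an explicit `-authentication` option has authentication ON.

```python
import shlex

# Constructed ns.conf excerpt; names and addresses are made up for this example.
SAMPLE_NS_CONF = """\
add vpn vserver gw_internal_sf SSL 203.0.113.10 443 -downStateFlush DISABLED
add vpn vserver gw_legacy SSL 203.0.113.11 443 -authentication OFF
add vpn vserver gw_dmz_sf SSL 203.0.113.12 443 -authentication OFF
add vpn vserver "gw branch" SSL 203.0.113.13 443 -authentication OFF
set vpn vserver "gw branch" -authentication ON
set vpn vserver gw_internal_sf -icaOnly ON
add lb vserver lb_sf SSL 192.0.2.20 443 -persistenceType SOURCEIP
"""


def gateway_auth_state(conf_text):
    """Map each vpn vserver name to True (authentication ON) or False (OFF)."""
    state = {}
    for line in conf_text.splitlines():
        try:
            tokens = shlex.split(line)  # handles quoted names such as "gw branch"
        except ValueError:
            continue  # unbalanced quotes: not a line we can interpret
        if len(tokens) < 4 or tokens[0] not in ("add", "set"):
            continue
        if tokens[1:3] != ["vpn", "vserver"]:
            continue  # lb vservers and other objects are out of scope
        name, opts = tokens[3], tokens[4:]
        if tokens[0] == "add":
            state[name] = True  # assumed default when the option is absent
        else:
            state.setdefault(name, True)
        # Later lines win, so a "set" overrides the value from "add".
        for i, tok in enumerate(opts[:-1]):
            if tok.lower() == "-authentication":
                state[name] = opts[i + 1].upper() == "ON"
    return state


def unauthenticated_gateways(conf_text, dmz_storefront_vservers=()):
    """Gateways with authentication OFF that are not recorded as DMZ StoreFront."""
    allowed = set(dmz_storefront_vservers)
    state = gateway_auth_state(conf_text)
    return sorted(n for n, on in state.items() if not on and n not in allowed)


if __name__ == "__main__":
    # gw_dmz_sf is the one gateway documented as fronting a StoreFront in the DMZ.
    for name in unauthenticated_gateways(SAMPLE_NS_CONF, ["gw_dmz_sf"]):
        print(f"REVIEW: {name} forwards unauthenticated requests to StoreFront")
```
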
Refer to this for load balancing Citrix StoreFront.