Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Clear all filters
Answers

Citrix ICA file signing

Using APM for XenApp with webtop publishing. The bigip proxies/rewrites the ICA file. If the requirement would be to configure clients to accept only signed ICA files from a trusted source.. any idea how to achieve that? Signing must be done from the BIGIP i assume and I cannot find any way to do it

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

If you deploy APM 11.4.1 HF2 or later, it supports using STA tokens, and thus can be used with ICA signing feature, as ICA file rewrite is not needed in this case. Here is how to do this:

Documentation notes for this feature:

  1. Prerequisites:
  2. Citrix Web Interface (WI) site working in Gateway Direct Mode and published via Citrix Access Gateway (AGEE)

  3. Configuring APM

  4. Virtual Server (VS) is configured to provide ICA Proxy functionality either via iApp or as described in here: http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-citrix-integration-11-3-0.html
  5. Additional session variable named "session.citrix.sta_servers" must be added to the policy using the "Variable Assign" agent in Visual Policy Editor
  6. The value of "session.citrix.sta_servers" is the same as you would enter on Web Interface:

So the assignment will normally look like this:

session.citrix.sta_servers = return {http://mysta.company.com/scripts/ctxsta.dll}
  • If there is more than one STA server, the individual URLs are delimited by a semicolon
0
Comments on this Answer
Comment made 24-Jan-2014 by amolari 2665
I thought ICA file rewrite was always necessary (change of IP address from internal to VS)... The solution you describe is for when using WI servers and not publishing Apps on the APM webtop, right? No solution available if I do not want to use the WIs?
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

If you don't use the WI, the APM generates ICA file on its own - it does not rewrite it at all. When using APM to replace WI, it does not leverage/support ICA signing.

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

there is a RFE for ICA signing, when APM replaces WI (webtop publishing): Bug 357897 - [Citrix] Implement file signing for ICA files

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

We are running F5 11.2.1 so could you please let me know how we can do sign the ICA file.

Our Problem is if we add the site as a trusted site then everything works but if we remove from there it stop working, Please suggest

0