We currently have a setup which we need to migrate from Firepass to F5 Big IP APM. We run firmware version 11.4.1. Our Big IP units are configured in an Active/Standby configuration. The units are only licensed and provisioned for Access Policy (APM) and Application Visibility and Reporting (AVR) modules.
Our end users consist of managed systems which make use of SSL full network access and RDP desktop access through the portal. We also support RDP and Citrix XenApp remote desktop access from non-managed systems. The end users of non-managed systems use a web browser for remote access. We make use of XenApp 6.
For authentication we make use of client certificates. We use a software-based PKI solution which provides clients with a temporary X509 certificate if two-factor authentication succeeds. We use these certificates to authenticate the clients. Only clients with a valid certificate are allowed to establish a remote access session. An end user does not need to provide their credentials on the portal but is logged on based on the information in the certificate.
We extract the username from the certificate and use that username to retrieve the ADS group membership of that end user's Active Directory account and assign resources based on their group membership.
In the Firepass configuration a user can end up with resources to establish a full network connection, RDP as well as Citrix published application access.
I have now built the above configuration on the Big IP unit so that end users can be provided with network resources as well as RDP desktops on a single webtop.
I do have some questions regarding how to integrate the Citrix published apps, however. The clients will access Citrix desktop are used from
My questions are as follows:
1) Is XenApp 6 supported by Big IP APM 11.4.1?
2) How can we best integrate Citrix resources into our Big IP setup, given the fact that we only have Access Policy (APM) and no LTM provisioned?
3) Does Integrating APM with a Citrix Web Interface Site work in this case, as well as Integrating APM with Citrix XML Brokers?
4) Two-factor authentication has already been performed by the end user before the end user connects to the VPN portal, to obtain the client certificate. The VPN appliances do not know the end user's password once he is logged on. I guess we need to add an additional logon page which requests the logon credentials for Citrix Web Interface or XML Brokers integration. Or is there some other way we can present published Citrix apps so that the end user can provide the password later, once he starts the published app?
5) Is it possible on Big IP APM to configure a single published Citrix application instead of integrating the Citrix Web Interface or XML Brokers, just like you could on Firepass? This would be sufficient for us since end users from non-managed systems only need access to the full desktop.
6) Where can I find more information regarding the usage of custom parameters for Remote Desktops on Big IP APM?
iApps related to Citrix all require LTM as a required provisioned module so I guess we need to manually configure the Big IP units.
Have you tried just configuring a full webtop with a portal in APM with http://hostname/Citrix/XenApp/auth/login.aspx ?