Support for 2 different Citrix farms on one Virtual Server

Hi All,

We are currently using a BIG-IP APM device to allow external access to our XenApp 6.0 farm with Web Interface. Basically, we are using the BIG-IP as a NetScaler replacement.

We are in the process of trying to roll out a XenDesktop 7.8 implementation using StoreFront. My problem comes with trying to support both environments using a single Virtual Server.

Right now, we have an SSO form and an iRule in place for the 6.0/Web Interface farm. The SSO Configuration is applied to the Access Policy and the iRule is applied to the Virtual Server. This is problematic, since I can't think of a way to provide support for both environments at the same time. I can either support one or the other by changing the SSO Configuration and the iRule, but applying the set for the 6.0 farm breaks the 7.8 farm and vice versa.

What I am trying to determine is if there is any other way to apply the SSO Configuration and the iRule based on a user's role, rather than at the VS and Access Policy level.

In my access policy I do an AD group membership check for a group called "XEN 7 Users". If my user is in that group, I can then assign them some SSO credentials and the StoreFront pool. If they are not in the "XEN 7 Users" group, they get assigned SSO credentials and the Web Interface pool. However, if they are in the "XEN 7 Users" group but the SSO config and iRule for the Web Interface are in place, they can't access the StoreFront servers.

Is there some way I could assign SSO configurations and iRules based on the user's role, rather than to the Access Policy and Virtual Server? I am looking to get a little more granular.

Thanks, I hope this was clear.

-John


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

In principle you should be able to handle both cases in one iRule if the iRule can take the chosen group into account. You can trigger an iRule event, and iRules can look into APM variables:

https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm_config_10_2_0/apm_config_irules.html#122471

The correct SSO profile can then be selected from that iRule:

https://devcentral.f5.com/wiki/iRules.WEBSSO__select.ashx

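One way to put the accepted answer into practice, as an added example that is not the thread's own iRule (John's tested version appears in the comments below): a single iRule on the shared virtual server reads an APM session variable that the access policy sets after the AD group check, picks the SSO configuration with WEBSSO::select, and only redirects browser clients. The variable name session.custom.citrixuser and its values ("1" for the Web Interface farm, "2" for the StoreFront farm) follow the thread; the SSO configuration object names, landing URIs, log text and the fail-closed 403 for an unclassified session are assumptions for illustration.

```tcl
# Added example, not code from the thread. Dispatches each APM session to the
# right Citrix farm from one virtual server. It relies on the access policy
# having set session.custom.citrixuser with a Variable Assign agent on the
# branch after the AD group check ("XEN 7 Users" -> "2", everyone else -> "1").
# SSO configuration names, landing URIs and log text are assumptions.

when ACCESS_ACL_ALLOWED {
    set farm [ACCESS::session data get session.custom.citrixuser]

    # Map the policy's verdict to the SSO configuration and the web landing page.
    switch -- $farm {
        "1" {
            set sso_config "/Common/WebInterface_SSO_Config"
            set landing    "/Citrix/XenApp/"
        }
        "2" {
            set sso_config "/Common/StoreFront_SSO"
            set landing    "/Citrix/Citrix-ProdWeb/"
        }
        default {
            # The policy never classified this user (variable unset or unexpected).
            # Fail closed instead of guessing a farm and replaying the stored SSO
            # credentials against the wrong back end.
            log local0.warn "citrix-dispatch: session [ACCESS::session sid] has no farm assigned (value '$farm')"
            ACCESS::respond 403 content "No Citrix farm is assigned to your account." noserver
            return
        }
    }

    # Select the SSO configuration for this request; APM forms-based SSO then
    # submits the credentials the policy stored for this session.
    WEBSSO::select $sso_config

    # Citrix Receiver/Workspace clients address the store and PNAgent URLs
    # themselves; only browsers requesting "/" are sent to the farm's web page.
    set client_type [string tolower [ACCESS::session data get session.client.type]]
    if { !($client_type starts_with "citrix") && [HTTP::uri] equals "/" } {
        ACCESS::respond 302 noserver Location "https://[HTTP::host]${landing}"
    }
}
```

On the policy side this assumes a Variable Assign agent on each branch of the AD Query group check that sets session.custom.citrixuser with a custom expression such as expr {"2"}, placed before the pool and SSO credential assignments so the variable exists by the time ACCESS_ACL_ALLOWED fires. The default branch is the part worth keeping when adapting this: a session that reaches the virtual server without a farm value should be refused and logged rather than silently handed one farm's SSO form.
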
Comments on this Answer
Comment made 27-Sep-2016 by John T. Morgan 110

Really appreciate the answer. I've been busy since posting this.

I think I am on the right track now.

I have created the following iRule which I am about to test:

when ACCESS_ACL_ALLOWED {
  # session.custom.citrixuser is set by a Variable Assign in the access policy
  # on the Citrix user branch: "1" = Web Interface farm, "2" = StoreFront farm.
  # If it is unset, neither branch below matches and the request is left alone.
  set citrixuser [ACCESS::session data get session.custom.citrixuser]
  set type [ACCESS::session data get session.client.type]

  if { $citrixuser equals "1" } {
    # Browser clients only: select the Web Interface SSO form and send "/" to the WI site.
    if { !($type starts_with "citrix") } {
      WEBSSO::select /Common/WebInterface_SSO_Config
      if { [HTTP::uri] equals "/" } {
        ACCESS::respond 302 Location "https://[HTTP::host]/Citrix/XenApp/"
      }
    }
  } elseif { $citrixuser equals "2" } {
    # Browser clients only: select the StoreFront SSO form and send "/" to the StoreFront site.
    if { !($type starts_with "citrix") } {
      WEBSSO::select /Common/StoreFront_SSO
      if { [HTTP::uri] equals "/" } {
        ACCESS::respond 302 Location "https://[HTTP::host]/Citrix/Citrix-ProdWeb/"
      }
    }
  }
}

Basically my idea is to assign a variable called "session.custom.citrixuser" and set it to either "1" or "2" depending on which farm I want them to go to (which would be determined by AD group membership), then use WEBSSO to assign the correct SSO form, then send them off to the appropriate URI.

I think that should take care of what I want, but I really have no idea about iRules, so this should be interesting! :-)

Comment made 27-Sep-2016 by boneyard 5579

Without actually trying it, it looks good and does what I had in my head. If it doesn't work, be sure to report back and explain what doesn't work; certainly people can help.

Comment made 27-Sep-2016 by John T. Morgan 110

Actually, in my test environment it seems to be working fine.

I only have one Citrix farm in my lab, so I just directed the 302 redirect to a bad URL on one branch, and it goes there when the variable is set to "1" and goes to the correct URL when the variable is set to "2".

Next thing is to build up a WI site to make sure everything works the whole way through.

I appreciate the response and the feedback.

I'm a happy boy right now. I can actually begin an incremental roll out of the New Citrix farm which was not possible before. It was going to be all or nothing.
