Forum Discussion

Stefan_Hill
Jan 16, 2015

LTM 11.4.1 forwarding to Netscaler 10.5 with ssl offloading and inspection

Hello

I have the following scenario. My Citrix clients are connecting over F5 to a NetScaler. Behind the NetScaler is the whole environment with StoreFront 2.6 etc. The F5 is doing SSL offloading and re-encryption. So far so good. Clients are able to connect to the NS and they can launch apps and iDesktops. As soon as I enable an HTTP profile the nightmare starts. According to the documentation I tried several settings but didn't get it running with inspection. Does anybody know how to get this up and running?

13 Replies

  • What exactly are you trying to do, and can you post a link to the documentation you are using?
  • I am using the F5 deployment guide http://www.f5.com/pdf/deployment-guides/citrix-vdi-iapp-dg.pdf. I tried setting it up with the iApp and without. As soon as I enable an HTTP profile on my virtual host which is pointing to the Citrix NetScaler (10.5 build 51.10), my Citrix client is no longer able to connect to an app or iDesktop. I need to do inspection on that setup.
  • Any error messages, any more detail please?

    Have you done a tcpdump on the F5 to take a closer look at what's happening?

  • I did a tcpdump on the connection but didn't see any obvious indication, but to be honest I am not an expert in reading dumps. The error behaviour when the HTTP profile is enabled is that, when launching the app, a Citrix window opens indicating the app is starting; this stays until a timeout occurs and it closes with "contact your administrator".


    • Stefan_Hill
      My Citrix environment is using the following releases: Citrix XenDesktop 7.6, NetScaler NS 10.5 Build 51.10, StoreFront 2.6.
    • What_Lies_Bene1
      Hmmm. Why the HTTP profile at all, just out of interest? Also, is this a standard VS or something else, like FastL4?
  • The HTTP profile is needed for the inspection. The aim is to attach a security policy to the VS. Regarding the type of VS, yes, it is a standard VS.

  • Hi Stefan,

    as WLB already recommended, a tcpdump may help to find out the issue:

    tcpdump -nnni 0.0:nnnp -s 0 -w /shared/issue.cap host 

    It will trace all client- and serverside traffic initiated by your client.

    The tcpdump syntax above adds the so-called "F5 Ethernet Trailer" data (the "nnn" flag in the interface definition) to your raw dump file /shared/issue.cap, and the file also contains the related traffic on the "peer" side (server side; triggered by the "p" flag in the interface definition).

    A description of the trailer data and the required Wireshark plugin to decode it can be found here on DevCentral.

    Thanks, Stephan
  • I did the tcpdump in the past with tcpdump -ni vlanxxx:nnnp -s0 -c 100000 -w /var/tmp/sh_netscaler_050115.cap host x.x.x.x, decrypted it in Wireshark with a PMS file, and gave it to F5 support.


    • mark_06_140158
      Hi, we had a similar issue. The process starts with HTTPS to give users a list of available apps/desktops. It then delivers an appropriate ICA file to the client over HTTPS. All works fine as the HTTP filter understands the traffic. When the user opens the app, the Citrix Receiver (client) then initiates ICA over SSL. This ICA traffic is not understood by the HTTP filter, hence it breaks. I am trying to find out how to configure the LTM to distinguish whether the decrypted traffic is HTTP or ICA and then ONLY apply the HTTP filter to the correct stream. Any ideas?
  • Did you ever find a resolution? I am trying to set up NetScaler behind F5 as well, a similar environment to what you describe. Did you get it to work?
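The problem mark_06_140158 describes (HTTP and ICA-over-SSL arriving on the same standard VS, with the HTTP profile breaking the ICA stream) is the kind of thing an iRule can sort out by looking at the first decrypted bytes of each connection. The following is an added example written for this thread, not code from the original posts or from F5; it assumes a standard VS with clientssl, serverssl and an HTTP profile attached, so that TCP::payload is already decrypted, and it treats anything that does not begin with an HTTP method token as a non-HTTP (e.g. ICA) stream.

```tcl
# Added example iRule (not from the thread). Assumes clientssl + HTTP profile
# on the VS, so the collected payload is plaintext.
when CLIENT_ACCEPTED {
    # Hold the first client bytes so we can classify the stream before
    # the HTTP profile starts parsing it.
    TCP::collect
}

when CLIENT_DATA {
    # Wait until there is enough data to recognise a request line.
    if { [TCP::payload length] < 8 } {
        TCP::collect
        return
    }
    set head [string range [TCP::payload] 0 31]

    # HTTP only if the stream starts with a known method token followed by a space.
    if { [regexp {^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|TRACE|CONNECT) } $head] } {
        # StoreFront / web enumeration and ICA-file download: keep HTTP
        # processing (and the attached policy) on this connection.
        HTTP::enable
        log local0.info "[IP::client_addr]:[TCP::client_port] classified as HTTP"
    } else {
        # ICA-over-SSL session opened by Receiver after the ICA file is
        # delivered: pass it through without HTTP parsing so it is not reset.
        HTTP::disable
        log local0.info "[IP::client_addr]:[TCP::client_port] non-HTTP stream, HTTP profile bypassed"
    }
    TCP::release
}
```

The log lines give a per-connection record of which streams bypassed HTTP processing; verify on the system that the attached security policy behaves as intended for connections on which HTTP::disable was called, since that interaction is not covered by the thread.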