F5 LTM and Citrix Secure Gateway

Question

I have a couple of CSG/WI servers that I need to load balance through the F5 LTM.  I've been told I'm not able to place the SSL certificate for the CSGs on the LTM, even if its configured to perform SSL-to-SSL bridging.&nbsp;
&nbsp;That being said, are there any other caveats that I need to be aware of when setting up the configuration?  Or is it as straight forward as:&nbsp;
&nbsp;Create nodes.
&nbsp;Create pool.
&nbsp;Create virtual servers.&nbsp;
&nbsp;HTTPS is pretty simple.  I'm more worried about Citrix's proprietary ICA protocol.&nbsp;
&nbsp;Any guidance will be greatly appreciated.&nbsp;
&nbsp;I'm running BIG-IP 10.2.0 Build 1707.0 Final (yes I know it's old but the last time I checked with support about upgrading, they recommending waiting).&nbsp;

garyz_31658 · Answer

Gerald, 
&nbsp;  
&nbsp; What version of Citrix are you running? 
&nbsp; Do you want to replace CSG? 
&nbsp;  
&nbsp; We have a complete solution around delivering ICA to clients including Receiver Clients. There are several customers that have this solution in production today. Some deployments use F5 in front of WebInterface Server while others choose to completely replace WI and let F5 work directly with XML Broker. 
&nbsp;  
&nbsp; I would need to understand your requirements a little better to give you more detailed guidance. We also have some good reading material on www.f5.com (deployment guides etc...). 
&nbsp;  
&nbsp; Point your browser to: http://www.f5.com/citrix 
&nbsp;  
&nbsp; As far as upgrading... Version 11 has been in production release for almost a full year. Version 11.2 is the current supported release and I am not aware of any stability issues. Also, there have been some significant Citrix specific enhancements built into Version 11 that you may want to take advantage of.

gerald_g__young · Answer

I have CSG 3.3 and WI 5.4 colocated on two servers.  These servers will talk to some backend XenApp 6.5 boxes. &nbsp;
&nbsp; I need to configure a VS on our F5 to load balance client traffic destined to the CSG boxes.  This traffic uses 443. &nbsp;
&nbsp; I'm looking for any caveats in load balancing the CSGs. &nbsp;
&nbsp; Thanks again.

michael_koyfma1 · Answer

As long as you setup source-IP based persistence, you should be just fine.

gerald_g__young · Answer

Michael, 
&nbsp;  
&nbsp; Thanks.  That did the trick (as well as disabling Nagle on the client profile).

brad_11480 · Answer

Just would like to confirm what I seem to understand on this discussion of putting the LTM in front of the (old) citrix secure gateways.  You said "  I've been told I'm not able to place the SSL certificate for the CSGs on the LTM, even if its configured to perform SSL-to-SSL bridging."&nbsp;
Does this mean that you simply set the LTM to Layer 4 to the pool of Citrix Secure Gateway servers?   That is, the F5 LTM cannot terminate the SSL.&nbsp;
I have tried to setup with the F5 terminating the SSL. The Web Interface works fine, but it seems I cannot launch any applications (ICA) from the menu.&nbsp;
We have to get rid of these old servers, but until then we have an expiring certificate and I was hoping I  could terminate on the LTM with our wildcard.  Perhaps not!&nbsp;
Thanks in advance for any detail on this setup.  &nbsp;

Forum Discussion

F5 LTM and Citrix Secure Gateway

7 Replies

Recent Discussions

google autenticator broken barcode

Error while running ansible

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Related Content

Solution for Citrix Optimal Gateway Routing

API Gateway Mapping - Gartner - F5

Resolve Citrix Secure Ticket Authority (STA)

Security First, Performance Always: How F5 Drives Citrix VDI Excellence in Application Delivery

Extract Citrix Secure Ticket Authority (STA)