Forum Discussion

Bradmin_132240
Sep 06, 2013

Implementing Citrix

We are currently publishing Citrix through our aging FirePass and we are looking for a way to publish it through the BIG-IP. I know a lot of you are going to say, "Hey, use the iApp," but there are some caveats to our implementation.

We use F5 to deliver our applications to our field repair technicians, who are usually in hospitals. Some of you may know that security in hospitals is a really big deal. Getting them to open exceptions for Citrix is next to impossible. One of the neat things about our FirePass is how closely it integrated with Citrix. All our users had to do was click a button after logging in, and the FirePass would open an app tunnel, connect to Citrix AND open the ICA file.

I'm able to publish Citrix using an AppTunnel, but the process isn't seamless and the users have to jump through some hoops to get their app(s) started. I tried using the iApp to publish Citrix; APM displayed the apps directly on the portal page, which was nice, and that integration is a requirement from our users. It seems, though, that the iApp doesn't do anything with AppTunnels (or maybe I missed it), and the users end up trying to hit the external IPs of the Citrix farm. This creates a problem because we can't get the hospitals they are stationed at to open any exceptions for them to access Citrix.

Am I missing something with the iApp? Is there a way to create these AppTunnels in the background for Citrix so we can bypass these security constraints?

 

7 Replies

  • Bradmin,

    Our APM solution leverages Citrix ICA proxy technology, which is much more flexible and extensible than AppTunnels. The communication happens on port 443 (SSL), just like AppTunnels, except that you're not required to leverage any client-side components other than Citrix Receiver. If you are using the latest iApp, and APM is presenting the resources for you, clients should be attempting to establish an SSL connection to the same IP address as your APM webtop is on and tunnel ICA traffic. Is that not happening?

  • Last time we published it through the iApp, it looked like the web traffic was tunneled through, but the ICA traffic was resolving to outside addresses.

    I need to look into the Citrix ICA proxy. I'll keep everyone posted on what I find! =)

  • Make sure you use the latest iApp for Citrix from downloads.f5.com. You also must ensure that you set the iApp to proxy the traffic and replace the role of Citrix Secure Gateway. APM will properly patch the ICA file delivered to the client AND proxy the traffic without needing app tunnels or any other client-side application other than Citrix Receiver. I believe the iApp shipped with TMOS is designed to work with secure gateways or other products.

    We run several hundred clients this way for several different farms, and it has worked out great.

  • Hamish

    I looked at the iApp, and the whitepaper describing how the solution works, and then implemented it by hand myself. (I find it better to understand how it all hangs together, because when it doesn't work, there's not a lot of logging happening to tell you WHY.)

    I also use direct-to-XMLBroker communications rather than utilising a Web Interface server, although we have found a few funnies with the (old and unsupported) version of Citrix in use at some sites.

    When you go direct to XMLBroker, the APM doesn't patch the .ica file. It actually generates one. Most of the smarts is actually done in JavaScript on the browser itself. The XML response that comes back from starting an app is passed BACK to APM from the browser, and the APM then generates and returns an ICA file. You can override whatever you like in that generated ICA file.

    One thing I have noticed is that when a client is behind a proxy, the ProxyType=Auto seems to be ignored by the Citrix Receiver... Not sure why yet, but that's the only real issue I have at the moment.

    Note that you really want to be at least 11.2.1 HF6 as well. There are a few annoying bugs fixed around the order of loading icons etc. I'm hoping for some optimisation in the realm of icon loading in the future too (currently the JavaScript loads the icons one at a time rather than grabbing ALL the icons at once. That puts a lot of load on the XMLBrokers, as being POST methods you can't really cache them).

    Apart from that it's quite solid. I could wish for better logging, but at least you can raise your own events in the VPE and log from there.

    H

  • If the client is behind a proxy, then sometimes I've seen the need to add two lines to the Custom Parameters section of the Citrix resource definition on the APM so that these two parameters are sent as part of the ICA file:

    ProxyUseFQDN=On
    ProxyType=Auto

    Also, good things come to those who wait: version 11.4 and above brings fantastic debugging capabilities to our VDI subsystem, which includes Citrix. If you want to debug Citrix issues in version 11.4 or higher, just turn up debugging for VDI by running the following command from the BIG-IP CLI:

    tmsh modify sys db log.vdi.level value debug

    And you should see plenty of relevant information in the /var/log/apm log file. Don't forget to set it back to notice after the troubleshooting is done:

    tmsh modify sys db log.vdi.level value notice

  • One option that makes the experience for Windows users much better (possibly Mac too, haven't tested) is adding the following to the custom parameters field of the remote desktop resource: ConnectionBar=1

    This allows the Receiver client to go completely full screen, and provides the best experience for our users.

    Hamish, I believe you are correct upon looking at things again.

    Michael, thanks for those debug statements. I'm going to look into using those for our upgrade to 11.4.0 HF3.

    Also, for anyone looking into setting this up or patching their systems, I strongly recommend checking with support before using the 11.4.x series of TMOS. We have run into some issues with VDI while trying to upgrade that have us stuck at 11.3.0 HF6. Maybe it's just our configuration, but it's better to be safe than sorry.

  • Hamish

    I looked at this again... And despite the .ica file having what look to be the correct parameters (all the docs I can find say it's correct), the Citrix PNA Agent (version 10; old, I know, but some clients just like to run what they consider to be stable software) seems to blindly ignore the ProxyType=Auto parameter.

    e.g.

      [WFClient]
      ProxyType=Auto
      ProxyUseFQDN=On
      RemoveICAFile=no

    Setting a static proxy works fine, BTW... It's only the ProxyType=Auto we've seen issues with (but that requires a config specific to a site; Auto would be so much better).

    It certainly looks like an agent issue, though... Not an F5 one.

    H
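Two of the replies above (the one adding ProxyUseFQDN/ProxyType to the Custom Parameters, and Hamish's [WFClient] snippet) come down to inspecting the ICA file that APM actually delivers. The following checker is an added example, not code from the thread or from F5: it parses a saved .ica file (INI syntax) and reports whether the recommended [WFClient] proxy settings are present and whether each published application is routed through the APM virtual server. The sample ICA text, the host names and the use of the SSLProxyHost parameter as the gateway field are assumptions made for this example.

```python
import configparser

# Constructed sample of an ICA file as APM might deliver it (not a real capture);
# addresses, host names and the application name are made up for this example.
SAMPLE_ICA = """\
[WFClient]
Version=2
ProxyType=Auto
ProxyUseFQDN=On
RemoveICAFile=no

[ApplicationServers]
Notepad=

[Notepad]
Address=10.20.30.40:1494
SSLEnable=On
SSLProxyHost=apm.example.com:443
ConnectionBar=1
"""

# [WFClient] values the thread recommends when the client sits behind a web proxy.
PROXY_PARAMS = {"ProxyType": "Auto", "ProxyUseFQDN": "On"}


def parse_ica(text):
    """ICA files are INI-style; keep key case so ProxyType and proxyType are not merged."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_proxy_params(text):
    """Return the [WFClient] proxy settings that are missing or differ from the recommendation."""
    cp = parse_ica(text)
    problems = {}
    for key, want in PROXY_PARAMS.items():
        got = cp.get("WFClient", key, fallback=None)
        if got is None or got.strip().lower() != want.lower():
            problems[key] = got  # None means the line is absent from the file
    return problems


def apps_not_via_gateway(text, gateway_host):
    """List applications whose SSLProxyHost (assumed gateway field) is not the APM host,
    i.e. entries that would make Receiver connect straight to the farm address."""
    cp = parse_ica(text)
    apps = cp.options("ApplicationServers") if cp.has_section("ApplicationServers") else []
    bad = []
    for app in apps:
        proxy = cp.get(app, "SSLProxyHost", fallback="") if cp.has_section(app) else ""
        if proxy.split(":")[0].strip().lower() != gateway_host.lower():
            bad.append(app)
    return bad
```

Run it against a .ica file saved from the browser while log.vdi.level is at debug, and compare its findings with the APM log entries for the same launch.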