Citrix ICA file signing

Question

Using APM for XenApp with webtop publishing. The bigip proxies/rewrites the ICA file.
If the requirement would be to configure clients to accept only signed ICA files from a trusted source.. any idea how to achieve that? Signing must be done from the BIGIP i assume and I cannot find any way to do it&nbsp;

michael_koyfma1 · Answer

If you deploy APM 11.4.1 HF2 or later, it supports using STA tokens, and thus can be used with ICA signing feature, as ICA file rewrite is not needed in this case. Here is how to do this:
Documentation notes for this feature:
Prerequisites:
Citrix Web Interface (WI) site working in Gateway Direct Mode and published via Citrix Access Gateway (AGEE)

Configuring APM
Virtual Server (VS) is configured to provide ICA Proxy functionality either via iApp or as described in here: http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-citrix-integration-11-3-0.htmlAdditional session variable named "session.citrix.sta_servers" must be added to the policy using the "Variable Assign" agent in Visual Policy EditorThe value of "session.citrix.sta_servers" is the same as you would enter on Web Interface:
So the assignment will normally look like this:
session.citrix.sta_servers = return {http://mysta.company.com/scripts/ctxsta.dll}

If there is more than one STA server, the individual URLs are delimited by a semicolon

michael_koyfman · Answer

If you deploy APM 11.4.1 HF2 or later, it supports using STA tokens, and thus can be used with ICA signing feature, as ICA file rewrite is not needed in this case. Here is how to do this:
Documentation notes for this feature:
Prerequisites:
Citrix Web Interface (WI) site working in Gateway Direct Mode and published via Citrix Access Gateway (AGEE)

Configuring APM
Virtual Server (VS) is configured to provide ICA Proxy functionality either via iApp or as described in here: http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-citrix-integration-11-3-0.htmlAdditional session variable named "session.citrix.sta_servers" must be added to the policy using the "Variable Assign" agent in Visual Policy EditorThe value of "session.citrix.sta_servers" is the same as you would enter on Web Interface:
So the assignment will normally look like this:
session.citrix.sta_servers = return {http://mysta.company.com/scripts/ctxsta.dll}

If there is more than one STA server, the individual URLs are delimited by a semicolon

amolari · Answer

I thought ICA file rewrite was always necessary (change of IP address from internal to VS)...
The solution you describe is for when using WI servers and not publishing Apps on the APM webtop, right? No solution available if I do not want to use the WIs?

amolari · Answer

I thought ICA file rewrite was always necessary (change of IP address from internal to VS)...
The solution you describe is for when using WI servers and not publishing Apps on the APM webtop, right? No solution available if I do not want to use the WIs?

michael_koyfma1 · Answer

If you don't use the WI, the APM generates ICA file on its own - it does not rewrite it at all.  When using APM to replace WI, it does not leverage/support ICA signing.&nbsp;

Forum Discussion

Citrix ICA file signing

7 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

Related Content

POC: Create and sign a JWT with iRule

Multi-Stores Citrix environment BIG-IP APM

Solution for Citrix Optimal Gateway Routing

AS3 signed rpms

CSV to Address External Datagroup File