NimbostratusIs there a field to enter the NAT address for the BIG IP APM? Are we supposed to have the APM behind our firewall?
Is your virtual server using source persistence? If not, use source persistence and see if the problem continues.
It is not necessary to have APM behind your firewall since BIG-IP is network firewall ICSA certified, however, some customers choose to do so and also create a network address translation for the address view clients connect. For this case their is a question in the iApp, "If external clients use a network translated address to access View, what is the public-facing IP address?", that is used so apm knows what IP address to place in the PCoIP token issued to the view client to establish their PCoIP session. Without this the PCoIP token would contain the APM VS address rather then the outside translated address (which translates to the APM VS address) used by clients.
NimbostratusThanks Greg, I saw the location for the public-facing address, I just don't see a field for the NAT (DMZ) address behind the firewall.
NimbostratusNimbostratusGreg,
I finally got everything squared away with setting up the F5 LTM, but it appears as though when I add a second node our ASA firewall is detecting an asymmetric route and dropping the connection. When I use either Security server in the Pool the LTM setup works. If I have both nodes in the pool, then I get disconnected directly after authentication and choosing a desktop.
Is your virtual server using source persistence? If not, use source persistence and see if the problem continues.
NimbostratusGreg,
After changing the persistence profile to the source address the connections are being established correctly. I will keep the changes to see if there are any issues, but that appears to be the correct setting.
Lesson learned, don't use "F5's recommended persistence profile"!!!!
