Forum Discussion

Bob_Vance_75936
Nov 09, 2015

F5 APM citrix receiver plugin detection and authentication pass thru

Hello,

We have configured the F5 APM v11.5.1 using the latest iApp f5.citrix_vdi.v2.2.0, authenticating clients to StoreFront v2.5 servers. Everything works great. Now we need to make a change to the policy so that users on the internal network do not get prompted for their credentials. So instead of the login prompt, we need to collect the users' SSO info from the Citrix Receiver plugin or Citrix Receiver client and pass that to the SF servers.

I am not quite sure how to accomplish this, but I see a possibility in the access policy to create an ACL decision box based on the client private IP space to bypass the login page and AD authentication. However, how I would then get the SSO info from the Receiver is the big mystery to me.

4 Replies

  • I would really suggest setting up two different virtual servers for this scenario - that would be the most robust and efficient method to achieve this setup, especially if you do not need ICA proxy for your internal users. You can then use split DNS to send users from each location to the right virtual server.

  • Thanks Michael. However, we still need the ICA proxy feature for internal access, and we're trying to keep the changes for the client to a minimum. Even though the NetScaler can do this, I'm not entirely sure getting the SSO info from the Citrix Receiver is even possible using the F5. Still researching though...

    • Michael_Koyfma1
      I see. In that case, your request is a valid use case. Unfortunately, it's not very easy to implement - but I do know that F5 Professional Services did that for a few customers. I know what it involves in general, and it can be a bit complex - so I would suggest leveraging F5 Professional Services for this if possible to achieve the best result. Else I can try to dig for more details and post them when I find them.
  • Bob,

    As I said, it's not very straightforward. I have dug into it, and I have bits and pieces, but, unfortunately, don't have the entire setup. In essence, you'd need to:

    • Modify Access Policy to not perform Logon Page/authentication for clients coming in from certain IP addresses
    • Store a special config.xml file on the BIG-IP to be returned to the Receiver clients on the local network trying to connect to Storefront

    The iRule would look something like this:

    when HTTP_REQUEST {
        # Answer the Receiver's PNAgent config.xml request from the iFile
        # stored on the BIG-IP instead of passing it on to StoreFront
        if { [HTTP::uri] contains "/Citrix/PNAgent/config.xml" } {
            HTTP::respond 200 content [ifile get configXML]
        }
    }

    Of course, you would need to enhance the if statement to check for the source IP address of the LAN IP space.

    Then you'd also have to create an iFile named configXML that contains something like the below. You'd want to replace myapps.company.com with the FQDN of your BIG-IP virtual server:

                true
                false
                true
            replace
            replace
            http://myapps.company.com/Citrix/PNAgent/config.xml
                false
                false
                    false
                    8
                http://myapps.company.com/Citrix/PNAgent/enum.aspx
                https://myapps.company.com/Citrix/PNAgent/smartcard_enum.aspx
                http://myapps.company.com/Citrix/PNAgent/integrated_enum.aspx
                    true
                    true
                        true
                        6
                http://myapps.company.com/Citrix/PNAgent/launch.aspx
                https://myapps.company.com/Citrix/PNAgent/smartcard_launch.aspx
                http://myapps.company.com/Citrix/PNAgent/integrated_launch.aspx
                http://myapps.company.com/Citrix/PNAgent/reconnect.aspx
                https://myapps.company.com/Citrix/PNAgent/smartcard_reconnect.aspx
                http://myapps.company.com/Citrix/PNAgent/integrated_reconnect.aspx
                http://myapps.company.com/Citrix/PNAgent/change_password.aspx
                http://myapps.company.com/Citrix/PNAgent/desktopControl.aspx
                https://myapps.company.com/Citrix/PNAgent/smartcard_desktopControl.aspx
                http://myapps.company.com/Citrix/PNAgent/integrated_desktopControl.aspx
            sson
            false
            false
            false
            false
            false
            Never
            Direct-With-Fallback
            true
            true
            false
            true
                true
                true
                true
                true
            false
            false
            true
                    seamless
                    fullscreen
                        640
                        480
                        800
                        600
                        1024
                        768
                        1280
                        1024
                        1600
                        1200
                1
                2
                4
                8
                high
                medium
                low
                off
                local
                remote
                fullscreenonly
                false
            RemoteStreaming
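The source-address enhancement Michael says the if statement still needs, written out as an added example that is not part of the original thread. It assumes an Address-type data group named internal_nets holding the LAN subnets (the name is an assumption) and the configXML iFile from the reply, and serves the file only to clients matching that group, since the file advertises the sson logon method and must not be handed to clients that should still see the APM logon page.

```tcl
when HTTP_REQUEST {
    # Only the PNAgent configuration request is handled here; every other
    # URI follows the normal StoreFront / APM flow unchanged.
    if { [string tolower [HTTP::uri]] contains "/citrix/pnagent/config.xml" } {
        # Serve the BIG-IP copy of config.xml only to clients arriving from
        # the LAN address space listed in the "internal_nets" data group
        # (assumed name, type Address). That file tells the Receiver to use
        # the sson logon method, so clients outside those subnets must keep
        # going through the access policy logon page and StoreFront instead.
        if { [class match [IP::client_addr] equals internal_nets] } {
            log local0. "Serving PNAgent config.xml from iFile to [IP::client_addr]"
            HTTP::respond 200 content [ifile get configXML] "Content-Type" "text/xml"
        } else {
            log local0. "External client [IP::client_addr] requested config.xml; passing to StoreFront"
        }
    }
}
```

The log lines give you a record of which clients were handed the bypass configuration, which is worth keeping while the policy change is being rolled out.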