Forum Discussion
APM and Citrix
Hello all, I really would like to understand how a Citrix environment works with the APM module, the benefits of it and what it would accomplish in my environment. I've read documentation from F5 (and YouTube videos) and it either shows how to set it up or gives basic instructions, but nowhere have I seen it give a nice in-depth overview etc. Can someone please help me out?
I currently have F5 in a test environment (with APM license) and am thinking of introducing our production Citrix environment to run through it. So I set up a test environment and successfully have Citrix running through it. I set up the external test URL, the test site in the web interface server, a new test IIS website, and I used the latest Citrix template that created the VIPs in the F5 (citrix webui, citrix_xmlb_serverenum). I can now connect to our production Citrix farm from externally with this new test environment.
What I need to understand more clearly is how the APM would benefit my environment. In production currently, I have external Citrix clients authenticating through a web interface server and the XML brokers handling the apps. We're not using Secure or Access Gateway, nor do we need clients to access a VPN to access the apps. The remote clients are authenticated by the Citrix web interface server (via Active Directory), the WI then contacts the XML broker to see what the authenticated client has access to, and the WI server then presents the client the ICA connection with the approved apps. The client then makes a direct connection with the XML brokers (app farm) from that moment on. It is currently set up as alternate Secure Access in the Citrix Web Interface Management. Clients receive an external IP address from app server to client. So I have many static NATs on the firewall that are directly connected from internal Citrix app servers to outside IPs for the connections.
My goal, if possible, is to eliminate the current (inside, outside) NATs and have only one NAT (citrix.domain.com), and all external clients will only use that for authenticating and application access.
Without using the APM module why couldn't I just repoint the NAT rules from (Outside to Inside) to (Outside to F5 to Inside), and all is the same, correct? Thanks for taking your time to explain since this is all new to me.
Also, if the application servers in the farm are currently communicating with the external clients via these direct static NATs, where in the Citrix environment are the settings that determine that?
Thanks a lot and I look forward to your answers.
4 Replies
- Kevin_Stewart
Employee
Without using the APM module why couldn't I just repoint the NAT rules from (Outside to Inside) to (Outside to F5 to Inside), and all is the same, correct?
You absolutely could continue to do this on an LTM, or you could create VIPs for each instance. But here's what APM gives you:
- The ability to replace Secure/Access Gateway. I understand you're not using one now, but this would also eliminate the need for multiple NATs.
- The ability to replace the web interface. APM can deliver the XenApp icons, XenDesktop icons, and also RDP, VM View, portal resources, SSL VPNs, and links all on a single "webtop". You don't have to replace the web interface, but it's a pretty cool capability. If you replace the web interface and gateway functions, all traffic (web and ICA) can exist on a single port 443 VIP.
- The ability to replace secure ticketing. Again, this doesn't affect you because you're not using a gateway, but it's an additional layer of security that provides, among other things, a time-sensitive ticket. APM doesn't have to, but can absolutely replace this function.
You can effectively remove everything but the XML brokers and app servers from your Citrix farm.
- tolinrome_13817
Nimbostratus
Hi Kevin, great points, thank you. How can I (in my current test environment) set it up where I can bypass the web interface, not use a NAT (not sure what a gateway function is), and have all web and ICA traffic on one port? So the only real NAT I would need is the one for citrix.domain.com to the F5 APM?
Really, it's the elimination of the NATs I'm looking to accomplish. Thanks.
- Kevin_Stewart
Employee
In the absence of a gateway (access gateway, secure gateway, etc.), you have to route port 1494 ICA traffic (or 443 with an SSL relay) directly to each Citrix server. The gateway provides a single point of entry that terminates the SSL layer and forwards 1494 ICA to the servers.
If you use the latest Citrix iApp and select to replace the web interface, this is exactly what it'll give you: both a web interface replacement and an ICA gateway function in a single SSL VIP. No NAT should be required.
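One way to see the difference Kevin describes from the client side is to inspect the ICA launch file the web interface hands out: an app published with an alternate (external) Address= means the client dials that server directly and needs its own NAT, while an app carrying SSLProxyHost= is dialled through the single gateway VIP instead. The following is an added example, not code from the thread, F5 or Citrix; the sample ICA file, hostnames and addresses are constructed.

```python
import re

# Constructed sample ICA launch file (added example, not from the thread).
# Notepad is published with an alternate external address, as in the
# poster's setup; Word is routed through a single gateway host on 443.
SAMPLE_ICA = """\
[ApplicationServers]
Notepad=
Word=
[Notepad]
Address=203.0.113.10:1494
[Word]
Address=10.20.30.40:1494
SSLEnable=On
SSLProxyHost=citrix.example.com:443
"""

def parse_ica(text: str) -> dict[str, dict[str, str]]:
    """Minimal INI parser that keeps key case; last value per key wins."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def route_summary(text: str) -> dict[str, str]:
    """Per published app: 'gateway:<host:port>' or 'direct:<addr:port>'."""
    sections = parse_ica(text)
    out: dict[str, str] = {}
    for app in sections.get("ApplicationServers", {}):
        s = sections.get(app, {})
        if s.get("SSLEnable", "").lower() == "on" and s.get("SSLProxyHost"):
            out[app] = "gateway:" + s["SSLProxyHost"]   # client never dials Address=
        else:
            out[app] = "direct:" + s.get("Address", "?")  # needs its own NAT
    return out

def exposed_endpoints(text: str) -> list[str]:
    """Distinct external endpoints clients must reach; each one is a NAT/VIP."""
    return sorted({v.split(":", 1)[1] for v in route_summary(text).values()})
```

Running `exposed_endpoints` over the ICA files your test web interface actually produces gives a quick audit of how many external listeners the current design still depends on.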
- writemike
Nimbostratus
Not sure if you found this already, but it answers both your questions:
Deploying the BIG-IP LTM and APM with Citrix XenApp or XenDesktop https://f5.com/solutions/deployment-guides/citrix-xenapp-or-xendesktop-release-candidate-big