Forum Discussion

writemike
Jul 23, 2014

Citrix and APM Dynamic Webtop NAT Options

Hello, I have a specific question around NAT'ing between the APM, Citrix XML Brokers, and XenApp Servers when our APM is providing a dynamic webtop (no Citrix Web Interface or StoreFront). What source address will the Citrix farm see from the APM? The APM will be doing a full proxy (including ICA for Citrix Receiver). Does changing the VS SNAT (automap, SNAT pool or none), which links to the access profile, webtop, and Remote Desktop profile, change the source IP for any traffic in this scenario? I believe that this is the traffic flow (I'm new to Citrix), but I don't know the source IPs:

  1. Client-IP to VS-IP (HTTPS request and logon webpage)
  2. What-IP to XML-Broker-IP (user has been authenticated and APM forwards the credentials to the XML Broker)
  3. Depending on client type, the client either sees a webtop with all their links or an ICA file.
  4. Client-IP to VS-IP (requesting a link from the dynamic webtop)
  5. What-IP to XenApp-IP (user application traffic)

I know that this is an abbreviated traffic list, but I'm really just concerned with what IP addresses need to be accounted for in the FW between the APM (float, self, or SNAT pool) and the Citrix server farm.


Thanks!

  • Jason_Decker_40
    Historic F5 Account

    If you apply a SNAT configuration to the virtual server (which for most configurations you will do), then yes, the APM to XML broker connection would also use the SNAT configuration. In general, unless a particular "back end" server is using the BIG-IP as its default gateway, you will have to use SNAT (either a SNAT pool or automap) to avoid asymmetric routing issues. The only reason to have concern about this is if for some reason the real client IP is required by your application. With Citrix this is not required when APM is providing ICA proxy services. SNAT pool or SNAT automap is the usual configuration in this situation.


  • Just a follow-up question:


    It makes sense that the user ICA protocol application traffic, as proxied through the VS, will use the VS SNAT settings. Can you confirm that the connection from APM to XML Broker would also use the SNAT configuration from the VS which has the APM Profile and Remote Desktop profile applied?


    Thanks.

  • Jason_Decker_40
    Historic F5 Account

    If the SNAT option is set to 'None', you will see the real client IP address. The caveat here is that the servers must then use the BIG-IP as the default gateway; otherwise you will end up with an asymmetric route back to the client. With SNAT enabled, the servers will see one of the SNAT pool IPs as the source. With automap, the servers will see the floating self IP, and if no floating self IP exists it will be the self IP of the active BIG-IP.


  • If SNAT Automap is applied to the VIP, it should be the floating self-ip of the active box.
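To tie the three SNAT cases discussed in the replies above to actual configuration, the following tmsh snippet is an added example (not from the original thread and not F5's or Citrix's own code). It shows the same virtual server under a SNAT pool, SNAT automap, and SNAT none, with a comment on which addresses the firewall between the BIG-IP and the Citrix farm then has to allow. All names and addresses (vs_citrix_webtop, citrix_snatpool, citrix_access, the 10.10.20.0/24 self IPs and the 192.0.2.10 VIP) are invented for illustration; the webtop and Remote Desktop resources are assumed to be assigned inside the access policy rather than on the virtual server.

```tmsh
# Server-side self IPs (constructed addresses). With SNAT automap the floating
# self IP in traffic-group-1 is the source address the XML broker and XenApp
# servers see; if no floating self IP exists on that VLAN, the source is the
# non-floating self IP of whichever unit is currently active.
net self 10.10.20.2  { address 10.10.20.2/24  vlan internal traffic-group traffic-group-local-only }
net self 10.10.20.3  { address 10.10.20.3/24  vlan internal traffic-group traffic-group-local-only }
net self 10.10.20.10 { address 10.10.20.10/24 vlan internal traffic-group traffic-group-1 }

# Option A: SNAT pool. Every BIG-IP-originated connection to the farm (APM to
# XML broker as well as the proxied ICA sessions to XenApp) leaves from one of
# these members, so the firewall only needs 10.10.20.5 and 10.10.20.6 allowed
# towards the XML broker and XenApp servers.
ltm snatpool citrix_snatpool { members { 10.10.20.5 10.10.20.6 } }

ltm virtual vs_citrix_webtop {
    destination 192.0.2.10:443
    ip-protocol tcp
    # citrix_access is an assumed APM access profile whose policy assigns the
    # Citrix webtop and Remote Desktop resources.
    profiles { tcp { } http { } clientssl { context clientside } citrix_access { } }
    source-address-translation { pool citrix_snatpool type snat }
}

# Option B: SNAT automap. Only the translation mode changes; the firewall must
# allow the floating self IP 10.10.20.10 and, because a unit with no floating
# self IP falls back to its own self IP, 10.10.20.2 and 10.10.20.3 as well.
tmsh modify ltm virtual vs_citrix_webtop source-address-translation { type automap }

# Option C: SNAT none. The farm sees the real client IP, so the firewall must
# allow the client address ranges, and every XML broker and XenApp server must
# route back through the BIG-IP (default gateway), otherwise the return path is
# asymmetric and the connections fail.
tmsh modify ltm virtual vs_citrix_webtop source-address-translation { type none }
```

The practical check after choosing a mode is to confirm on the XML broker and a XenApp server which source address actually arrives (for example in the server's connection table or firewall log) and compare it with the allow-list above; a mismatch usually means the floating self IP is on a different VLAN than expected or a SNAT pool member is not on the server-side subnet.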