Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

daboochmeister's avatar
daboochmeister
Icon for Cirrus rankCirrus
Jul 20, 2015

Citrix Desktop via APM - APM fails accessing XenApp on :2598, doesn't try :1494 ...?

Config: firmware 11.5.2, Big-IP 4200v, accessing XenApp server on Win2012, running Xenapp version... 7.1, i think   We have an APM webtop configged to replace the Citrix Storefront, by virtue of ...
BIG-IP Access Policy Manager (APM)
citrix
deployment
security
xenapp
daboochmeister's avatar
daboochmeister
Icon for Cirrus rankCirrus
Jul 20, 2015

Thank you, Michael. Could you clarify, though - is it by design that APM doesn't try ICA if the CGP port isn't responding? That's clearly Citrix' model (fallback to ICA), as the last couple of Receiver versions have done so (no?). Would it be a defect correction or a new feature if I were to put in a support request for the capability in APM?

 

In the meantime, is there a way to specify that the APM should always use ICA? (given the network stability on our LAN, I don't think SR gives us much benefit in this situation - but we don't want to turn it off, because we have lots of internal users accessing not via the F5). I'm not even sure this is possible - since the client is going to first attempt SR, I'm not sure what the exchange would look like if APM simply dropped the SR request and wanted to the client to move on to attempt ICA.

 

Michael_Koyfma1's avatar
Michael_Koyfma1
Icon for Cirrus rankCirrus
Jul 21, 2015
Couple of thoughts here: 1. There's a big difference between going directly to the XenApp server and going via Gateway(such as Netscaler or F5). Going directly the client connects via certain ports - for direct connections, it can be 2598 or 1494. For ICA proxy connections, all client connections come out on port 443, and then unwrapped and proxied to port 2598 or 1494. I don't know how the behavior is when Netscaler Gateway is in place - but it seems to me that it might be better to control whether SR is getting used or not via SmartAccess filters and/or combination of Citrix policies.