Forum Discussion
Citrix ICA file signing
Using APM for XenApp with webtop publishing. The BIG-IP proxies/rewrites the ICA file. If the requirement would be to configure clients to accept only signed ICA files from a trusted source, any idea how to achieve that? Signing must be done from the BIG-IP, I assume, and I cannot find any way to do it.
7 Replies
If you deploy APM 11.4.1 HF2 or later, it supports using STA tokens, and thus can be used with the ICA signing feature, as ICA file rewrite is not needed in this case. Here is how to do this:
Documentation notes for this feature:
- Prerequisites:
  - Citrix Web Interface (WI) site working in Gateway Direct Mode and published via Citrix Access Gateway (AGEE)
- Configuring APM:
  - Virtual Server (VS) is configured to provide ICA Proxy functionality either via iApp or as described here: http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-citrix-integration-11-3-0.html
  - Additional session variable named "session.citrix.sta_servers" must be added to the policy using the "Variable Assign" agent in Visual Policy Editor
  - The value of "session.citrix.sta_servers" is the same as you would enter on Web Interface:
    So the assignment will normally look like this:
    session.citrix.sta_servers = return {http://mysta.company.com/scripts/ctxsta.dll}
  - If there is more than one STA server, the individual URLs are delimited by a semicolon
- amolari
Cirrostratus
I thought ICA file rewrite was always necessary (change of IP address from internal to VS)... The solution you describe is for when using WI servers and not publishing Apps on the APM webtop, right? No solution available if I do not want to use the WIs?
- Michael_Koyfman
Cirrocumulus
If you don't use the WI, the APM generates the ICA file on its own - it does not rewrite it at all. When using APM to replace WI, it does not leverage/support ICA signing.
- amolari
Cirrostratus
There is an RFE for ICA signing when APM replaces WI (webtop publishing):
Bug 357897 - [Citrix] Implement file signing for ICA files
- Zeeshan_Ahmad_1
Nimbostratus
We are running F5 11.2.1, so could you please let me know how we can sign the ICA file?
Our problem is that if we add the site as a trusted site then everything works, but if we remove it from there it stops working. Please suggest.