Forum Discussion

Nimbostratus

Dec 17, 2015

Citrix Receiver thick clients fail to connect through APM

We have a new Citrix XenApp configuration on our F5 that we setup using the latest iApp. We're using APM. Via a browser, from any OS, it's working fine. The only issue we have is that Android, IOS...

application delivery

BIG-IP Access Policy Manager (APM)

Lucas_Thompson_

Historic F5 Account

Dec 17, 2015

You'll need to either decrypt it, or just set it to communicate on port 80. Citrix servers generally allow the comms to be 443 or 80.

The SSLDUMP we use is generally the same as the normal ssldump, so the use (and how to decrypt it) is the same. Two rules:

Make sure the SSL session cache is deleted so you get a new SSL session ID, otherwise the decryption can't work. In your case this would be for the serverssl profile, not the clientssl profile because you're trying to decrypt the serverside of the connection.
As you've done, DH ciphers have to be disabled.

I see that you have a support case on this already. As soon as we can see the backend comms, we'll have a better idea about what's happening. I can't find any reference to this error in any other support case except one where somebody was trying to get VMWare Horizon View to function via APM. The symptoms for that one were nearly identical (including the 'TTP /1.1' part) but it doesn't look like there was any followup or resolution.

Jacob_Newfield1

Historic F5 Account

Dec 21, 2015

There shouldn't be a redirect from the Storefront server for PNAgent communications, i.e. even if the parse error is corrected the overall functionality will fail. The BIG-IP/APM should be configured to translate ingress client-side requests from "/Citrix/PNAgent/config.xml" into egress server-side request "/Citrix/PNAgent/[store]/config.xml" which is accomplished via an iRule data group entry named "APM_Citrix_ConfigXML" with key/value pair "[vs_fqdn] := /Citrix/[store]/PNAgent/config.xml". The APM supports the Storefront protocol where the URI "/Citrix/PNAgent/config.xml" would not be used. However, if the PNAgent protocol is required or desired then be sure to configure the client with a case sensitive PNAgent URI, i.e. "/Citrix/PNAgent/config.xml" and not ""/Citrix/PNAgent/Config.xml".

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

Citrix Receiver thick clients fail to connect through APM

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Cisco TACACS+ Config on ISE LTM Pair

How can I get started with iCall

Checking for X-Forwarded-For against an Address Data-Group

SSL Bridging and FQDN rewrite Policy

iRule causing requests to be duplicated (sometimes)

Related Content

Just Announced! Attend a lab and receive a Raspberry Pi

Proxy Protocol Receiver

Log client to vip connections

Limit Connections From Client

Forwarding Logs to SIEM Tools via HTTP Proxy for F5 Distributed Cloud Global Log Receiver

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS