Forum Discussion

JWhitesPro_1928's avatar
JWhitesPro_1928
Icon for Cirrostratus rankCirrostratus
Dec 18, 2015

citrix storefront + smart access + apm

Does anyone have this working? I'm trying to get smart access policies to work with StoreFront 2.6 using the v2.2 of the citrix iApp...and every possible configuration I've tried does NOT work. I've followed the guide step by step.

 

F5 support has not responded to me for weeks.

 

I've verified this configuration works with Netscaler and the smart access also works from the same F5 device utilizing the webtop instead of storefront...I've also verified the variables are being set by APM...it's just not passing through to storefront...

 

  • Hello-

     

    One thing to validate on your Citrix Storefront servers. Goto the STORE that is configured w/ your F5 gateway. Click on Configure Store Settings. Click the Advanced Settings section. Locate: Require Token Consistency. This must be checked if you are using Smart Access, access control, access control filters in XenApp.

     

    Thanks,

     

    Kyle

  • It most definitely works. The issue is probably be in your configuration. After reviewing our currently-posted deployment guide, I realized that SmartAccess is not really highlighted there.

     

    I'd like to ask you send me privately here the case number you have with support so that I can take a look into it and see what happened. I will also raise this internally to update our DG and documentation on support.f5.com as well.

     

    For now, please look at this page:

     

    https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-third-party-integration-implementations-12-0-0/2.html

     

    Essentially, you need to configure your StoreFront the same as when you do with Netscaler - except you need to make sure that it points to the F5 device instead of Netscaler. You also need to remove the SSO profile from the configuration that the iApp creates, so let StoreFront authenticate user via native Access Gateway method.

     

  • Did you ever get this to work? I am having the same issue. I contacted F5, and they eventually told me the same thing as Michael, but I never got it to work. I'd love to see some concrete configuration steps. Also, no one mentioned anything about removing the SSO profile.
  • Yes I finally got it to work after removing the sso profile as he suggested. So you need the policy to assign the smart access value. In citrix the farm name is either * or APM for the filter. Other things I did in the storefront config for external access was: The SNIP point to the floating ip on F5 set STAS to match stas in iapp callback url must resolve to the vip of the apm virtual server (host entry on storefront server) for delivery controller configuration in SF the xml must resolve to the XML virtual server on F5 and the certificate must be trusted. (also host entry on the storefront server for me, but it doesn't have to be). the storefront server must also have a host entry that points to itself for the URL that users use to access the APM virtual site/external url. make sure you apply the policy changes on f5 after you remove the sso profile
  • Yes, he did get it to work by following my advice(confirmed via private messages on DevCentral). We are in process of updating documentation to better reflect the proper steps necessary to configure it(including removing SSO profile).
    • KyleB's avatar
      KyleB
      Icon for Altostratus rankAltostratus

       Were you guys able to update documentation on this very thing ? I haven't found anything that it has, and am trying to use Smart Access filters via F5, and it is not working.

      • Sorry  , I left F5 almost 3.5 years ago, so I don't know what is the state fo the documentation - I would perhaps suggest opening a support case to help you get over the hump there.

  • Hi. I was wondering if anyone can help me a bit on this. I ve configured smart access in the F5 APM along with a keyword, I removed SSO credentials and the SSO profile from my APM, but when I do a PCAP (tcpdump --f5 ssl) on F5 towards the backend StoreFront server and I decrypt SSL, I cannot find that keyword in the http or TLS payload in Wireshark. Am I not supposed to be able to see the keyword been sent to the Storefront servers? Do I need to logon to storefront first and then fire up an application? I thought APM gets complete once the F5 APM per session gets completed.