Forum Discussion

Mark_van_D
Jan 17, 2012

Citrix XenApp Redirect not working

I am looking into using F5 APM to replace our aging Citrix Access Gateways.

I have followed the Deployment Guide "Deploying the Big-IP APM v11 with Citrix XenApp or XenDesktop".

I created a separate Citrix XenApp website "XenAppF5" and configured the access method as direct, and it all seems to work relatively well.

The only issue I have is that once the logon succeeds, rather than redirecting me to /Citrix/XenappF5/site/default.aspx, it just dumps me to the normal IIS welcome screen. The Successful Logon Detection Match Type is configured to use By Resulting Redirect URL.

If I enter the URI manually the website displays correctly.

What am I missing?

  • Set the site in the XenApp Web Interface management to be the default and it should be fine.

    What this does is set up a redirect on the root of the web server pointing to the site you have made.

    Cheers
  • I've got multiple sites configured on the server, so I will need to check what impact that may have.

    It doesn't explain why, if I connect directly to the XenAppF5 site and enter my logon credentials, it does correctly redirect me.
  • My experience with our APM/Citrix setup is that the F5 won't redirect to the page that is set in the "Successful Logon Detection" box. You can do this with an iRule, but I would be hesitant to do it due to the way that APM works and the complexity behind it.

    One of the APM SEs or one of the more advanced members here may be able to pinpoint it better, but with our setup, we were able to get away with having it as the default site.

    That being said, how do your other sites work if the root of the web server points to the IIS welcome page?
  • Mark,

    I think what's happening is that you're hitting your main access VIP, and APM is asking you for authentication. After you successfully authenticate, APM will forward your request to the Web Interface server (IIS), and if your request is just /, IIS will simply show you the root directory page. At this point SSO did not trigger yet. It will only trigger once it detects that Web Interface is redirecting a user to its login page, but you have to get there first. Hope it makes sense now.

    If you want to set it up to work properly with APM, I suggest adding an iRule that would intercept a request to / and redirect it to your proper Web Interface site. You will have to uncheck Strict Updates under Advanced options for your deployed application (under iApp->Application Services, then click on your deployed iApp), then create the iRule below and associate it with the Virtual that you are using.

    when HTTP_REQUEST {
        # Redirect requests for the web server root to the Web Interface site
        if { [HTTP::uri] == "/" } {
            HTTP::redirect "https://[HTTP::host]/Citrix/XenAppF5/"
        }
    }
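
A variant of the redirect iRule in the post above, as an added example that is not part of the original thread: it matches on the path so that a query string on / is also caught, and it only copies the client-supplied Host header into the Location header when the name is one the virtual server is expected to answer for. The two hostnames are placeholders chosen for illustration, not values from the thread.

```tcl
when HTTP_REQUEST {
    # HTTP::path excludes the query string, so "/?x=1" matches as well as "/".
    if { [HTTP::path] eq "/" } {
        # The Host header comes from the client. Strip any ":port" suffix and
        # lower-case it before comparing against the expected names.
        set host [string tolower [getfield [HTTP::host] ":" 1]]

        # Placeholder hostnames (assumptions): replace with the FQDNs that
        # actually resolve to this APM virtual server.
        switch -- $host {
            "xenapp.example.com" -
            "apps.example.com" {
                # Known name: keep the user on the hostname they arrived with.
                HTTP::redirect "https://$host/Citrix/XenAppF5/"
            }
            default {
                # Unknown Host value: do not reflect it, use one fixed name.
                HTTP::redirect "https://xenapp.example.com/Citrix/XenAppF5/"
            }
        }
    }
}
```

Requests for any other path, including the Web Interface pages themselves, are left untouched by this rule.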

     

  • Hey Michael,

    We had attempted things like this with our setup, and it broke the APM authentication when you went to our site because of the redirect APM does from / to /my.policy.

    Cheers
  • Then you can modify the iRule to say

    when ACCESS_ACL_ALLOWED

    instead of

    when HTTP_REQUEST

    That should work - it should only kick in after APM completes its AAA work and passes the request to the server.

  • Thanks all. It worked with the HTTP_REQUEST iRule. The ACCESS_ACL_ALLOWED caused a timeout.

    The only issue that came up was if I clicked the logoff button under Citrix, the Citrix prompt had a login button. When I clicked on that it would redirect me to the F5 to reauthenticate, but would then randomly take me to either the silentclientdetection screen, or back to the /auth/login.aspx screen.

    When accessing this through the CAG, the logoff button would display "For security reasons, you must close this browser window." without the login button.

    In order to get the same result under the F5 I modified the following file on the Citrix server: \Citrix\XenAppF5\app_data\include\loggedout.inc

    Edit: Removed as it was displayed wrong on the forum

    There was probably a nicer way to do this but it worked.

    Now looking into what advantages/disadvantages using the F5 webtop has over this.
  • You can also achieve the same effect by going to the Management Console of your Web Interface site, then clicking on Site Maintenance->Diagnostic Logging, and selecting Use custom logged off page URL. In the value there, put the FQDN of the APM virtual that is used to access XenApp followed by /vdesk/hangup.php3 (e.g. https://xenapp.mycompany.com/vdesk/hangup.php3).

    Looking forward to hearing your feedback on leveraging APM webtop for presentation of the published resources - it does make things easy as well as removes the need for Web Interface server completely.
  • Rather than putting the full FQDN, just making it /vdesk/hangup.php3 works too. This way, if you have multiple URLs pointing to the same Citrix site, they will work too.