Forum Discussion

Chan556_139907
Dec 15, 2013

Citrix XenApp Source IP seen as LB IP for WebInterface server

Hi all experts, we are trying to set up the following traffic flow for a Citrix XenApp setup. The LB is set up between the external and internal FW. A DMZ link is then connected to the LB. The Web Interface servers are inside the DMZ zone. The XenApp XML broker servers are in a different zone behind the internal FW. The flow will be as follows.

Internet > Ext FW > LB >> DMZ Web INT server (10.1.1.0/24)
                    V
                    V (172.16.1.0/24)
                    V
                    Internal FW >> XenApp XML Broker server (10.2.2.0/24)

As per the LTM XenApp setup guide, we configured TWO VIPs, trying to use the wizard, e.g. for Web Interface (front end):

Front end server VIP 1 = 202.1.1.1 (for Internet access, apply SNAT), Pool Members (10.1.1.101 & 10.1.1.102)

For XenApp (back end):

Back end server VIP 2 = 10.1.1.103 (uses the same subnet as WI), Pool Members = (10.2.2.201 & 10.2.2.202)

We are not using SSL offload and we disabled monitoring as well. We only enabled NAT for 202.1.1.1 with source IPs (10.1.1.101 & .102). No NAT for the back end VIP.

The traffic flow will be as follows.

Internet Client > Ext FW > LB > Public VIP 1 (202.1.1.1) > WI Pool Svr (10.1.1.101 & 102) > VIP 2 (10.1.1.103) > LB (internal int IP 172.16.1.1) > Int FW > Backend Svr Pool (10.2.2.x)

Now we can access the WI server from the Internet with IP 202.1.1.1. We can see the login page but cannot log in. When we check on the internal FW, we don't see the traffic from 10.1.1.101 & 102. Instead, we only see traffic from the LB (172.16.1.1) with destination 10.2.2.x via the ICA port.

We never turned on NAT on the LB for VIP 2, and we disabled the health monitoring traffic from the LB to the back end servers. No iRules are applied; it is just configured as per the wizard guide.

Now my questions are:

1) Why do we see the LB internal IP instead of the original IP for traffic from the WI Svr to the back end XML server?
2) How does the mechanism work between the front end VIP and back end VIP for Citrix XenApp?
3) Do we need any additional configuration (e.g. SSL cert, monitoring)?
4) How can we configure it to see the traffic with the original IP from the WI Svr to the XML Svr?

Please advise on that.

Thanks.

1 Reply

  • I'm not sure about newer versions of the WI, but I know in 5.x you had to change code on the WI in order to read the X-Forwarded-For header (which you also had to enable on the F5). The only easy way to have it work is to have the traffic flow through the F5 at a layer 2 level so they don't need to NAT to get back to the client.
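
An added example, not part of the reply above and not Web Interface or F5 code: a sketch of how a server behind the SNATing LB can recover the original source from X-Forwarded-For without letting clients forge it. It assumes the LB appends the connecting address as the last entry and that the only trusted proxy is the LB internal IP from the post (172.16.1.1); the function names are hypothetical.

```python
import ipaddress

# Assumption: the only proxy allowed to assert X-Forwarded-For is the LB's
# internal self IP quoted in the post (172.16.1.1).
TRUSTED_PROXIES = [ipaddress.ip_network("172.16.1.1/32")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def _parse(token):
    """Return an ip_address for one header entry, or None if malformed."""
    token = token.strip()
    # Some proxies append a port to IPv4 entries ("10.1.1.101:49152").
    if token.count(":") == 1 and "." in token:
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def effective_client_ip(peer_ip, xff_header):
    """Source address to log or apply access rules to for one request.

    peer_ip    -- source address of the TCP connection as the server sees it
    xff_header -- raw X-Forwarded-For value, or None when absent
    """
    peer = ipaddress.ip_address(peer_ip)
    # A header sent by anything other than the LB is client-controlled.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    # Walk right to left: each trusted proxy appended the hop it saw.
    for token in reversed(xff_header.split(",")):
        hop = _parse(token)
        if hop is None:
            return str(peer)  # malformed chain: fall back to the peer
        if not _is_trusted(hop):
            return str(hop)   # first address not vouched for by our proxy
    return str(peer)          # header held only trusted proxies
```

Entries to the left of the one the LB appended are whatever the sender supplied, so they are never used for logging or access decisions.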