Forum Discussion
F5 APM citrix receiver plugin detection and authentication pass thru
Hello,
We have configured the F5 APM v11.5.1 using the latest iApp f5.citrix_vdi.v2.2.0, authenticating clients to StoreFront v2.5 servers. Everything works great. Now we need to make a change to the policy so that users on the internal network do not get prompted for their credentials. So instead of the login prompt, we need to collect the users' SSO info from the Citrix Receiver plugin or Citrix Receiver client and pass that to the SF servers.
I am not quite sure how to accomplish this, but I see a possibility in the access policy to create an ACL decision box based on the client private IP space to bypass the login page and AD authentication. However, how I would then get the SSO info from the Receiver is the big mystery to me.
4 Replies
I would really suggest to setup two different virtual servers for this scenario - that would be the most robust and efficient method to achieve this setup, especially if you do not need ICA proxy for your internal users. You can then use split DNS to send users from each location to the right virtual server.
- Bob_Vance_75936
Altostratus
Thanks, Michael. However, we still need the ICA proxy feature for internal access, and we're trying to keep the changes for the client to a minimum. Even though the NetScaler can do this, I'm not entirely sure getting the SSO info from the Citrix Receiver is even possible using the F5. Still researching though...
- I see. In that case, your request is a valid use case. Unfortunately, it's not very easy to implement - but I do know that F5 Professional Services did that for a few customers. I know what it involves in general, and it can be a bit complex - so I would suggest leveraging F5 Professional Services for this if possible to achieve the best result. Else I can try to dig for more details and post them when I find them.
Bob,
As I said, it's not very straightforward. I have dug into it, and I have bits and pieces, but, unfortunately, don't have the entire setup. In essence, you'd need to:
- Modify Access Policy to not perform Logon Page/authentication for clients coming in from certain IP addresses
- Store a special config.xml file on the BIG-IP to be returned to the Receiver clients on the local network trying to connect to Storefront
The iRule would look something like this:
when HTTP_REQUEST {
    # Serve the static PNAgent config from the iFile instead of proxying to StoreFront
    if { [HTTP::uri] contains "/Citrix/PNAgent/config.xml" } {
        HTTP::respond 200 content [ifile get configXML]
    }
}
Of course, you would need to enhance the IF statement to check for the source IP address of the LAN IP space.
Then you'd also have to create an iFile named configXML containing something like the following. You'd want to replace myapps.company.com with the FQDN of your BIG-IP virtual server:
true false true replace replace http://myapps.company.com/Citrix/PNAgent/config.xml false false false 8 http://myapps.company.com/Citrix/PNAgent/enum.aspx https://myapps.company.com/Citrix/PNAgent/smartcard_enum.aspx http://myapps.company.com/Citrix/PNAgent/integrated_enum.aspx true true true 6 http://myapps.company.com/Citrix/PNAgent/launch.aspx https://myapps.company.com/Citrix/PNAgent/smartcard_launch.aspx http://myapps.company.com/Citrix/PNAgent/integrated_launch.aspx http://myapps.company.com/Citrix/PNAgent/reconnect.aspx https://myapps.company.com/Citrix/PNAgent/smartcard_reconnect.aspx http://myapps.company.com/Citrix/PNAgent/integrated_reconnect.aspx http://myapps.company.com/Citrix/PNAgent/change_password.aspx http://myapps.company.com/Citrix/PNAgent/desktopControl.aspx https://myapps.company.com/Citrix/PNAgent/smartcard_desktopControl.aspx http://myapps.company.com/Citrix/PNAgent/integrated_desktopControl.aspx sson false false false false false Never Direct-With-Fallback true true false true true true true true false false true seamless fullscreen 640 480 800 600 1024 768 1280 1024 1600 1200 1 2 4 8 high medium low off local remote fullscreenonly false RemoteStreaming
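As an added example (not code from the original thread or from F5), the iRule below puts together the two pieces described above: it only hands out the static config.xml to clients whose source address matches an address-type data group of LAN subnets, and lets every other request continue to the normal access policy. The data group name internal_lan and the iFile name configXML are assumptions; rename them to match your configuration. Note that this is a trust decision based on client IP, so it is only sound if the virtual server sees the real client address (no upstream proxy or SNAT in front of the BIG-IP that would make external users appear internal).

```tcl
# Added example iRule (not from the original post). Assumes:
#   - an address-type data group named internal_lan listing the LAN subnets
#   - an iFile named configXML holding the PNAgent config.xml shown above
#   - a virtual server with an HTTP profile (and the APM policy attached)
when HTTP_REQUEST {
    if { [HTTP::uri] contains "/Citrix/PNAgent/config.xml" } {
        # Address-type data groups match on subnet containment, so a client
        # in any listed LAN range is treated as internal.
        if { [class match [IP::client_addr] equals internal_lan] } {
            log local0. "PNAgent config.xml served to internal client [IP::client_addr]"
            # Return the stored config directly and stop processing this request,
            # so Receiver on the LAN never sees the APM logon page.
            HTTP::respond 200 content [ifile get configXML] \
                "Content-Type" "text/xml" \
                "Cache-Control" "no-store"
            return
        }
        # Non-LAN client: log it and fall through to the access policy
        # (logon page and AD authentication) as before.
        log local0. "PNAgent config.xml request from non-LAN client [IP::client_addr], continuing to APM"
    }
}
```

The log lines give you a record of which clients were handed the bypass config, which is useful both for troubleshooting split-DNS or subnet mistakes and for spotting requests from addresses that should not be in the internal range.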