ramesh2926_1101
Apr 26, 2013

F5 XenApp with SSL pass-through

Hi

We have a requirement where we want the F5 to load balance HTTPS connections to Citrix XenApp/desktop without decrypting the HTTPS flow. I am using LTM V11.2. Using the iApp I have attempted to configure this, however the only options are to use HTTP all the way through or HTTPS with the F5 decrypting (i.e. the connection terminates on the F5).

I have created an HTTPS-based configuration using the iApp, then modified it by using SSL profiles to allow the F5 to pass HTTPS to the Citrix web servers. This did not work. Went back to creating the VIPs and pools manually but came across this issue:

Client =HTTPS=>(VIP1)=HTTPS=>Citrix Web Server=HTTPS=>Citrix XML Broker.

This works fine (we can see published desktops), however we also want to load balance the broker servers.

So:

Client =HTTPS=>(VIP1)=HTTPS=>Citrix Web Server=HTTPS=>(VIP2)=HTTPS=>Citrix XML Broker.

When we do this, I get the Citrix login page and after authentication I get a message "resource for user not found".

What I want to know is, can Citrix XenApp be deployed in the above fashion or does the F5 need to terminate the SSL connections?

I am not asking for the best way; ideally I would like the F5 to do the SSL termination but this option is out of my hands :)

There are no connectivity issues, all health checks are good. VIPs are on a different network to the servers, auto SNAT in use.

Thanks for looking.

3 Replies

  • Greg_Crosby_319
    Historic F5 Account

    The Citrix iApp includes the option to set up SSL bridging for both the web server and XML servers. To set up web server encryption, select "Web interface traffic is encrypted (HTTPS)" for the question "Is incoming Web Interface traffic encrypted (Https) or unencrypted (Http)?". This sets up the vs for encrypted traffic. Then select "Re-encrypt the Web Interface traffic" for the question "Do you want to re-encrypt Web Interface traffic?". This sets up the traffic to be encrypted to your web interface servers. To set up your XML server to receive and send traffic as encrypted, select "XML Broker traffic is encrypted (HTTPS)" for the question "Will the XML Broker traffic arrive encrypted or unencrypted?".

    Make sure your server farms are set up on your web interface servers to send traffic to the FQDN used in your server certificate applied to your XML virtual server noted above. Make sure the farm's service type is https and the correct port, typically 443, is entered. Also, make sure the FQDN used resolves to the vs IP address used above.
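
Added example, not part of the reply above and not F5 or Citrix code: a Python pre-flight check of the conditions that reply lists for the farm entry (https service type and port, FQDN covered by the certificate on the XML virtual server, FQDN resolving to the virtual server IP). The host name, addresses and certificate are constructed sample values, and the certificate dict is assumed to have the shape returned by Python's `ssl` `getpeercert()`.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def name_matches(pattern, host):
    """'*' may only stand for the whole left-most label (RFC 6125 style)."""
    p, h = pattern.lower().rstrip(".").split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_farm_entry(farm_url, vs_ip, cert, resolve=socket.getaddrinfo):
    """Return a list of problems (empty = all checks passed); resolve is injectable."""
    problems = []
    url = urlsplit(farm_url)
    host = url.hostname or ""
    if url.scheme != "https":
        problems.append("service type is not https")
    if (url.port or 443) != 443:
        problems.append(f"port {url.port} differs from the typical 443")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not sans:  # fall back to the subject CN only when no DNS SAN exists
        sans = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(name_matches(s, host) for s in sans):
        problems.append(f"{host} is not covered by the certificate ({sans})")
    try:
        addrs = {ipaddress.ip_address(a[4][0]) for a in resolve(host, url.port or 443)}
    except (OSError, ValueError) as exc:
        addrs = set()
        problems.append(f"{host} does not resolve: {exc}")
    if addrs and ipaddress.ip_address(vs_ip) not in addrs:
        problems.append(f"{host} resolves to {sorted(map(str, addrs))}, not {vs_ip}")
    return problems


# Constructed sample values (not from the thread).
SAMPLE_CERT = {"subject": ((("commonName", "xml.example.internal"),),),
               "subjectAltName": (("DNS", "xml.example.internal"),)}

def fake_dns(host, port):  # stand-in resolver so the check runs offline
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.20", port))]

if __name__ == "__main__":
    print(check_farm_entry("https://xml.example.internal:443", "192.0.2.20", SAMPLE_CERT, fake_dns))
```

Against a live deployment, pass the certificate obtained from the XML virtual server and leave `resolve` at its default so the Web Interface server's own DNS view is used.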

     

  • Will give that a shot, so I still need to use the SSL profiles to ensure the F5 does not terminate the connection. As the template asks for a cert, I use the default one and then change the profiles. Hope that makes sense; thanks for your feedback, will test this.
  • Hi

    So I have tested as per your suggestion; I did not edit the SSL profiles. The login screen took 20-30 seconds to appear; this could be a certificate issue on the web interface server. However, after I entered the user details I get the below.

    "There are no resources currently available for this user."

    This is as before. Any ideas?

     

    This is