F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Nathan_Andrews_'s avatar
Nathan_Andrews_
Icon for Nimbostratus rankNimbostratus
Feb 27, 2014

iRule required to change Citrix ICA IP address.

Hi,   I am currently load balancing a Citrix Web Interface using a BIG-IP LTM.   When I connect to the external facing VIP I can login to the web interface and browse the citrix apps as expecte...
application delivery
citrix
deployment
devops
iRules
LTM
steve_watkinson's avatar
steve_watkinson
Icon for Nimbostratus rankNimbostratus
Dec 07, 2017

I spent quite some time looking into this one and have seen multiple suggestions but here is what worked for me (using [HTTP::payload] enables you to split the stream expression to run only when a specific IP is matched other wise you can't rewrite the session reliability port this is identical in every ICA file);

Apply the following iRule to your StoreFront VIP;

when HTTP_REQUEST {
     Disable stream profile to improve performance.
    STREAM::disable
         Remove Accept-Encoding to prevent compression or STREAM will not work.
        HTTP::header remove "Accept-Encoding"
    set payload 0
   }
when HTTP_RESPONSE {
     Run stream profile only when application header contains x-ica
    if { [HTTP::header value Content-Type] contains "application/x-ica" }{
    set payload [HTTP::payload]
     Check ICA file individually so you can port map ICA and Session Reliability port.
    if { $payload contains "[INTERNAL-IP_1]:1494" }{
        STREAM::expression {@[INTERNAL-IP_1]:1494@[EXTERNAL-IP_1]:1495@@:2598@:2599@}
        STREAM::enable
        }
    elseif { $payload contains "[INTERNAL-IP_2]:1494" }{
        STREAM::expression {@[INTERNAL-IP_2]:1494@[EXTERNAL-IP_1]:1496@@:2598@:2600@}
        STREAM::enable
    } else { 
        if { $payload contains "[INTERNAL-IP_3]:1494" }{
        STREAM::expression {@[INTERNAL-IP_3]:1494@[EXTERNAL-IP_1]:1497@@:2598@:2601@}
        STREAM::enable
            }
        }
    }
}

This rule maps each internal resource server to a public IP and unique port above the standard 1494 and 2598. You can then map these ports back to the correct resource server with the following rule applied to a VIP listening on ANY port (remember to enable port translation on the VIP) with a pool defined for each resource server;

when CLIENT_ACCEPTED {
    switch -glob [TCP::local_port] {
    1495 { pool citrix-vda-1_1494_pool }
    2599 { pool citrix-vda-1_2598_pool }
    1496 { pool citrix-vda-2_1494_pool }
    2600 { pool citrix-vda-2_2598_pool }
    1497 { pool citrix-vda-3_1494_pool }
    2601 { pool citrix-vda-3_2598_pool }
    default { discard }
    }
}

This doesn't replace APM in anyway as you can't tunnel over SSL etc, but it works nicely and is scalable..