Forum Discussion
LTM 11.4.1 forwarding to Netscaler 10.5 with ssl offloading and inspection
Hello
I have the following scenario. My Citrix clients are connecting over F5 to a NetScaler. Behind the NetScaler is the whole environment with StoreFront 2.6 etc. The F5 is doing SSL offloading and re-encryption. So far so good. Clients are able to connect to the NS and they can launch apps and iDesktops. As soon as I enable an HTTP profile the nightmare starts. According to the documentation I tried several settings but didn't get it running with inspection. Does anybody know how to get this up and running?
13 Replies
- Ed_Summers
Nimbostratus
What exactly are you trying to do, and can you post a link to the documentation you are using?
- Stefan_Hill
Nimbostratus
I am using the F5 deployment guide http://www.f5.com/pdf/deployment-guides/citrix-vdi-iapp-dg.pdf?bcsi_scan_B807F83D805DA17C=wXVWvS7ZvdATiOtvH26PodLFLF4wAAAAAHaTCw==&bcsi_scan_filename=citrix-vdi-iapp-dg.pdf I tried setting it up with the iApp and without. As soon as I enable an HTTP profile on my virtual host, which is pointing to the Citrix NetScaler (10.5 build 51.10), my Citrix client is no longer able to connect to an app or iDesktop. I need to do inspection on that setup.
- What_Lies_Bene1
Cirrostratus
Any error messages, any more detail please?
Have you done a tcpdump on the F5 to take a closer look at what's happening?
- Stefan_Hill
Nimbostratus
I did a tcpdump on the connection but didn't see any obvious indication, but to be honest I am not an expert in reading dumps. The error behavior when launching the app with the HTTP profile enabled is that a Citrix window opens indicating the app is starting; this stays until a timeout occurs and it closes with "contact your administrator".
- Stefan_Hill
Nimbostratus
My Citrix environment is using the following releases: Citrix XenDesktop 7.6; NetScaler is NS 10.5 Build 51.10; StoreFront 2.6
- What_Lies_Bene1
Cirrostratus
Hmmm. Why the HTTP profile at all, just out of interest? Also, is this a standard VS or something else, like FastL4?
- StephanManthey
Nacreous
Is there anything logged to /var/log/ltm?
- Stefan_Hill
Nimbostratus
The http profile is needed for the inspection. The aim is to attach a security policy to the VS. Regarding the type of VS, yes it is a standard VS.
- Stefan_Hill
Nimbostratus
Regarding /var/log/ltm nothing obvious to see in the log file.
- StephanManthey
Nacreous
Hi Stefan,
as WLB already recommended, a tcpdump may help to find out the issue:
tcpdump -nnni 0.0:nnnp -s 0 -w /shared/issue.cap host
It will trace all client- and server-side traffic initiated by your client.
The tcpdump syntax above adds the so-called "F5 Ethernet Trailer" data (the "nnn" flag in the interface definition) to your raw dump file /shared/issue.cap, and the capture also contains the related traffic on the "peer" side (server side; triggered by the "p" flag in the interface definition). A description of the trailer data and the Wireshark plugin required to decode it can be found here on DevCentral.
Thanks, Stephan
- Stefan_Hill
Nimbostratus
I did the tcpdump in the past with tcpdump -ni vlanxxx:nnnp -s0 -c 100000 -w /var/tmp/sh_netscaler_050115.cap host x.x.x.x, decrypted it in Wireshark with a pms file... and gave it to F5 support.
- mark_06_140158
Nimbostratus
Hi, we had a similar issue. The process starts with HTTPS to give users a list of available apps/desktops. It then delivers an appropriate ICA file to the client over HTTPS. All works fine as the HTTP filter understands the traffic. When the user opens the app, the Citrix Receiver (client) then initiates ICA over SSL. This ICA traffic is not understood by the HTTP filter, hence it breaks. I am trying to find out how to configure the LTM to distinguish whether the decrypted traffic is HTTP or ICA and then ONLY apply the HTTP filter to the correct stream. Any ideas?
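The decision described in the post above, telling decrypted HTTP apart from a non-HTTP stream before an HTTP filter is applied, sketched in Python as an added example (not code from the thread or from F5). The function names, method list, 8192-byte cap and sample byte strings are constructed assumptions; the binary sample is arbitrary bytes, not real ICA traffic.

```python
import re

# Request methods accepted as the start of an HTTP/1.x request (assumed list).
HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"PATCH", b"CONNECT", b"TRACE")
REQUEST_LINE = re.compile(rb"[A-Z]+ [\x21-\x7e]+ HTTP/1\.[01]")
MAX_LINE = 8192  # assumed cap on request-line length


def classify(buf: bytes) -> str:
    """Classify the first decrypted client bytes: http, not_http or need_more."""
    if not buf:
        return "need_more"
    method, sep, _ = buf.partition(b" ")
    if not sep:
        # No space yet: keep waiting only while buf is a prefix of a method.
        if any(m.startswith(buf) for m in HTTP_METHODS):
            return "need_more"
        return "not_http"
    if method not in HTTP_METHODS:
        return "not_http"
    line, crlf, _ = buf.partition(b"\r\n")
    if not crlf:
        # Request line incomplete: binary bytes or excessive length end the wait.
        body = buf.rstrip(b"\r")
        if len(buf) > MAX_LINE or any(b < 0x20 or b > 0x7e for b in body):
            return "not_http"
        return "need_more"
    return "http" if REQUEST_LINE.fullmatch(line) else "not_http"


def decide(segments) -> str:
    """Feed decrypted segments in arrival order; return the first final verdict."""
    buf = b""
    for seg in segments:
        buf += seg
        verdict = classify(buf)
        if verdict != "need_more":
            return verdict
    return "need_more"  # caller decides what to do on timeout


if __name__ == "__main__":
    # Constructed samples: a split HTTP request and an arbitrary binary stream.
    samples = {
        "store request": [b"PO", b"ST /Citrix/Store", b"Web/ HTTP/1.1\r\n"],
        "binary stream": [b"\x00\x01\x02\x03", b"\x10\x11"],
    }
    for name, segs in samples.items():
        print(name, "->", decide(segs))
```

A stream classified as not_http receives no HTTP inspection at all, so that verdict should only be honoured for connections headed to the expected backend.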
- DavidStovall_22
Nimbostratus
Did you ever find a resolution? I am trying to set up NetScaler behind F5 as well - similar environment to what you describe. Did you get it to work?