adamjones73_136
Feb 21, 2014

Redirect for native Citrix Receiver clients

Hi folks, first post and fairly new to F5 so please bear with me :)

 

Citrix environment: XenApp 6.5, StoreFront 2.1, Citrix Receiver 4.1

 

I have a virtual server configured for StoreFront, with an access policy and client SSL profile. When connecting to the virtual server with a browser, all works well.

 

When connecting to the same virtual server with native Citrix Receiver, this fails. I think I understand why.

 

If I change my hosts file so the FQDN resolves to the IP of the StoreFront server itself (instead of the F5 VIP) - success.

 

For native Receiver clients only, how could I bypass/not apply the access policy on the virtual server? I really just need to load balance native Receiver connections and forward the traffic to the StoreFront servers.

 

Should I try to redirect native Receiver clients to a second simple virtual server, with no access policy? How to do this? Would I need another client SSL profile, or could I reuse the original profile?

 

Is this the right approach? Or could this be done using Policy Editor?

 

Thanks

 

3 Replies

  • John_Alam_45640
    Historic F5 Account

    Try this:

    when HTTP_REQUEST {
        if { [HTTP::header User-Agent] contains "Receiver" } {
            ACCESS::disable
        } else {
            ACCESS::enable
        }
    }
    
  • Hi John, thanks for your reply.

     

    I tried the iRule, however still no success with the Receiver.

     

    I'm using this URL to add the account for Receiver: https://mysite.com/Citrix/StoreName

     

    Not sure if this helps, but the relevant portion of the IIS logs when Receiver is pointed directly at StoreFront shows:

        GET /Citrix/StoreName - 443
        GET /Citrix/StoreName/discovery - 443
        GET /Citrix/StoreName/endpoints/v1 - 443
        GET /Citrix/StoreName/endpoints/v1 - 443
        GET /Citrix/StoreName/resources/v2 - 443
        POST /Citrix/Authentication/auth/v1/token - 443
        POST /Citrix/Authentication/Integrated/Authenticate - 443
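
A narrower variant of the iRule posted above, as an added example that is not part of the thread: the User-Agent header is set by the client, so this version skips the access policy only when the request also targets the StoreFront paths seen in the IIS log, and it logs each skip. The paths and the "StoreName" placeholder come from the thread; whether this is sufficient for Receiver 4.1 is not established here.

```tcl
# Added example, not code from the thread or from F5.
# Assumptions: the store path is /Citrix/StoreName (the thread's placeholder)
# and the Receiver User-Agent contains "Receiver", as in the iRule above.
when HTTP_REQUEST {
    set ua   [HTTP::header value "User-Agent"]
    set path [string tolower [HTTP::path]]

    # Match the store path itself or anything below it, but not sibling
    # sites that merely share the same prefix.
    set store_api [expr { ($path equals "/citrix/storename") or
                          ($path starts_with "/citrix/storename/") }]
    set auth_api  [expr { $path starts_with "/citrix/authentication/" }]

    if { ($ua contains "Receiver") and ($store_api or $auth_api) } {
        # Leave an audit trail for every request that skips the access policy.
        log local0.notice "APM skipped: [IP::client_addr] [HTTP::method] [HTTP::path] UA=$ua"
        ACCESS::disable
    } else {
        # Everything else, including browser traffic, stays behind the policy.
        ACCESS::enable
    }
}
```

Requests that skip the policy this way are authenticated only by StoreFront itself, so the resulting log entries are worth reviewing for unexpected source addresses.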

     

  • Application Service was created using iApp template f5.citrix_vdi.v1.1.0rc6

     

    If I enabled legacy PNA support on the StoreFront servers, I was able to use Receiver 3.4 Enterprise with pass-through authentication; however, in Receiver version 4.0 and up, Citrix has removed PNAgent support.

     

    Resolution: The only way I could get pass-through authentication working with Receiver 4.1 was to remove the Access Profile from the VS.