Replacing Citrix Secure Gateway with LTM/APM?
Currently we have a number of sites that have downstream Citrix Secure Gateways that sit in front of the Citrix Web Servers and in turn in front of the various downstream delivery controllers. As it stands, I'm looking to slowly ease the LTM/APM functionality in front of the SG.
Currently the SG proxies the ICA traffic within an HTTPS tunnel; we simply expose TCP443 out to the WWW via LTM and set up the Citrix SG as a pool member:
Client via WWW --> (x.x.x.x:TCP443) F5 LTM (SNAT x.x.x.y) --> (a.a.a.a:TCP443) Citrix Secure Gateway --> (a.a.a.b:TCP80) Citrix Web Interface
Whilst it would seem that it should be quite easy to simply replicate the functionality of the SSL offload that the Citrix SG does, it appears that it natively handles the ICA proxy as well. From my research the 'proxying' is far less graceful than the Citrix doco would make it seem; I believe from my reading on various forums that it simply forces ICA traffic down TCP443, and as ICA is not HTTP-compliant traffic, it causes issues with LTM (i.e. as soon as the desktop session launches, it crashes).
I found some interesting and ingenious iRule scripts that look for various aspects of the SSL handshake and, if they are not present, assume it's ICA and then don't enforce HTTP compliance, but I couldn't seem to get them to function.
Looking at F5 doco, the claim is that you need APM to enable ICA proxying (remember I'm not trying to abstract auth), just to replace the Citrix SG role.
Under the VS configuration on LTM (when you have the APM license installed) a config tickbox called 'Citrix & Java Support' becomes available... no idea what its job is.
Citrix & Java Support - { Enable this check box if you want to provide connections to Citrix desktop resources or to support connections from Java applications.}
All I'm really looking to do is remove the need for the Citrix Secure Gateway component, so I assume I need to replicate this functionality:
1. offload the SSL processing and be able to pass additional HTTP headers downstream (like XFF for example)
2. allow ICA traffic to be rammed down the TCP443 listener (if that is in fact how ICA is 'proxied')
Has anyone else achieved this?
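The post describes two things the Citrix SG does that the LTM would need to take over: SSL offload with extra HTTP headers passed downstream, and letting a non-HTTP ICA stream through the same TCP443 listener without the HTTP profile tearing the connection down. The iRule below is an added example of the detection approach the poster mentions, not code from the original post and not from F5 or Citrix. It decides per connection, from the first decrypted bytes, whether the client is speaking HTTP; if not, it switches the HTTP profile off for that connection so the byte stream is passed to the pool untouched. It assumes a virtual server with a clientssl profile (so TCP::collect sees plaintext), an HTTP profile, and the Citrix pool as its default pool; the log text is a constructed placeholder. It detects by the shape of the payload (an HTTP method token) rather than by SSL handshake attributes, and it does not replace the APM 'Citrix & Java Support' feature the post asks about.

```tcl
# Added example; assumes clientssl + HTTP profiles on the virtual server.
# Pool name, log text and the method list are assumptions, not from the post.

when CLIENT_ACCEPTED {
    # Hold the first client bytes (already decrypted by the clientssl profile)
    # until we have decided whether this connection is HTTP or a raw ICA stream.
    TCP::collect
}

when CLIENT_DATA {
    # Only the start of the payload matters: HTTP requests open with a method token.
    set first_bytes [string range [TCP::payload] 0 15]

    if { [string match -nocase {GET *} $first_bytes] ||
         [string match -nocase {POST *} $first_bytes] ||
         [string match -nocase {HEAD *} $first_bytes] ||
         [string match -nocase {PUT *} $first_bytes] ||
         [string match -nocase {OPTIONS *} $first_bytes] } {
        # Looks like HTTP: keep the HTTP profile active so HTTP_REQUEST fires
        # and headers can be inserted for the Web Interface behind the LTM.
        HTTP::enable
    } else {
        # Not HTTP: assume ICA and disable HTTP parsing for this connection,
        # so the LTM stops enforcing HTTP compliance on the ICA byte stream.
        HTTP::disable
        log local0.info "Non-HTTP payload from [IP::client_addr]:[TCP::client_port], HTTP profile disabled (assumed ICA)"
    }

    # Release the held bytes so the connection proceeds to the default pool.
    TCP::release
}

when HTTP_REQUEST {
    # Requirement 1 from the post: after SSL offload, pass the real client
    # address downstream as X-Forwarded-For.
    HTTP::header insert X-Forwarded-For [IP::client_addr]
}
```

Two caveats worth checking in a lab before relying on this: TCP::collect with no byte count releases as soon as any data arrives, so a client that sends a very short first segment could be misclassified (a fixed minimum such as TCP::collect with a byte count would tighten the check at the cost of waiting for that many bytes), and the log line fires once per non-HTTP connection, which is a useful way to confirm whether ICA sessions really do arrive on the TCP443 listener as the post suspects.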