Forum Discussion

SimonS_84965
Apr 16, 2013

Replacing Citrix Secure Gateway with LTM/APM?

Currently we have a number of sites that have downstream Citrix Secure Gateways that sit in front of the Citrix Web Servers and in turn in front of the various downstream delivery controllers. As it stands, I'm looking to slowly ease the LTM/APM functionality in front of the SG.

 

Currently the SG proxies the ICA traffic within an HTTPS tunnel; we simply expose TCP443 out to the WWW via LTM and set up the Citrix SG as a pool member:

 

Client via WWW --> (x.x.x.x:TCP443) F5 LTM (SNAT x.x.x.y) --> (a.a.a.a:TCP443) Citrix Secure Gateway --> (a.a.a.b:TCP80) Citrix Web Interface

 

Whilst it would seem that it should be quite easy to simply replicate the functionality of the SSL offload that the Citrix SG does, it appears that it natively handles the ICA proxy as well. From my research the 'proxying' is far less graceful than the Citrix doco would make it seem; I believe from my reading on various forums that it simply forces ICA traffic down TCP443, and as ICA is not HTTP-compliant traffic it causes issues with LTM (i.e. as soon as the desktop session launches, it crashes).

 

I found some interesting and ingenious iRule scripts that look for various aspects of the SSL handshake and, if they are not present, assume it's ICA and then don't enforce HTTP compliance, but I couldn't seem to get them to function.

 

Looking at F5 doco the claim is that you need APM to enable ICA proxying (remember I'm not trying to abstract auth), just to replace the Citrix SG role.

 

Under the VS configuration on LTM (when you have the APM license installed) a config tickbox called 'Citrix & Java Support' becomes available; no idea what its job is.

 

Citrix & Java Support - { Enable this check box if you want to provide connections to Citrix desktop resources or to support connections from Java applications.}

 

 

All I'm really looking to do is remove the need for the Citrix Secure Gateway component, so I assume I need to replicate this functionality:

 

1. Offload the SSL processing and be able to pass additional HTTP headers downstream (like XFF, for example)

 

2. Allow ICA traffic to be rammed down the TCP443 listener (if that is in fact how ICA is 'proxied')

 

 

Has anyone else achieved this?

 

14 Replies

  • Yes, you most certainly can proxy ICA traffic the same way as CSG does, and if you don't want to do any authentication on APM, that is fine as well: you can just run through the iApp and put in bogus Active Directory information, then go to the Access Policy and remove the AD Auth object from it, and that should be it. You still need to have APM licensed, as ICA proxy functionality is sold and supported only with the APM license.

     

  • What iApp template are you referencing? f5.citrix_xenapp_xendesktop.2012_06_27?

    I have already given this a shot once (using a similar approach to what you mentioned above; happy to try again). I keep getting stuck on:

    -Virtual Server for XML Broker Servers-

    What IP address do you want to use for the BIG-IP virtual server for XML Broker servers?

    "The XML Broker determines which applications appear in the Web Interface, based on the user's permissions."

    So given I'm not looking to do anything with AAA, I assume I can just dummy this as well?


  • It looks to be that I was destined to fail from the get-go, as there are also some 'issues' it appears with APM and Route Domains. I've got a support ticket out for it so I'll see what's said.

    For those who are considering playing with this, route domains that are not linked to domain-0 will fail if APM has to invoke any UI, as the web server that serves the APM pages (Apache?) serves them from domain-0, so you will likely see a 404 when you are pushed to /my.policy.
  • Looks like to get APM not to 404 you need to swap your VS to be auto-SNAT and then do an additional route-domain selection and SNAT at the APM level.

        apm policy agent route-domain-selection /Common/testaccess_act_route_domain_selection_ag {
            route-domain /Common/801
            snatpool /Common/testsnatpool
        }

    The ICA proxying still fails, but at least I'm getting past the login page now!
  • Andrey_Terentye
    Historic F5 Account
    Hello. APM indeed has limited support for Route Domains (and broader Route Domains support is planned for the next release).

     

     

    Right now, APM supports Route Domains for Citrix access in the following configuration:

     

    1. You're integrating APM with existing Web Interface site(s). The Web Interface site(s) should be specified in a pool on the Citrix APM virtual server (with correct Route Domain set for pool members)

     

    2. You should be using the same Route Domain for pool members AND the virtual server address. E.g. Web Interface server(s) specified in a pool as x.x.x.x%RD, and virtual server address y.y.y.y%RD (RD is the same).

     

     
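    As an added example (not configuration posted in this thread), here is a minimal tmsh configuration that follows the two rules Andrey gives: the Web Interface pool members and the Citrix virtual server address are both in the same route domain, and the SNAT is applied by the APM route-domain-selection agent rather than on the virtual server, with the VS itself set to automap as described earlier in the thread. All addresses, object names, the route domain number 801, the VLAN, the client SSL profile and the access profile name are assumptions for illustration.

```tmsh
# Added example, not from the thread. Addresses, object names, VLAN and RD 801 are assumed.
net route-domain /Common/801 {
    id 801
    vlans { /Common/vlan_dmz }
}

# Web Interface servers: pool members carry the same %RD as the virtual server below
ltm pool /Common/pool_citrix_wi_801 {
    members {
        /Common/10.20.0.11%801:80 { address 10.20.0.11%801 }
        /Common/10.20.0.12%801:80 { address 10.20.0.12%801 }
    }
    monitor /Common/http
}

# SNAT address in the same route domain; selected by the APM agent, not by the VS
ltm snatpool /Common/testsnatpool {
    members { /Common/10.20.0.250%801 }
}

# Route domain selection and SNAT done at the APM level (assumed agent/policy names)
apm policy agent route-domain-selection /Common/testaccess_act_route_domain_selection_ag {
    route-domain /Common/801
    snatpool /Common/testsnatpool
}

# TCP443 listener with SSL terminated on the BIG-IP; virtual address is in RD 801 too
ltm virtual /Common/vs_citrix_443 {
    destination /Common/203.0.113.10%801:443
    ip-protocol tcp
    pool /Common/pool_citrix_wi_801
    profiles {
        /Common/clientssl_citrix { context clientside }
        /Common/http { }
        /Common/tcp { }
        /Common/testaccess { }
        /Common/rewrite { }
    }
    source-address-translation { type automap }
}
```

    A fragment like this can be merged into a running configuration with `tmsh load sys config merge file <path>`; the client SSL profile (with the public certificate and key) and the access profile are assumed to exist already, and the 'Citrix & Java Support' option mentioned at the top of the thread is not shown here because its tmsh form is not covered in the thread.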

  • Thanks Andrey, yes I have the whole thing working now; we are just about to go into a test phase with one of our sites.

     

    I'll post the full config here for anyone else wanting to do the same shortly.

     

    I think the F5 documentation is really good, but one thing that's often missing are slightly less invasive integration guides, i.e. in this instance where I don't want to (well, can't) offset auth yet and really just want to terminate the SSL (more of a service provider approach) for things like Citrix, taking into account all of the little complexities like capturing logouts to clean up APM sessions.

     

     

    Thanks all that helped, and a big thanks to my F5 SE who helped get the attention on my original ticket to help me push past the tricky stuff with moving the route domain selection and snat OUT of the VS and into APM.
    • SimonS_84965
      Just as a further update on this, we now have a number of sites where this is working and we are looking to roll this out further. The Windows Metro Receiver app is expected to introduce a little complexity, so I'll let you know how we go about resolving that.
    • SimonS_84965
      It appears that the Metro app and XenApp functionality on iOS (vs Desktop) appears to break. Looking further at this by way of the AuthManSvrTrace Receiver logs, you notice something interesting just before it bombs out.

      Working via a NetScaler:

          10/27/13 01:52:45 (GMT) T:00001E4C . . . m_ServerInfo=m_ServerType: AG m_GatewayInfo: LogonPointUrl='https://remote.xxxx.catholic.edu.au/', Edition=2,

      Yet if we use our BIG-IP LTM/APM proxy:

          10/27/13 00:54:48 (GMT) T:00001F5C . . . m_ServerInfo=m_ServerType: Unknown

      Not sure if this is simply a case of Citrix being jerks and saying <> Citrix then GOTO :END. Will post more as I continue to research.
    • SimonS_84965
      It appears this has now been resolved by Citrix for the RT version of the Receiver. 1.3.0.154 and below does not work with APM when using the ICA proxying functionality; 1.4.0.220 <> has been confirmed working.
    • SimonS_84965
      Yeah sure can. It's a little long and verbose (it's an internal document); I'll sanitise it and put it up.