Forum Discussion

Chuck_Strouse_1
Aug 08, 2011

XenApp and F5 LTM Config Question

I followed the F5 deployment guide and have my Web Interface servers working through the F5 with the SSL offloaded to the F5. I can log in just fine. My question is, once I go to run an application, my client (on the internet) is trying to connect to the internal private IP of the backend XenApp servers on TCP 2598. Do I need to put in an Alternate address on the Citrix config for the back end servers, or should the client tunnel all communication through the F5's SSL session?
8 Replies

  • You don't need to make any special changes on your back-end servers but you need to ensure that you correctly assigned the required iRule to your VIP. What BIG-IP version are you using?



    The underlying cause is that ICA files (returned by Web Interface when you click on any published app) aren't correctly patched to replace back-end's address with BIG-IP VIP. If everything is set up correctly, you should see all Citrix traffic being passed through BIG-IP / APM SSL connection.
  • Chuck,



    Which deployment guide did you follow? If you want Internet users to connect into your internal XenApp farm, you need to leverage APM product and deployment guide - not the LTM one.
  • We're trying to allow internet users to connect into our internal XenApp farm and we do not have the APM and no plans to purchase.



    Are you implying that it's not possible with the LTM alone?
  • Steve,



    Yes, APM is required to provide secure authentication and ICA proxy of the Internet users into the internal XenApp environment, unless you allow inbound connections to all your XenApp servers from the Internet and put them on routable IP space. What's your hesitation for going forward with APM? It's just an add-on to your existing LTM device.
  • My hesitation for going forward with the APM? The cost of the APM wasn't budgeted for. From what I looked at on my distributor's site, it's licensed per CCU and was far from cheap.



    Would an alternative be to use something like Secure Gateway or Access Gateway alongside the load balanced Web Interface servers?



  • Steve,



    Every APM license includes 500 CCUs for any type of access (portal, app tunnels, SSL VPN, etc.) plus a max license for Citrix remote access. That means that even our 1600 device is going to be licensed to handle up to 1,000 concurrent XenApp remote users with the base APM license. For exact details and sizing, you probably want to have a discussion with your local F5 sales team. Alternately, you can build out a Windows server to run CSG on, or procure an Access Gateway appliance, but you will be missing out on the SSL offload capabilities of F5 (as far as I know, CSG does not support SSL offload for ICA proxy) and TCP optimizations (more information here:



    Also, a 10 CCU APM license is included for free with all LTM devices, so you can try our solution by simply provisioning APM on the device and following the deployment guide and/or iApp, and decide for yourself whether it is worth the investment in the APM product.


  • Steve,

    If looking at this from a cost perspective, attempting to go with the Citrix Netscaler/AGEE solution is just as expensive, if not more so, when you figure in all of the licensing and administrative overhead. Your Netscaler device will have to be licensed at the platinum level for all of the features to be available, and even then, you have to maintain separate PNAgent and WI sites that would use STA servers. BTW, the STA servers are not HA: if one goes down, all the users that had their sessions authenticated by that STA will be dropped and have to re-enter the system. Using the ICA Proxy provided within F5 APM, you do not need additional PNAgent sites nor WI sites, and the session data for connections is HA, so should one APM die off, your users will not experience a horrible time trying to get back in. Should you really need to do endpoint inspection, then we have that built into our product with check boxes rather than having to build distinct regular expressions per platform and setting.




    Hopefully this helps. Otherwise your clients will have to establish a vpn connection and then launch the applications.
  • Chuck - were you able to resolve your issue with the client trying to establish the connection on port 2598?