Citrix XenApp and XenDesktop

More and more organizations are using the BIG-IP system to secure, optimize, and scale their Citrix XenApp/XenDesktop deployments. Since the days when these applications were known as MetaFrame, F5 has been testing and tuning the BIG-IP system for Citrix implementations, and detailing the procedures first in our deployment guides, and now in our iApp templates for Citrix as well.

Not only can the BIG-IP system act as a replacement for the Citrix Web Interface servers, but it can securely proxy Citrix ICA traffic using TCP optimization profiles which increase overall network performance for your application. You also have the option to configure the BIG-IP APM with smart card authentication or with two factor authentication using RSA SecurID.

The following simple, logical configuration example shows one of the ways you can configure the BIG-IP system for Citrix Xen deployments.  In this example, the BIG-IP APM Dynamic Presentation Webtop functionality is used to eliminate the need for the Citrix Web Interface StoreFront server tier. With BIG-IP APM, a front-end virtual server is created to provide security, compliance and control. The iApp template configures the APM using Secure ICA Proxy mode. In secure ICA proxy mode, no F5 BIG-IP APM client is required for network access. The BIG-IP system uses SSL on the public (non-secure) network and ICA to the servers on local (secure) network.  See the deployment guide for more information.



See for information on using the iApp template to configure the BIG-IP system for Citrix. 

See to find the appropriate deployment guide for quickly and accurately configuring the BIG-IP system for Citrix XenApp/XenDesktop. If you have any feedback on these or other F5 guides or iApp templates, leave it in the comment section below or email us at We use your feedback to help shape our new iApps and deployment guides.

Published Jan 27, 2014
Version 1.0

Was this article helpful?


  • when i tried this solution with APM in internal network , it works fine, but when the similar setup is public IP NAT with the VIP IP, it is not working we found that in the ics file SSLProxyHost rewrite as VIP IP, is there any solution where we can change it to the domain name.