Smart Card Authentication to Citrix StoreFront Using F5 Access Policy Manager
Haha, yeah, believe me, it took a lot of digging through Citrix documentation. Based on that, for non-password authentication the StoreFront server simply needs to resolve the same gateway (F5 BIG-IP) that the user authenticated against. If your internal StoreFront servers have connectivity to the external-facing gateway VS on the BIG-IP, then I believe you should be able to use that. However, I believe in my testing of that scenario I had issues with clientless requests from the StoreFront server because you cannot enable clientless mode with On-Demand Cert Auth.
In my scenario my customer does not allow that communication to occur, so we simply created a new VS accessible internally and a basic access policy. I don't believe it is a Citrix requirement to use the same certificate/key pair that you use for the client-ssl profile on the F5 VS publishing the Citrix Gateway URL, but rather to ensure that the callback server URL has a valid certificate.
If you are supporting smart card auth on the BIG-IP and you use a separate callback virtual server, I did find it necessary to have a connectivity and VDI profile.