citrix storefront + smart access + apm

Question

Does anyone have this working?  I'm trying to get smart access policies to work with StoreFront 2.6 using the v2.2 of the citrix iApp...and every possible configuration I've tried does NOT work.  I've followed the guide step by step.&nbsp;
F5 support has not responded to me for weeks.&nbsp;
I've verified this configuration works with Netscaler and the smart access also works from the same F5 device utilizing the webtop instead of storefront...I've also verified the variables are being set by APM...it's just not passing through to storefront...&nbsp;

michael_koyfma1 · Answer

Sorry &nbsp;, I left F5 almost 3.5 years ago, so I don't know what is the state fo the documentation - I would perhaps suggest opening a support case to help you get over the hump there.

kyleb · Answer

Hello-&nbsp;One thing to validate on your Citrix Storefront servers. Goto the STORE that is configured w/ your F5 gateway. Click on Configure Store Settings.  Click the Advanced Settings section. Locate:  Require Token Consistency. This must be checked if you are using Smart Access, access control, access control filters in XenApp. &nbsp;Thanks,&nbsp;Kyle

michael_koyfma1 · Answer

It most definitely works.  The issue is probably be in your configuration.   After reviewing our currently-posted deployment guide, I realized that SmartAccess is not really highlighted there.  &nbsp;
I'd like to ask you send me privately here the case number you have with support so that I can take a look into it and see what happened.  I will also raise this internally to update our DG and documentation on support.f5.com as well.&nbsp;
For now, please look at this page:&nbsp;
https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-third-party-integration-implementations-12-0-0/2.html&nbsp;
Essentially, you need to configure your StoreFront the same as when you do with Netscaler - except you need to make sure that it points to the F5 device instead of Netscaler.  You also need to remove the SSO profile from the configuration that the iApp creates, so let StoreFront authenticate user via native Access Gateway method.&nbsp;

markd_01_143767 · Answer

Did you ever get this to work? I am having the same issue. I contacted F5, and they eventually told me the same thing as Michael, but I never got it to work. I'd love to see some concrete configuration steps. Also, no one mentioned anything about removing the SSO profile.

jwhitespro_1928 · Answer

Yes I finally got it to work after removing the sso profile as he suggested.

So you need the policy to assign the smart access value.  In citrix the farm name is either * or APM for the filter.

Other things I did in the storefront config for external access was:

The SNIP point to the floating ip on F5
set STAS to match stas in iapp
callback url must resolve to the vip of the apm virtual server (host entry on storefront server)
for delivery controller configuration in SF the xml must resolve to the XML virtual server on F5 and the certificate must be trusted. (also host entry on the storefront server for me, but it doesn't have to be).
the storefront server must also have a host entry that points to itself for the URL that users use to access the APM virtual site/external url.

make sure you apply the policy changes on f5 after you remove the sso profile

Forum Discussion

citrix storefront + smart access + apm

9 Replies

Recent Discussions

F5Access | MacOS Sonoma

Active- Active HA setup

syslog server connection

Cannot see floating MAC address outside of ESXi

Rewrite uri translation not working

Related Content

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

Security First, Performance Always: How F5 Drives Citrix VDI Excellence in Application Delivery

Resolve Citrix Secure Ticket Authority (STA)

F5 StoreFront XML Broker Monitor

APM Citrix Client Bundle for StoreFront 2.6 HTML5 Receiver