I've run into a weird issue that hasn't crept up for me before. Due to all of the stay at home orders, we've opted to implement a VE in our UK data center. I opted to go with the v184.108.40.206 instead of the 220.127.116.11 that we have in our other sites. I didn't think things would be that different but we're having a weird issue with Citrix Workspace access.
Our config is not anything special, we simply deploy the Citrix VDI iApp (v2.4.6) and make minor customization. Everything appears to work great through the browser, however, we cannot get the workspaces app to work through the APM session.
From the Windows app we see errors that say "Cannot contact [STORENAME]". On the Mac app we get "Citrix Workspace cannot connect to the server"
In the APM logs we see the following:
.....checking start uri match, configured start uri: '/Citrix/STORENAME/ExplicitAuth/Login*', request: '/Citrix/Roaming/Accounts'
.....no start uri match
I see where the start uri is configured in the forms based SSO configurations but it's not making sense to me how this could be adjusted.
There isn't much to note from the LTM log though I may have to turn up the logging to get anything from there. Also note, this all works great if I remove the access policy from the virtual server, essentially hitting StoreFront instead of the APM but we do need to secure SF with the APM from the internet.
I wanted to see if anyone has run into this issue or had any other ideas. We have a rather cookie cutter environment, LTM/APM with a pretty much out of the box config for Citrix access backed by new Storefront servers (v 1918.104.22.168).
I have a number of Citrix delivery groups configured on my F5s. I don't point the F5 APM to the Storefront server even though in the iApp wizard for Citrix 2.4.6 you specify use Storefront as apposed to PNAgent. The remote Desktop points to the Citrix Delivery Controller. I stopped using the wizard once I gained experience creating new access policies. Is your access policy configured with a landing page?
The policy is the default one created by the iApp. I can create it all manually as well but I've never run into an issue where the default settings wouldn't work with a cookie cutter Storefront install like this. This is essentially a new clean environment with no gotchas or little customization anywhere. We simply can't get the Workspace app working through the APM session on this particular deployment.
We're not wanting to use WebTops so using Remote Desktop to point to delivery controllers is sort of out of scope. We have all of that configured in SF. Unless it's necessary to get everything working but nothing I've read has lead me down that path at all. We have started playing with adding the F5 as a Citrix Gateway in the SF config which brought us one step closer however, after the initial connection from the Workspace app, we're unable to login again to launch anything. It only works on the first attempt when you add the account to the app.
This appears to work fine using SF 2.6 and BigIP 13.1 with no special customization so I'm sure there's something not aligning between v14 and SF v1912 somewhere. I'm tempted to deploy a v13.1 VE and see if it's SF or if it's the version of BigIP! 🙂