I am currently deploying BIG-IP 22.214.171.124 in front in front of Citrix Storefront. This solution is designed for external users performing smart card authentication to APM with KCD to Storefront.
Authentication is functioning as expected though when using Chrome and Firefox, the browser detection function for the webhelper is failing. When investigating further, all traffic is using the external URL of withsf.itc.demo but when the detection portion occurs, it changes to the internal URL of srvsf.itc.demo.
I am not sure how to resolve that but am hoping Citrix can help with that. At this point I configured clients to point to BIG-IP DNS with a record of the internal URL to resolve to the same virtual server as my external. The issue now is that this traffic should be configured for clientless-mode but it is not supported when using On Demand Cert auth.
Line, I am not sure we have/had the same issue but I wrote the following article for the issue I was experiencing. I am still no Citrix expert but everything in my use case is working as expected now by using the settings in the article. If the article doesn't help resolve the issue for you, let me know and I can provide some more detail on the different troubleshooting methods I used.
This issue was resolved by configuring Storefront and APM using the following DevCentral article.