I am currently deploying BIG-IP 15.1.0.2 in front in front of Citrix Storefront. This solution is designed for external users performing smart card authentication to APM with KCD to Storefront.

Authentication is functioning as expected though when using Chrome and Firefox, the browser detection function for the webhelper is failing. When investigating further, all traffic is using the external URL of withsf.itc.demo but when the detection portion occurs, it changes to the internal URL of srvsf.itc.demo.

I am not sure how to resolve that but am hoping Citrix can help with that. At this point I configured clients to point to BIG-IP DNS with a record of the internal URL to resolve to the same virtual server as my external. The issue now is that this traffic should be configured for clientless-mode but it is not supported when using On Demand Cert auth.

Steps:

1. Client Authentication - Success
2. Client Detection - Get Ticket
3. Storefront Server Resonse: Ticket with postback URL using internal string. https://srvsf.itc.demo/Citrix/UDF_store/clientAssistant/reportDetectionStatus
4. Client Post With Ticket to External URL: Form item: "ticket" = "CDT_a22bziPBrKTuBnaYsVmk7iLqKHpKKjlff3gaKw1ge!X_rJJyYFaFBTpt7FeQae6B"
5. Server: Waiting (RequestURI https://withsf.itc.demo/Citrix/UDF_storeWeb/ClientAssistant/GetDetectionStatus)
6. Client Post: https://srvsf.itc.demo/Citrix/UDF_store/clientAssistant/reportDetectionStatus HTML Form URL Encoded: application/x-www-form-urlencoded Form item: "ticket" = CDT_a22bziPBrKTuBnaYsVmk7iLqKHpKKjlff3gaKw1ge!X_rJJyYFaFBTpt7FeQae6B" Key: ticket Value: CDT_a22bziPBrKTuBnaYsVmk7iLqKHpKKjlff3gaKw1ge!X_rJJyYFaFBTpt7FeQae6B
7. BIG-IP 302 - /vpn/index.html
8. Client - Get /vpn/index.html