citrix
254 Topics

Two F5 iApp Citrix gateways behind same SSL LB
We need to migrate from NetScaler to BIG-IP. On NetScaler we have two StoreFront FQDNs, and they resolve to the same VIP on the same Citrix Gateway. In other words, one Citrix Gateway provides service for two different StoreFront URLs. We do this because of strict firewall rules between users and our NetScaler, which are managed by different IT teams. End users don't have to whitelist another IP in their firewalls, so we can re-use the same IP to provide another StoreFront to end users. This IP has been allowed for years.

The Citrix Gateway has session policies that check the Host header in the HTTP request and forward the traffic to different backend StoreFronts with the -wihome parameter. If a user accesses FQDN_A, the session policy matches and the session action forwards the traffic to -wihome Storefront_URL_A. If a user accesses FQDN_B, the session policy matches and the session action forwards the traffic to -wihome Storefront_URL_B. This setup has worked fine on NetScaler for more than two years.

On F5 BIG-IP we created two gateways with the iApp template. Each iApp gateway can support one StoreFront FQDN, so we created two gateways with the iApp. The two FQDNs resolve to the same IP on NetScaler, so we created a generic SSL LB in front of the two iApp gateways and attached an SNI-based traffic policy.

Now the issue is that the user can log in and authenticate with either FQDN, see the StoreFront UI, see the allowed app icons and get the .ICA file, but Citrix Workspace cannot establish a VDI session with the ICA file. Citrix Workspace is stuck at "Opening the resource Connection in progress..." and fails with "Unable to start unable to launch your applications due to an internal error. Contact your system administrator." ICA works, so I think the traffic from end users to each iApp gateway through the front LB works and the traffic policy works based on the SNI check. Not sure why ICA works but VDI fails through the LB. However, if I move the IP to one of the iApp gateways, both ICA and VDI work without problem.
Thank you for your assistance.

Citrix XenServer BIG-IP Upgrade help
I am looking to upgrade our standalone BIG-IP on XenServer. Currently running 15.1.2.1. It looks like I can just upgrade to 17 based on K13845. I am stuck on exactly what file to download. I also read K51113020 on how to do the upgrade, but I am a little hesitant because it doesn't reference XenServer specifically. Looking at the files on the download page, I am not sure if I just pull an OVA file? The VM guy seems to think that is really for a new install, not an upgrade. I will take any tips, tricks or strategies to make this a simple upgrade. Thanks in advance.

John

F5 APM - SAML Auth with Citrix Workspace App
Hello, I have configured SAML auth with Azure AD with APM and the StoreFront web interface with no issues. I'm wondering if anyone has tried getting the local Receiver/Workspace app to work? It looks like the local client now supports SAML auth coming from a NetScaler, however I'm not sure if APM can trigger the app to redirect it to Azure to log in.

Source IP and source port persistence using iRule - Citrix - (CARP vs UIE)
Hi, we ran into an issue of uneven load balancing due to using Citrix. Clients end up using the same IP, so we decided we need to start load balancing using the source port as well. I have done my homework and searched around until I came across multiple solutions, either to use UIE or CARP. I have multiple questions that I hopefully will get answers for. I understand CARP doesn't have a timeout, so that leads to the question: is it better to use in this situation? Also we are leaning towards load balancing using least connections. Would each algorithm be limited to a specific load-balancing method? Per my iRule below I don't add persist, assuming it is done automatically. Am I wrong with that assumption? Should I be adding each successful persistence record? What would be the best way to test such an implementation? Here is the iRule I'm about to implement.

    when CLIENT_ACCEPTED {
        # Build the persistence key from the client source IP and source port
        set client_ip_port "[IP::client_addr]:[TCP::client_port]"
        # Tcl expr uses && for logical AND; only persist when both values are present
        if { [TCP::client_port] != 0 && [IP::client_addr] ne "" } {
            persist carp $client_ip_port
        }
    }

Citrix Netscaler to F5 BIG-IP
Problem this snippet solves:

This script is built to convert Citrix NetScaler text-based configuration files to BIG-IP commands. The script aims to reduce the largest burden of entering object names, IP addresses and other parameters, as well as logically linking these objects to each other. It is not meant to perform a totally automated and unattended migration. For the objects that the script migrates, not all parameters may be converted. For the parameters that are converted, some are mapped to the closest matching BIG-IP feature.

If there are any non-ASCII characters or line breaks in the source file, these will need to be fixed manually first (some screen captures may wrap lines, so copying the file directly is preferred). All NetScaler commands are on a single line.

Note that this script will produce a comprehensive list of errors, warnings, notes, etc. at the bottom of the output file. You should look through these first, starting with the errors and working your way down to the less critical messages. You may need to correct problems in the input file or in the Perl script and re-run the conversion. Once you have reviewed the warnings and notes, you should look through the configuration that was generated. The original NetScaler commands are provided for each portion of the BIG-IP configuration, and you should compare the "before and after" for each object.

How to use this snippet:

To get the command-line config, execute the following command on the NetScaler:

    more /nsconfig/ns.conf

(Or you can secure-copy it to your PC using something like WinSCP/pscp.)

Input restrictions: probably only supports NetScaler v7, v8 and v9.

Output restrictions: outputs BIG-IP 9.4.x format (which v10 appears to read fine). The output file contains warnings, errors, base config and the main bigip.conf.

It is best to have ActivePerl on your PC to perform the conversions. You can also use the Perl installation on the BIG-IP command line.
Once the file is converted you can import the configuration into the BIG-IP using b load or b merge. You can also copy/paste into bpsh. Read the header of each of the script files; they have additional information on the usage of the scripts.

Usage:

    perl nsv8_to_f5.pl netscalerconfigfile /var/tmp/bigipoutputfile

APM IdP SAML config for ShareFile
Hi all, we are trying to configure a SAML setup following an F5 SAML guide. Our system should have F5 as the SAML IdP and sharefile.com as the SP. Does anyone have experience with this architecture?

What we already have:

F5 APM config:
    EntityID: https://auth.customer.com
    Bound SP Entity: https://serviceat.sharefile.com/saml/info
    Assertion Consumer Service URL: https://serviceat.sharefile.com/saml/acs

ShareFile config:
    ShareFile Issuer: https://serviceat.sharefile.com/saml/info
    IdP Issuer: https://auth.customer.com
    Login URL: https://auth.customer.com/saml/idp/profile/redirectorpost/sso
    Logout URL: https://auth.customer.com/saml/idp/profile/post/sls

When the user tries to log in on ShareFile, he is redirected to the F5 APM login page; after a successful login, the URL https://auth.customer.com/saml/idp/profile/redirectorpost/sso?SAMLRequest=blablabal.... is requested via GET, but there we don't get any response, so no redirect to the Consumer Service of ShareFile can be seen.

With the SAML tracer I can see the request to the F5:
    https://serviceat.sharefile.com/saml/info
    urn:oasis:names:tc:SAML:2.0:ac:classes:Password

Does anyone have an already running SAML configuration like this or any hints on what we are doing wrong here? It seems to me that the APM doesn't listen on the requested URL.

Thanks in advance,
Philipp

Citrix with NAT, possible?
I'm trying to get the following environment working:

APM app publishing for XenApp 6.5, 2 XML brokers and 2 ICA servers. The Citrix environment is in a vCloud with NAT. BIG-IP sees the NATed addresses of all servers. The broker part is working well, as I get the apps published on the webtop. The issue is when the Receiver starts and APM gets the XML file for the app connection: we see inside that file the following entries that are problematic:

:1494 [...] :443 [..]

The result is that a packet trace from the Receiver to APM shows only a couple of TLS handshakes without app data, then APM terminates them. The Receiver reports a "network issue" error (not SSL, as we have fixed all certificate/SSL issues previously). I guess it's because it cannot interpret/rewrite that XML file. We must use NAT because of vCloud/topology and I'm stuck here. Any idea? Thanks!

Alexandre

XenApp 6.5 with Kerberos Auth and CIFS-Windows Shares
I have been having difficulties with this issue for some time and I am hoping that someone can shed some light on it. All information in this post will be from my test bed environment; however, the same issue is occurring in our live development environment.

We are running 11.5.1 HF5, and so far I have been able to get Kerberos authentication working in order to access my published Citrix applications with APM proxying all ICA traffic and replacing the Citrix Web Interface. The issue comes in once a published app is launched, for example Notepad: I am then unable to access any mapped drives or other CIFS/Windows shares using Kerberos and instead I am asked for my username and password. I have been mostly following this thread to get to where I currently am, as I have a similar scenario: F5 BigIP LTM 6900

In my testbed I have one Domain Controller, one server called XML1 which is my XenApp server, and one server called WB1 which is where I had the Citrix Web Interface when I was trying pass-through authentication, along with where I created the shared folder I am trying to access through my Citrix apps. All servers are Windows 2008 R2; the domain level is set to 2003. Our clients are not joined to the domain, but I have a valid method of locating the right user using an APM AD query.

My mapped drives are in both \\servername\share and \\fqdn\share forms.

Would appreciate any help I can get,
Sheigh

Optimizing application delivery with F5 Secure ICA proxy
F5's Secure ICA proxy solution on APM/EDGE is over a year old now and has been successfully deployed at many of our customers. Besides the simplicity and ease of administration it provides, F5 customers are looking for more value and want to make sure that the solution they implement can provide the fastest delivery of Citrix XenApp and XenDesktop to remote users.

In one scenario, we've found that applying the following TCP profile to the APM ICA proxy virtual server can drastically improve performance of applications where large data transfers are happening between the client and the XenApp/XenDesktop farm. This profile was tested in a typical WAN scenario with the client connecting over a T1 on a 200 ms link with 0.5-1% packet loss. In this scenario, the F5 ICA proxy was able to maintain almost full bandwidth throughput (close to 1.5 Mbit/s on the ICA connection), which was more than a 2x improvement over the throughput with the regular TCP stack.

This is the snippet of the TCP profile configuration from bigip.conf:

    profile tcp optimized_xenapp_wan {
       defaults from tcp-lan-optimized
       reset on timeout enable
       time wait recycle enable
       delayed acks disable
       proxy mss disable
       proxy options disable
       deferred accept disable
       selective acks disable
       dsack disable
       ecn disable
       limited transmit disable
       rfc1323 disable
       slow start disable
       bandwidth delay disable
       nagle disable
       abc enable
       ack on push enable
       verified accept disable
       pkt loss ignore rate 0
       pkt loss ignore burst 0
       md5 sign disable
       cmetrics cache enable
       md5 sign passphrase none
       proxy buffer low 98304
       proxy buffer high 131072
       idle timeout 300
       time wait 2000
       fin wait 5
       close wait 5
       send buffer 65535
       recv window 65535
       keep alive interval 1800
       max retrans syn 4
       max retrans 8
       ip tos 0
       link qos 0
       congestion control scalable
       zero window timeout 20000
    }

If you are running or deploying the F5 Secure ICA proxy solution, we encourage you to try this TCP profile and see if it improves ICA performance in your environment as well.
Any and all feedback will also be greatly appreciated.

Rewrite iRule
How do I write the below iRule if I want to use the two events together?

Event and condition:

    when CLIENT_ACCEPTED {
        # Client IP must be within 10.0.0.0/8
        if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
            ...
        }
    }

    when HTTP_REQUEST {
        # User-Agent contains Firefox, Chrome, Opera or Safari
        # (compared in lowercase, since the header is lowercased first)
        set ua [string tolower [HTTP::header User-Agent]]
        if { ($ua contains "/firefox") || ($ua contains "/chrome") || ($ua contains "/opera") || ($ua contains "/safari") } {
            ...
        }
    }

Action: the action is to rewrite the URI.

    -reqUrlFrom "https://www.f5.com/citrix/wwl_prodweb/" -reqUrlInto "https://www.f5.com/citrix/wwl_prodwebExplicit/"

Any help would be highly appreciated!