citrix with NAT, possible?
I'm trying to have the following environment working: APM app publishing for XenApp 6.5 2 XML broker and 2 ICA servers the citrix environment is in a vCould with NAT. BIGIP sees the NATed addresses of all servers. The broker part is working well as I get the apps publish on the webtop. The issue is when the receiver starts and the APM gets the XML file for app connection, we see inside that file following entries that are problematic :1494 [...] :443 [..] The result is that packet trace for the Receiver to APM shows only a couple of TLS handshakes without app data, then the APM terminates them. The receiver puts an error "network issue" (not SSL, as we have fixed all certificate/SSL issues previously). I guess it's because it cannot interpret/rewrite that XML file. We must use NAT because of vCloud/topology and I'm stuck here. Any idea? Thanks! Alexandre
Seamless failover for Citrix ICA tunnel
We have a Citrix XenApp environment behind APM (11.6) deployed using Citrix iAPP template. APM acts as ICA proxy and we also employ WEB UI servers on the Citrix side of things. It looks like Citrix Receiver disconnects in the middle of the session in the event of Big-IP failing over from active to stand by. In terms of VS configuration we offloading SSL so we are unable to mirror the connections due to V11 limitations. We are also using "cookie" persistence profile with source IP as fallback. I am trying to understand what can be done to avoid Citrix Receiver dropping the connection in case of HA pair failing over. Has anyone been successful trying to achieve seamless fail over for Citrix ICA tunnel?
APM and Citrix ICA file connectivity
Having some challenges with 'what should be simple' NetScaler -> F5 APM (Citrix 6.5 WI) migration and ICA files to successfully connect. Per the new iAPPs template and the fact that this is WI only scenario I've configured my front-end LTM (no xml brokers) and APM with typical policy along with variable assignment after users pass LDAP: session.citrix.sta_servers expr {";} session.logon.last.domain expr {"somedomain"} :: I'm able to hit subdomain.com:8080 from CLI and /var/log/apm showing the server / sessions. I did notice that the server name I'm getting has some 'extra' chars in it though vs the ICA file when I open it. The ICA file also has server/tokens/proxy assigned when I look at it. My error is that "Cannot connect to the server" on the Citrix Client after I launch the ICA. No "err" message in /var/log/apm. Anyone run into or have any suggestions? Does the Ctrix server team need to add anything on the back-end WI? Thanks for feedback!
SSO doesn't work with Citrix deployed on BIG-IP
Hi guys, We would like to use our F5 (LTM&APM fully licensed) instead of Netscaler Gateway for access to our Citrix Farm therefore we have recently deployed the newest iApp (f5.citrix_vdi.v2.3.0) to get this configured and I can see some issues with single sign-on already. I can get to the F5 website (Virtual Server - DNS record created) and log-in successfully with my AD credentials but then it will take me to one of our website hosted on our Citrix WI server (Web Interface) which will ask me to log-in again. Providing the same set of credentials I can log in and access all the resources just fine. It looks like the SSO does not work - not passing on my credentials from F5 website to Citrix Web Interface. What am I missing here? Has anyone seen this before? Thanks,blank webtop on citrix_xendesktop iapp
hi, everyone i have a somewhat annoying problem that occurs every now and then, mostly after a reboot of the bigip's. i have published a solution using the citrix_xenapp_xendesktop_2012_06_27, which works fine for most of the time. But there has been a few occasions now, mostly after a reboot, that users log in, an only find a blank wetop waiting for them, with no applications to choose from. The easy workaround is to simply reapply the access policy, but i would like to see if there is a more permanent solution to this. im running a HA pair of 4200's on version 11.5.2, with ltm+asm+apm modules liscensed.Citrix XenApp iApp APM with Storefront - Cross Access Profile SSO
We've deployed the XenApp iApp in the configuration using APM to send traffic to Storefront. When deploying the iApp, I allowed it to create the APM access profile. I have since noticed that SSO between our Webtop AP and our Citrix AP doesn't appear to be working. The Access Profile SSO Domain Cookie has the same value across both Access Profiles (ex. company.com), but when clicking the Storefront link (Webtop Link - Application URI ex. storefront.company.com) from the webtop, you are redirected to the F5 login page for the Storefront Access Profile. Has anyone else seen this behavior? Any ideas how to get SSO from the webtop into the Storefront AP working? I've also noticed that if I log into Storefront first, and open a new browser tab to the webtop, I immediately get a Connection Reset message.APM webtop to Citrix - prefilling userid, domain for Citrix logon dialog
Env: Big-IP 4200v running 11.5.2 plain, APM fully licensed Context: APM webtop with Citrix Remote Desktop icon, accessing F5 pool of Citrix XML brokers, replacing Storefront; users login to APM via RSA credentials against RADIUS server, no user login to AD (but userid is the same); Citrix client type is new-ish Receiver (12.3), Citrix XenApp version is 7.1 In the described environment, the user logs in to APM by providing userid and RSA PIN/value, which are validated via RADIUS servers. We do not AD-authenticate as part of the APM login, because our F5s involved are in our DMZ, and we don't want them interacting with AD directly - and so we can't turn on "Auto Logon" in the Citrix desktop object, and can't insert an SSO Credential Mapping object (can i?). The user gets to a webtop, and and then clicks on the Citrix remote desktop icon, they are prompted for their AD userid, password and domain, with an F5 generated dialog that will in turn provide the credentials to the XML brokers. In this flow, we would like to pre-fill the userid from what they entered as part of their RADIUS login, and their domain from a hard-coded value. I inserted into the policy an Assignment object, I manually set session.logon.last.domain to our desired domain string, but the Citrix logon dialog did not pick it up. And I can't figure out how to insert the username from the session variable that holds it. Is what I'm attempting possible? Do I in fact need to insert an SSO Credential Mapping, even though we are just pre-filling variables, not actually doing SSO?
AD Password Expiration
Hey all, we've recently cut over to using the BigIP to front end our citrix xenapp environment. Before, users were notified at logon to the citrix web gateways when their password was 14 days out from expiring and gave them an option to reset it then. Now using APM, the user is notified on the day that the pw has expired. Is there anyway to replicate that functionality where a user would be notified ahead of time and be given the opportunity to change it via APM? Thanks all -GRCitrix Xenapp 6.5 Server with CSG - HTTP 400 Bad Request error
I have 1 Xenapp 6.5 server: On this server I have Web Interface, Secure Gateway and its my STA server as well. I have IIS set to SSL port 444 and my CSG is set to 443. I can telnet to my host https://cloud.rainiertitle.com on port 1494 and 2598 - I have disabled session reliability for this troubleshooting. My STA is generating no errors. IIS is giving no errors. This is driving me crazy. I can access everything internally, but I get the HTTP 400 Bad Request when I try to access my site externally. My DNS is working correctly. Everything resolves fine. I ran Fiddler to try to trace my https traffic and I received this error: HTTP/1.1 400 Bad request Date: Fri, 08 Aug 2014 15:35:44 GMT Server: Citrix Web PN Server Content-Length: 0 Connection: close Content-Type: text/plain Any ideas?