Citrix Federated Authentication Service Integration with APM
Introduction This guide will cover how to use APM as the access gateway in front of Storefront when using Citrix FAS. This will enable you to leverage authentication methods like SAML, Kerberos, or NTLM on the client side. Note that almost any auth method can be supported via Receiver for web, but Receiver self-service does not support some auth methods such as SAML. Deploy Citrix Federated Authentication Service Now you’ll need to deploy Citrix Federated Authentication Service (FAS). Deployment of FAS is out of scope for this article, but as there are many parts I found the following guide from Carl Stalhood very helpful: http://www.carlstalhood.com/citrix-federated-authentication-service-saml. Ignore the section “SAML on Netscaler Gateway” since you’re going to deploy APM instead, but don’t miss that last section “Configuring Storefront for SAML Gateway”. When configuring Storefront anywhere it requests the Netscaler Access Gateway address you’ll use the FQDN you intend to use for your virtual server on Big-IP (how users will access Storefront). Examples include the callback URL field when configuring the authentication and when configuring the Netscaler gateway. Before proceeding, you should be able to go direct to the Storefront server, log in, and be able to launch an application successfully. There can still be misconfigurations that prevent access through an access gateway, but you will have fewer areas left as problems. You must use an Enterprise CA, otherwise on the CA you will see pending certificates not getting approved automatically and you will be unable to launch apps. Also note that if you have previously made configuration modifications usually needed forearlier versions like Citrix 6.5, such as host file entries, those should be removed prior to proceeding. For correct operation of FAS, DNS needs to be setup properly which may include setting up PTR records. Create the SAML SP In the Big-IP GUI go to Access Policy -> SAML -> Big-IP as SP and click create. You’ll create an SP config and for the entity ID in the format https://my-vs-fqdn.domain.com. All the rest can be left default. Now you’ll need to setup your IdP Connector. This could be another Big-IP APM, ADFS, Okta, or any other IdP service. You can import the metadata if available or you can manually configure it. Configuring the IdP connector is out of scope for this article, but after configuring it, you’ll select your SP and click the “Bind/Unbind IdP Connectors” button, “Add New Row”, select it from the drop down as the SAML IdP Connector, then click Update, OK. Note that you can bind multiple IdP connectors here if there are multiple IdPs. You need to set a matching source (variable) and the matching value that should cause use of that IdP. A common solution might be %{session.server.landinguri} for the source and /customer1 for the matching value to go to customer 1’s IdP. Now you’ll see this on the SP configuration page. Your IdP should be setup to send either the user’s userPrincipalName or sAMAccountName as the NameID. This should match either the userPrincipalName or sAMAccountName of the user account in the AD domain used by Citrix that you want the user logged in as. Carl Stalhood’s guide linked above provides an example configuring the ADFS IdP and he is using userPrincipalName. Note that if you decide to use alternate UPNs (not matching your AD domain name) for your users you will also need to enable those domains in “Trusted Domains” on your Storefront server. Deploy the iApp Now we can move on to deploying APM as your access gateway. First, deploy the latest iApp. At the time of writing this article, that’s version 2.4.0. When deploying the iApp you’ll need to answer the following questions as shown: You’ll need to specify your STA servers: Finally, pay special attention to the DNS name you’re going to have clients use. This should be the same as you used in the Citrix Storefront configuration earlier and the SAML configuration later. This is how users are going to access the deployment. Now you have the iApp for Citrix deployed, but it’s using the default forms based authentication. You need to customize the authentication method. This guide will help you deploy SAML authentication, but as mentioned you could use NTLM, Kerberos, or another authentication method. Before proceeding you need to verify that the certificate you’ve selected is valid. If it is not, SSO will fail when Storefront tries to callback to the virtual server and the user will get the error “Cannot Complete Your Request”. You can browse to the FQDN you entered from the Storefront server to make sure you don’t get certificate errors. Normally you would use a publicly signed certificate and that will work fine (but don’t forget the chain). If it’s an internally signed certificate, your Storefront server needs to trust it as well. Modify the iApp’s APM Policy By default the policy looks like this: We need to modify it to look like this: To modify the policy you will need to turn off “strict updates” on the iApp: Note that in this case we aren’t modifying the Receiver branch because Receiver doesn’t support SAML authentication. You could just change it to deny receiver clients if desired. First remove the Logon Page, AD Authentication, and SSO Credential Mapping objects from the Browser branch. Next add a SAML Auth object right before the Session Variable Assign object (plus sign, Authentication tab, SAML Auth). Select the SP you configured earlier. Next, open the Session Variable Assign. You need to add a new entry, and set session.logon.last.username to equal the session variable session.saml.last.nameIDValue. Notice that the domain and sta_servers variables were set here already, those were done by the iApp. Here is what creating that looks like: Now your policy should look like the one above. Be sure to click Apply Policy in the top left. Test And finally you should be able to browse to the FQDN of your new virtual server, be redirected to your SAML IdP for authentication, then get redirected back and SSO’ed in to your Citrix environment. You should be able to see the Storefront catalog and launch an application Updates 12/21/2016 - Removed an iRule that is not needed for SSO to function properly in a complete deployment
Solution for Citrix Optimal Gateway Routing
Introduction On the heels of a very well written DevCentral article by Steve Lyons, Smart Card Authentication to Citrix StoreFront Using F5 Access Policy Manager, where he documented how to configure F5 BIG-IP APM to provide SSO Smart Card Authentication to Citrix StoreFront I figured it was time to publish another APM/Citrix related article for the community. A customer of mine was going to be replacing Citrix ADCs (NetScalers) with F5 APM throughout their enterprise to provide SSO SmartCard authentication to StoreFront along with ICA traffic proxying. There is a freely available iApp available for your APM that will help with this configuration. However, this iApp solution is only appliable if you are authenticating to StoreFront AND proxying your ICA traffic through the same F5 APM. And of course, this was not the configuration my customer was looking to implement. The existing Citrix ADC based implementation was configured to take advantage of something Citrix calls Optimal Gateway Routing (OGR); sometimes referred to as Optimal HDX Routing. Table of Contents What is OGR The F5 Problem The F5 Solution Configuration Steps F5 APM SF-GW Configuration iRule - Create STA Resolution Halt iRule - Create Citrix Logged Out F5 APM ICA-GW Configuration iRule - ExtractCitrix STA iRule - Resolve Citrix STA What is OGR? OGR for Citrix Storefront is a design whereby a Citrix web client is directed to an ICA Proxy Gateway (ICA-GW) anywhere in the world that is closest to the app/desktop hosting environment (XenApp and XenDesktop servers) which may not be on the same Citrix StoreFront ADC (NetScaler) Gateway (SF-GW) which has authenticated the user. This is in contrast to being directed to a single ADC Gateway device that hosts SF-GW and ICA-GW. In a Citrix ADC deployment, the ICA-GW (not the SF-GW) is responsible for validating/resolving the STA ticket provided by a Secure Ticket Authority (STA) server. Since the ICA-GW is responsible for this validation, it allows OGR to function and send ICA traffic to a different ICA-GW than what was used to download the ICA file from StoreFront. Figure 1: Suboptimal Gateway Routing Figure 2: Optimal Gateway Routing The F5 Problem(link back to Top of page) The F5 Access Policy Manager (APM) can be used to simultaneously replace a Citrix ADC for both the StoreFront Authentication process as well as the ICA Proxy process. In contrast to how Citrix ADC processes a downloaded ICA file, the F5 APM Citrix VDI plugin is designed to validate/resolve the STA ticket with the STA server upon download of the ICA proxy file from the StoreFront server.The validation details are stored locally in the APM SF-GW access session table. This session table is not shared amongst APM devices in the enterprise. So, if the ICA file then directs the client to a different APM device (ICA-GW) by virtue of the ICA file entry: SSLProxyHost=[ICA-Proxy-FQDN]:443 than what was used to download the ICA file (APM SF-GW), the APM ICA-GW will NOT have knowledge of the already validated/resolved STA ticket. The APM Citrix VDI plugin does not perform validation/resolution of the STA ticket upon launching the ICA file. The APM ICA-GW will then terminate the app/desktop session. The F5 Solution(link back to Top of page) In order to support Citrix Optimal Gateway Routing in a distributed gateway environment, the following configuration can be used. The APM SF-GW is responsible for authentication, proxying StoreFront application/desktop enumeration, and app/desktop ICA file retrieval. When a client requests an app, StoreFront will create an ICA file based on information it has retrieved from the DDCs and STA servers, send it to the APM SF-GW, which will then send the ICA file to the client. An iRule attached to the virtual server on the APM SF-GW will prevent STA validation upon download. The client can then launch the ICA file which contains a line: SSLProxyHost=[ICA-Proxy-FQDN]:443 directing the connection to an APM ICA-GW. The APM reads the ICA request, pulls out the STA server shortname referenced in the payload: Address=;40;STA12345678;0123456789ABCDEF0123456789ABCD which is the same STA server that StoreFront connected to, and matches that to a URL for the STA server using a pre-configured datagroup. Then APM ICA-GW connects to the STA server in order to validate the STA ticket included in the ICA payload. STA validation variables are stored in an APM access session table. Now that the STA ticket has been validated, the APM will proxy the ICA traffic to the app server. Configuration Steps(link back to Top of page) Assumptions: 1.Citrix StoreFront and DDCs are configured for external client access utilizing HDX routing which requires the configuration of Secure Ticket Authority (STA) servers similar to the following: Figure 3: StoreFront server, “Citrix StoreFront” applet -> Stores -> “Manage Netscaler Gateways” -> Edit Figure 4: StoreFront server, “Citrix StoreFront” -> “Configure Store Settings” -> “Optimal HDX routing” F5 APM SF-GW Configuration(link back to Top of page) Creating a StoreFront AD Authentication Access Policy Navigate to Access››Profiles / Policies : Access Profiles (Per-Session Policies) and click Create General Properties Name: sta_resolver_ap Profile Type: All Customization Type: Modern Configurations Logout URI Include: /Citrix/UDF_storeWeb/Authentication/Logoff Note: replace UDF_storeWeb with the appropriate StoreFront related Store name for your Storefront environment Language Settings Configure your desired Language settings and click Finished When you are returned to the previous page displaying all access profiles, select Edit from the newly created policy to open the Visual Policy Editor (VPE) Between Start and Deny, select the + From the Logon tab, click the “Logon Page” radio button and click Add Item. Accept the Logon Page Agent default settings. Click Save Click the “+” (plus sign) to the right of the Logon Page object From the Authentication tab, select your preferred method of authentication. This should match up with the authentication method the StoreFront is expecting to consume.For the purpose of this article, we are using “AD Auth”. The configuration of the AD server is beyond the scope of this article. Click Add Item. Complete the Authentication configuration per AAA guidelines. Click Save. Click the “+” (plus sign) to the right of the Authentication object Select the Assignment tab. Select the SSO Credential Mapping radio button and click Add Item. Leave the defaults and click Save Change the ending for the SSO Credential Mapping fallback to Allow Click Apply Access Policy at the top left Once complete select Apply Access Policy and your VPE should look like the screenshot below Creating a VDI Profile Navigate to Access››Connectivity / VPN : VDI / RDP : VDI Profiles and click Create New Profile Profile name: citrix_vdi Parent Profile: /Common/vdi Click OK Create STA Resolution Halt iRule Navigate to Local Traffic››iRules : iRule Listand click Create Name: STA_STOP Definition: when RULE_INIT { set static::debug_sta_fwd 0 } when HTTP_RESPONSE { if { [HTTP::has_responded] } { log local0. "http has responded" return } if { $tmm_apm_client_type != "citrix-launch" } { #log local0. "apm client type is NOT citrix launch" return } set content_type [string tolower [HTTP::header Content-Type]] if { $content_type contains "application/x-ica" || $content_type contains "application/vnd.citrix.launchdata+xml" } { log local0. "content type is ica or citrix" set ica_file_response 1 set contentLength [HTTP::header "Content-Length"] HTTP::collect [HTTP::header Content-Length] } else { log local0. "content is not citrix" } } when HTTP_RESPONSE_DATA { if { [info exists ica_file_response] } { log local0. "ica_file_response exists" # set session.user.access_mode to local ACCESS::session data set "session.user.access_mode" "local" if { ![info exists target_apm] } { return } } } Create Citrix Logged Out iRule Navigate to Local Traffic››iRules : iRule Listand click Create Name: storefront_logged_out Definition: when CLIENT_ACCEPTED { set citrix_logout 0 } when ACCESS_ACL_ALLOWED { set type [ACCESS::session data get session.client.type] if { !($type starts_with "citrix") } { set storeWebName "/Citrix/UDF_storeWeb/" set http_uri [HTTP::uri] if { $http_uri == "/" || ($citrix_logout eq 0 && $http_uri ends_with "login.aspx") } { # log local0. "For [HTTP::uri] Redirecting to $storeWebName" ACCESS::respond 302 Location "https://[HTTP::host]$storeWebName" } elseif { $http_uri contains "Logoff" } { set citrix_logout 1 } elseif { $citrix_logout eq 1 && $http_uri ends_with "login.aspx" } { set citrix_logout 0 ACCESS::respond 200 content "Logged out\r\n" Connection close ACCESS::session remove } } } Note: The storeWebName variable value in the iRule must be changed to match your Citrix store name Configuring an HTTP Profile Navigate to Local Traffic››Profiles : Services : HTTP and click Create Name: storefront_http Parent Profile: http Request Header Erase: Accept-Encoding Request Header Insert: X-Citrix-Via:storefront.itc.demo Note: X-Citrix-Via is the header name and storefront.itc.demo is the value. The value must match the external FQDN in your environment. Redirect Rewrite: All Insert X-Forwarded-For: Enabled Click Finished Creating a VDI Profile Navigate to Access››Connectivity / VPN : VDI / RDP : VDI Profiles and click Create New Profile Profile name: citrix_vdi Parent Profile: /Common/vdi Click OK Creating a Client SSL Profile for Storefront Client Access Navigate to Local Traffic››Profiles : SSL : Client and click Create Name: storefront_clientssl Parent Profile: clientssl Certificate Key Chain: Select the External Cert and Key that will be used for this website Configuring a Storefront Pool Navigate to Local Traffic››Pools : Pool List Name: storefront_pool Health Monitors: tcp Load Balancing Method: Least Connections (member) Address: 10.1.20.6 Service Port 443 Click Add and Finished NOTE: add as many StoreFront servers in your environment to the pool member list Creating a Virtual Server for Storefront Access Navigate to Local Traffic››Virtual Servers : Virtual Server Listand click Create Name: storefront_vs Type: Standard Destination Address/Mask: 10.1.10.101 Service Port: 443 Protocol Profile: tcp HTTP Profile (Client): storefront_http SSL Profile (Client): storefront_clientssl SSL Profile (Server): serverssl Source Address Translation: Auto Map (or whatever is appropriate for your environment) Access Profile: storefront_ap Click the + next to Connectivity Profile to create a new profile. Profile Name: proxy_conn Parent Profile: /Common/connectivity Click Ok VDI Profile: citrix_vdi iRules Highlight “STA_STOP” and “storefront_logged_out” and click the double left arrow button to move the iRule to the Enabled box Default Pool: storefront_pool Default Persistence Profile: cookie Fallback Persistence Profile: dest_addr Click Finished This concludes the configuration of the F5 APM SF-GW There is a minimum requirement of 2 virtual servers on the ICA-GW. The first VS (proxy-vs) will be the listener that client ICA proxy requests are sent to. An iRule attached to this VS will pull out the payload of the ICA proxy request and make a sideband call to another VS (sta-resolver-vs) on the same APM. The sta-resolver-vs VS, via an iRule, will take the payload sent by the proxy-vs sideband call and use the STA server “shortname” in the payload to reference a Datagroup to find the STA server URL. This URL is then populated in the APM session table. The VDI profile will use this URL to contact the STA server to validate the STA ticket. Information received back from the STA server populates the session table. The ICA-GW now has the information it needs to proxy the ICA traffic. F5 APM ICA-GW Configuration(link back to Top of page) Creating a STA Ticket Resolver Access Policy Navigate to Access››Profiles / Policies : Access Profiles (Per-Session Policies) and click Create General Properties Name: sta_resolver_ap Profile Type: All Customization Type: Modern Configure your desired Language settings and click Finished When returned to the previous page displaying all access profiles, select Edit from the newly created policy Between Start and Deny, select the + and then the “General Purpose” tab Select “Empty” and click Add Item Name: sessionexternal_sta_ticket Click the Branch Rulestab Click the Add Branch Rulebutton Name: External STA Ticket Click changenext to Expression: Empty Click the Advancedtab In the advanced field enter: expr {[mcget {session.external_sta_ticket}] == 1} Click Finished Click Save Click Apply Access Policy at the top left Once complete select Apply Access Policy and your VPE should look like the screenshot below Create a client SSL profile that contains the appropriate certificate, key, and chain. This configuration is beyond the scope of this article. A server SSL profile is not required as traffic between the ICA-GW and DDC does not use TLS. Creating a VDI Profile Navigate to Access››Connectivity / VPN : VDI / RDP : VDI Profiles and click Create New Profile Profile name: citrix_vdi Parent Profile: /Common/vdi Click OK Create STA ticket Extractor iRule Navigate to Local Traffic››iRules : iRule Listand click Create Name: StaTicketExtractor Definition: See iRule here: https://devcentral.f5.com/s/articles/Extract-Citrix-Secure-Ticket-Authority-STA Note: A Virtual Server name (sta-resolver-vs) is referenced in the command ‘set conn [connect "sta-resolver-vs"]’.This VS will be created further in the article. If the VS is created with another name, then the command in this iRule must be changed to match the name of the VS. Creating a Virtual Server for ICA Proxy Navigate to Local Traffic››Virtual Servers : Virtual Server Listand click Create Name: proxy-vs Type: Standard Destination Address/Mask: 10.1.10.115 Note: This will be the IP address available to external users attempting to access Citrix resources Service Port: 443 Protocol Profile: tcp HTTP Profile (Client): http SSL Profile (Client): citrix_client_ssl SSL Profile (Server): leave blank Source Address Translation: Auto Map Access Profile: sta_resolv_ap Click the + next to Connectivity Profile to create a new profile. Profile Name: proxy_conn Parent Profile: /Common/connectivity Click Ok VDI Profile:citrix_vdi iRules Highlight “StaTicketExtractor” and click the double left arrow button to move the iRule to the Enabled box Do not select a Default Pool or Persistence Profile Click Finished Create STA Ticket Resolver iRule Navigate to Local Traffic››iRules : iRule Listand click Create Name: StaTicketResolver Definition: See iRule here: https://devcentral.f5.com/s/articles/Resolve-Citrix-Secure-Ticket-Authority-STA Create a DataGroup to map STA server shortnames to the URL of the STA server Navigate to Local Traffic››iRules : Data Group Listand click Create Name: sta_dg Type: string Enter as many pairs of String:Value necessary for your environment. The String will be the STA server shortname; typically in the STA12345678 format although this is customizable in the Windows registry. The value is the URL of the STA server in the format: https://[FQDN]/scripts/ctxsta.dll. Check with the Citrix system administrator if the STA servers should be contacted via http or https. This guide was written for HTTPS Click Finished Creating a Virtual Server for STA ticket Resolution Navigate to Local Traffic››Virtual Servers : Virtual Server Listand click Create Name: sta-resolver-vs Note: This name must match the name referenced in the ‘set conn [connect "sta-resolver-vs"]’ command in the previously created “StaTicketExtractor” iRule Type: Standard Destination Address/Mask: 1.2.3.4 Note: This can be any dummy IP address Service Port: 80 Protocol Profile: tcp HTTP Profile (Client): http SSL Profile (Client): leave blank SSL Profile (Server): serverssl Source Address Translation: Auto Map Access Profile: sta_resolv_ap Connectivity Profile: proxy_conn VDI Profile:citrix_vdi iRules Highlight “StaTicketResolver” and click the double left arrow button to move the iRule to the Enabled box Do not select a Default Pool or Persistence Profile Click Finished This concludes the configuration of the F5 APM SF-GW Conclusion(link back to Top of page) And that’s it. When you connect to your StoreFront virtual server on the F5 APM SF-GW, you will be presented with an F5 APM login screen.Login with your AD (or other) credentials.This should SSO you into Storefront where you will be presented with applications assigned to your AD account or groups. When you click on an app or desktop, an ICA file is downloaded and automatically launched by the Citrix Connection Manager (Receiver).The SSLProxyHost line in the ICA file directs your client to the F5 APM ICA-GW defined in the StoreFront configuration. The ICA-GW reads the payload in the request and contacts the STA server for validation, and then your app/desktop should load.Citrix XenApp 5.0 Implementation Tips
I recently had the pleasure of working on a Citrix 5.0 implementation and I wanted to share a few things that I learned during that setup. As many of you know, there are two deployment guides that have been made available by F5 Networks in regards to setting up Citrix Presentation Server 4.5 in TMOS versions 9.x and 10.x. They are excellent guides and the best thing about them is that you can utilize those guides to assist you in deploying Citrix XenApp 5.0, with a few exceptions of course. Those exceptions are what I will be covering in this tech tip. Both of the previously mentioned deployment guides discuss editing files on the Citrix farms Web Interface servers so that it looks for the client IP address in the X-Forwarded-For HTTP header. Otherwise, every connection will appear to be originating from the BIG-IP LTM and not from its true IP. After reading both guides and looking at my current environment I was dismayed to find that the files and locations mentioned were no longer valid. I then turned to my top three resources on the web in the search for an answer: AskF5, DevCentral and Google. I struck out on the first two (which seldom happens) but my Google search did turn up some interesting results on the Citrix Forums. I finally found some code posted by Sam Jacobs back in August 2009 that modifies the way the Citrix farm looks up the client IP address. His method allows for the use of the X-Forwarded-For header. The first file that you will want to find and edit is the Include.java file. You will want to locate and change this file on every Web Interface XenApp server in the farm. Speaking from experience, save a copy of the original file to a safe location such as your desktop or flash drive. DO NOT copy the file and rename the original to Include.old and leave it on the server. It may sound crazy, but doing that will not work. I’m not a programmer, so I cannot tell you why that will not work, but I can tell you I know for a fact it will not. That being said, here is the file path for the Include.java file: “\Inetpub\wwwroot\Citrix\XenApp\app_code\PagesJava\com\citrix\wi\pageutils\Include.java” Now that you have found the file, open it up with a text editor (I use Textpad) and find the Java routine named “getClientAddress”. Replace the code for that routine with the code listed below. public static String getClientAddress(WIContext wiContext) { String ageClientAddress = AGEUtilities.getAGEClientIPAddress(wiContext); String userIPAddress = wiContext.getWebAbstraction().getRequestHeader("X-FORWARDED-FOR"); if (userIPAddress == null) { userIPAddress = wiContext.getWebAbstraction().getUserHostAddress(); } return (ageClientAddress != null ? ageClientAddress : userIPAddress); } Save the file and wash/rinse/repeat this step on every Web Interface server in the farm. The next thing that you will want to do is to modify the login page so that it displays the client IP address being obtained from the X-Forwarded-For header. The file you will want to edit is called “loginView.ascx” and can be found in the following file path on your Web Interface Servers: ”\inetpub\wwwroot\Citrix\XenApp\app_data\include\loginView.ascx” The code you will want to add is: Client IP: <%= com.citrix.wi.pageutils.Include.getClientAddress(wiContext) %> I added the code directly below the LoginPageControl viewControl line and it works well for me. Save the file and repeat this step on every Web Interface server in the farm and reboot each Web Interface Server after you are done. That’s it! Well, you do have to complete the other setup steps listed in the deployment guide that you are using, but after that your farm will be ready for business! I am aiming to develop some custom monitors for the Web Interface Server and for the XML Broker Servers over the next few weeks. Once I have those done I will put them out in the forums for the community enjoy. -naladarCitrix XenApp and XenDesktop
More and more organizations are using the BIG-IP system to secure, optimize, and scale their Citrix XenApp/XenDesktop deployments. Since the days when these applications were known as MetaFrame, F5 has been testing and tuning the BIG-IP system for Citrix implementations, and detailing the procedures first in our deployment guides, and now in our iApp templates for Citrix as well. Not only can the BIG-IP system act as a replacement for the Citrix Web Interface servers, but it can securely proxy Citrix ICA traffic using TCP optimization profiles which increase overall network performance for your application. You also have the option to configure the BIG-IP APM with smart card authentication or with two factor authentication using RSA SecurID. The following simple, logical configuration example shows one of the ways you can configure the BIG-IP system for Citrix Xen deployments. In this example, the BIG-IP APM Dynamic Presentation Webtop functionality is used to eliminate the need for the Citrix Web Interface StoreFront server tier. With BIG-IP APM, a front-end virtual server is created to provide security, compliance and control. The iApp template configures the APM using Secure ICA Proxy mode. In secure ICA proxy mode, no F5 BIG-IP APM client is required for network access. The BIG-IP system uses SSL on the public (non-secure) network and ICA to the servers on local (secure) network. See the deployment guide for more information. Seehttps://devcentral.f5.com/s/articles/citrix-vdi-iapp-templatefor information on using the iApp template to configure the BIG-IP system for Citrix. See https://f5.com/solutions/deployment-guidesto find the appropriate deployment guide for quickly and accurately configuring the BIG-IP system for Citrix XenApp/XenDesktop. If you have any feedback on these or other F5 guides or iApp templates, leave it in the comment section below or email us at solutionsfeedback@f5.com. We use your feedback to help shape our new iApps and deployment guides.In 5 Minutes or Less Video - BIG-IP APM & Citrix XenApp
Watch how F5 customers can now simply use BIG-IP Access Policy Manager or BIG-IP Edge Gateway to consolidate access control in a central location, keeping infrastructure administration concerns to a minimum. With BIG-IP solutions, customers enjoy the flexibility and scalability needed to extend Citrix applications to both local and remote users without changing local XenApp deployments or requiring STA to provide secure remote access to applications. Highlights of deploying Citrix and F5 technologies together include: Reduced Management Time and OpEx – By simplifying and centralizing local and remote access authentication, BIG-IP solutions eliminate the need for customers to add separate Citrix STA infrastructure or make changes to existing Web Interface servers, resulting in an environment that is less expensive to deploy and requires less time to manage. Simplified Configuration and Deployment – With BIG-IP solutions, administrators can support users of Citrix applications with fewer devices, configure deployments to support flexible access models, and easily scale the environment. This fully integrated functionality makes it quick and easy for customers to set up and deploy local and remote access capabilities for Citrix applications, keeping users productive. Centralized and Comprehensive Access Control – Unlike the separate Citrix products required to adequately support applications for remote users, BIG-IP solutions provide centralized application access control and use a single access policy to support all types of users securely, so IT teams can be confident that application access is aligned with the organizations’ specific business priorities and security policies. &amp;amp;amplt;/p&amp;amp;ampgt; &amp;amp;amplt;p&amp;amp;ampgt;ps&amp;amp;amplt;/p&amp;amp;ampgt; &amp;amp;amplt;p&amp;amp;ampgt;Resources:&amp;amp;amplt;/p&amp;amp;ampgt; &amp;amp;amplt;ul&amp;amp;ampgt; &amp;amp;amplt;li&amp;amp;ampgt;&amp;amp;amplt;a href=&quot;http://www.f5.com/news-press-events/press/2010/20101214.html&quot; _fcksavedurl=&quot;http://www.f5.com/news-press-events/press/2010/20101214.html&quot;&amp;amp;ampgt;F5 Simplifies and Centralizes Access Management for Citrix Applications&amp;amp;amplt;/a&amp;amp;ampgt; &amp;amp;amplt;/li&amp;amp;ampgt; &amp;amp;amplt;li&amp;amp;ampgt;&amp;amp;amplt;a href=&quot;downloads.f5.com&quot; _fcksavedurl=&quot;downloads.f5.com&quot;&amp;amp;ampgt;BIG-IP v10.2.1 Download (Log in required)&amp;amp;amplt;/a&amp;amp;ampgt; &amp;amp;amplt;/li&amp;amp;ampgt; &amp;amp;amplt;li&amp;amp;ampgt;&amp;amp;amplt;a href=&quot;http://www.f5.com/products/big-ip/access-policy-manager.html&quot; _fcksavedurl=&quot;http://www.f5.com/products/big-ip/access-policy-manager.html&quot;&amp;amp;ampgt;BIG-IP Access Policy Manager&amp;amp;amplt;/a&amp;amp;ampgt; &amp;amp;amplt;/li&amp;amp;ampgt; &amp;amp;amplt;li&amp;amp;ampgt;&amp;amp;amplt;a href=&quot;http://www.f5.com/products/big-ip/edge-gateway.html&quot; _fcksavedurl=&quot;http://www.f5.com/products/big-ip/edge-gateway.html&quot;&amp;amp;ampgt;BIG-IP Edge Gateway&amp;amp;amplt;/a&amp;amp;ampgt; &amp;amp;amplt;/li&amp;amp;ampgt; &amp;amp;amplt;li&amp;amp;ampgt;&amp;amp;amplt;a href=&quot;https://www.youtube.com/user/f5networksinc&quot; _fcksavedurl=&quot;https://www.youtube.com/user/f5networksinc&quot;&amp;amp;ampgt;F5 YouTube Channel&amp;amp;amplt;/a&amp;amp;ampgt; &amp;amp;amplt;/li&amp;amp;ampgt; &amp;amp;amplt;/ul&amp;amp;ampgt; &amp;amp;amplt;table border=&quot;0&quot; cellspacing=&quot;0&quot; cellpadding=&quot;2&quot; width=&quot;325&quot;&amp;amp;ampgt;&amp;amp;amplt;tbody&amp;amp;ampgt; &amp;amp;amplt;tr&amp;amp;ampgt; &amp;amp;amplt;td valign=&quot;top&quot; width=&quot;200&quot;&amp;amp;ampgt;Connect with Peter: &amp;amp;amplt;/td&amp;amp;ampgt; &amp;amp;amplt;td valign=&quot;top&quot; width=&quot;123&quot;&amp;amp;ampgt;Connect with F5: &amp;amp;amplt;/td&amp;amp;ampgt; &amp;amp;amplt;/tr&amp;amp;ampgt; &amp;amp;amplt;tr&amp;amp;ampgt; &amp;amp;amplt;td valign=&quot;top&quot; width=&quot;200&quot;&amp;amp;ampgt;&amp;amp;amplt;a href=&quot;http://www.linkedin.com/pub/peter-silva/0/412/77a&quot; _fcksavedurl=&quot;http://www.linkedin.com/pub/peter-silva/0/412/77a&quot;&amp;amp;ampgt;&amp;amp;amplt;img style=&quot;border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px&quot; title=&quot;o_linkedin[1]&quot; border=&quot;0&quot; alt=&quot;o_linkedin[1]&quot; src=&quot;https://devcentral.f5.com/s/weblogs/images/devcentral_f5_com/weblogs/macvittie/1086440/o_linkedin.png&quot; _fcksavedurl=&quot;https://devcentral.f5.com/s/weblogs/images/devcentral_f5_com/weblogs/macvittie/1086440/o_linkedin.png&quot; width=&quot;24&quot; height=&quot;24&quot; /&amp;amp;ampgt;&amp;amp;amplt;/a&amp;amp;ampgt; &amp;amp;amplt;a href=&quot;https://devcentral.f5.com/s/weblogs/psilva/Rss.aspx&quot; _fcksavedurl=&quot;https://devcentral.f5.com/s/weblogs/psilva/Rss.aspx&quot;&amp;amp;ampgt;&amp;amp;amplt;img style=&quot;border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px&quot; title=&quot;o_rss[1]&quot; border=&quot;0&quot; alt=&quot;o_rss[1]&quot; src=&quot;https://devcentral.f5.com/s/weblogs/images/devcentral_f5_com/weblogs/macvittie/1086440/o_rss.png&quot; _fcksavedurl=&quot;https://devcentral.f5.com/s/weblogs/images/devcentral_f5_com/weblogs/macvittie/1086440/o_rss.png&quot; width=&quot;24&quot; height=&quot;24&quot; /&amp;amp;ampgt;&amp;amp;amplt;/a&amp;amp;ampgt; &amp;amp;amplt;a href=&quot;http://www.facebook.com/f5networksinc&quot; _fcksavedurl=&quot;http://www.facebook.com/f5networksinc&quot;&amp;amp;ampgt;&amp;amp;amplt;img style=&quot;border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px&quot; title=&quot;o_facebook[1]&quot; border=&quot;0&quot; alt=&quot;o_facebook[1]&quot; src=&quot;https://devcentral.f5.com/s/weblogs/images/devcentral_f5_com/weblogs/macvittie/1086440/o_facebook.png&quot; _fcksavedurl=&quot;https://devcentral.f5.com/s/weblogs/images/devcentral_f5_com/weblogs/macvittie/1086440/o_facebook.png&quot; width=&quot;24&quot; height=&quot;24&quot; /&amp;amp;ampgt;&amp;amp;amplt;/a&amp;amp;ampgt; &amp;amp;amplt;a href=&quot;http://twitter.com/psilvas&quot; _fcksavedurl=&quot;http://twitter.com/psilvas&quot;&amp;amp;ampgt;&amp;amp;amplt;img style=&quot;border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px&quot; title=&quot;o_twitter[1]&quot; border=&quot;0&quot; alt=&quot;o_twitter[1]&quot; src=&quot;https://devcentral.f5.com/s/weblogs/images/devcentral_f5_com/weblogs/macvittie/1086440/o_twitter.png&quot; _fcksavedurl=&quot;https://devcentral.f5.com/s/weblogs/images/devcentral_f5_com/weblogs/macvittie/1086440/o_twitter.png&quot; width=&quot;24&quot; height=&quot;24&quot; /&amp;amp;ampgt;&amp;amp;amplt;/a&amp;amp;ampgt; &amp;amp;amplt;/td&amp;amp;ampgt; &amp;amp;amplt;td valign=&quot;top&quot; width=&quot;123&quot;&amp;amp;ampgt; &amp;amp;amplt;a href=&quot;http://www.facebook.com/f5networksinc&quot; _fcksavedurl=&quot;http://www.facebook.com/f5networksinc&quot;&amp;amp;ampgt;&amp;amp;amplt;img style=&quot;border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px&quot; title=&quot;o_facebook[1]&quot; border=&quot;0&quot; alt=&quot;o_facebook[1]&quot; src=&quot;https://devcentral.f5.com/s/weblogs/images/devcentral_f5_com/weblogs/macvittie/1086440/o_facebook.png&quot; _fcksavedurl=&quot;https://devcentral.f5.com/s/weblogs/images/devcentral_f5_com/weblogs/macvittie/1086440/o_facebook.png&quot; width=&quot;24&quot; height=&quot;24&quot; /&amp;amp;ampgt;&amp;amp;amplt;/a&amp;amp;ampgt; &amp;amp;amplt;a href=&quot;http://twitter.com/f5networks&quot; _fcksavedurl=&quot;http://twitter.com/f5networks&quot;&amp;amp;ampgt;&amp;amp;amplt;img style=&quot;border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px&quot; title=&quot;o_twitter[1]&quot; border=&quot;0&quot; alt=&quot;o_twitter[1]&quot; src=&quot;https://devcentral.f5.com/s/weblogs/images/devcentral_f5_com/weblogs/macvittie/1086440/o_twitter.png&quot; _fcksavedurl=&quot;https://devcentral.f5.com/s/weblogs/images/devcentral_f5_com/weblogs/macvittie/1086440/o_twitter.png&quot; width=&quot;24&quot; height=&quot;24&quot; /&amp;amp;ampgt;&amp;amp;amplt;/a&amp;amp;ampgt; &amp;amp;amplt;a href=&quot;http://www.slideshare.net/f5dotcom/&quot; _fcksavedurl=&quot;http://www.slideshare.net/f5dotcom/&quot;&amp;amp;ampgt;&amp;amp;amplt;img style=&quot;border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px&quot; title=&quot;o_slideshare[1]&quot; border=&quot;0&quot; alt=&quot;o_slideshare[1]&quot; src=&quot;https://devcentral.f5.com/s/weblogs/images/devcentral_f5_com/weblogs/macvittie/1086440/o_slideshare.png&quot; _fcksavedurl=&quot;https://devcentral.f5.com/s/weblogs/images/devcentral_f5_com/weblogs/macvittie/1086440/o_slideshare.png&quot; width=&quot;24&quot; height=&quot;24&quot; /&amp;amp;ampgt;&amp;amp;amplt;/a&amp;amp;ampgt; &amp;amp;amplt;a href=&quot;https://www.youtube.com/f5networksinc&quot; _fcksavedurl=&quot;https://www.youtube.com/f5networksinc&quot;&amp;amp;ampgt;&amp;amp;amplt;img style=&quot;border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px&quot; title=&quot;o_youtube[1]&quot; border=&quot;0&quot; alt=&quot;o_youtube[1]&quot; src=&quot;https://devcentral.f5.com/s/weblogs/images/devcentral_f5_com/weblogs/macvittie/1086440/o_youtube.png&quot; _fcksavedurl=&quot;https://devcentral.f5.com/s/weblogs/images/devcentral_f5_com/weblogs/macvittie/1086440/o_youtube.png&quot; width=&quot;24&quot; height=&quot;24&quot; /&amp;amp;ampgt;&amp;amp;amplt;/a&amp;amp;ampgt;&amp;amp;amplt;/td&amp;amp;ampgt; &amp;amp;amplt;/tr&amp;amp;ampgt; &amp;amp;amplt;/tbody&amp;amp;ampgt;&amp;amp;amplt;/table&amp;amp;ampgt; &amp;amp;amplt;p&amp;amp;ampgt;Technorati Tags: &amp;amp;amplt;a href=&quot;http://technorati.com/tags/F5&quot; _fcksavedurl=&quot;http://technorati.com/tags/F5&quot;&amp;amp;ampgt;F5&amp;amp;amplt;/a&amp;amp;ampgt;, &amp;amp;amplt;a href=&quot;http://technorati.com/tags/in+5+minutes&quot; _fcksavedurl=&quot;http://technorati.com/tags/in+5+minutes&quot;&amp;amp;ampgt;In 5 Minutes&amp;amp;amplt;/a&amp;amp;ampgt;, &amp;amp;amplt;a href=&quot;http://technorati.com/tags/integration&quot; _fcksavedurl=&quot;http://technorati.com/tags/integration&quot;&amp;amp;ampgt;integration&amp;amp;amplt;/a&amp;amp;ampgt;, &amp;amp;amplt;a href=&quot;http://technorati.com/tags/bigip&quot; _fcksavedurl=&quot;http://technorati.com/tags/bigip&quot;&amp;amp;ampgt;big-ip&amp;amp;amplt;/a&amp;amp;ampgt;, &amp;amp;amplt;a href=&quot;http://technorati.com/tags/Pete+Silva&quot; _fcksavedurl=&quot;http://technorati.com/tags/Pete+Silva&quot;&amp;amp;ampgt;Pete Silva&amp;amp;amplt;/a&amp;amp;ampgt;, &amp;amp;amplt;a href=&quot;http://technorati.com/tags/security&quot; _fcksavedurl=&quot;http://technorati.com/tags/security&quot;&amp;amp;ampgt;security&amp;amp;amplt;/a&amp;amp;ampgt;, &amp;amp;amplt;a href=&quot;http://technorati.com/tag/business&quot; _fcksavedurl=&quot;http://technorati.com/tag/business&quot;&amp;amp;ampgt;business&amp;amp;amplt;/a&amp;amp;ampgt;, &amp;amp;amplt;a href=&quot;http://technorati.com/tag/education&quot; _fcksavedurl=&quot;http://technorati.com/tag/education&quot;&amp;amp;ampgt;education&amp;amp;amplt;/a&amp;amp;ampgt;, &amp;amp;amplt;a href=&quot;http://technorati.com/tag/technology&quot; _fcksavedurl=&quot;http://technorati.com/tag/technology&quot;&amp;amp;ampgt;technology&amp;amp;amplt;/a&amp;amp;ampgt;, &amp;amp;amplt;a href=&quot;http://technorati.com/tags/application+delivery&quot; _fcksavedurl=&quot;http://technorati.com/tags/application+delivery&quot;&amp;amp;ampgt;application delivery&amp;amp;amplt;/a&amp;amp;ampgt;, &amp;amp;amplt;a href=&quot;http://technorati.com/tags/citrix&quot; _fcksavedurl=&quot;http://technorati.com/tags/citrix&quot;&amp;amp;ampgt;citrix&amp;amp;amplt;/a&amp;amp;ampgt;, &amp;amp;amplt;a href=&quot;http://technorati.com/tags/cloud&quot; _fcksavedurl=&quot;http://technorati.com/tags/cloud&quot;&amp;amp;ampgt;cloud&amp;amp;amplt;/a&amp;amp;ampgt;, &amp;amp;amplt;a href=&quot;http://technorati.com/tags/context-aware&quot; _fcksavedurl=&quot;http://technorati.com/tags/context-aware&quot;&amp;amp;ampgt;context-aware&amp;amp;amplt;/a&amp;amp;ampgt;, &amp;amp;amplt;a href=&quot;http://technorati.com/tags/xenapp&quot; _fcksavedurl=&quot;http://technorati.com/tags/xenapp&quot;&amp;amp;ampgt;xenapp&amp;amp;amplt;/a&amp;amp;ampgt;, &amp;amp;amplt;a href=&quot;http://technorati.com/tags/automation&quot; _fcksavedurl=&quot;http://technorati.com/tags/automation&quot;&amp;amp;ampgt;automation&amp;amp;amplt;/a&amp;amp;ampgt;, &amp;amp;amplt;a href=&quot;http://technorati.com/tags/web&quot; _fcksavedurl=&quot;http://technorati.com/tags/web&quot;&amp;amp;ampgt;web&amp;amp;amplt;/a&amp;amp;ampgt;, &amp;amp;amplt;a href=&quot;http://technorati.com/tags/video&quot; _fcksavedurl=&quot;http://technorati.com/tags/video&quot;&amp;amp;ampgt;video&amp;amp;amplt;/a&amp;amp;ampgt;, &amp;amp;amplt;a href=&quot;http://technorati.com/tags/blog&quot; _fcksavedurl=&quot;http://technorati.com/tags/blog&quot;&amp;amp;ampgt;blog&amp;amp;amplt;/a&amp;amp;ampgt;, &amp;amp;amplt;a href=&quot;http://technorati.com/tags/F5+APM&quot; _fcksavedurl=&quot;http://technorati.com/tags/F5+APM&quot;&amp;amp;ampgt;APM&amp;amp;amplt;/a&amp;amp;ampgt;&amp;amp;amplt;/p&amp;amp;ampgt;&amp;amp;amplt;/body&amp;amp;ampgt;&amp;amp;amplt;/html&amp;amp;ampgt; ps Resources: F5 Simplifies and Centralizes Access Management for Citrix Applications BIG-IP v10.2.1 Download (Log in required) BIG-IP Access Policy Manager BIG-IP Edge Gateway F5 YouTube Channel
Totally Unscientific SDN and Cloud Survey Results
#SDN #Cloud #F5 #agility2013 #SDDC #devops We did some question asking during SDN sessions at F5's Agility conference. Here's what we discovered about ... everything that's a buzzword Before you get any further, let me reiterate - these are totally unscientific and the sample size is rather small as it was taken from two sessions at the conference focusing on SDN and application services. The good news is that the results pretty much mirror every other survey and research with respect to devops, cloud, and SDN. One of my favorite questions is to determine whether cloud is being adopted because it makes sense or because it's a mandate from on high. As expected, the majority (62%) of respondents indicated the adoption of cloud in their organization was... a company mandate. Some interesting points I pulled out specifically around current data center initiative priorities: 25% of respondents are migrating to a devops model of application deployment 50% of respondents are incorporating SaaS offerings into solutions sold by the organization 65% of respondents are focused on implementing a software defined data center (SDDC) using virtualized resources Despite all the hype around mobile applications, only 20% of respondents have a mobile "first" strategy for applications and infrastructure When looking at responses with regard to private cloud deployments: 24% say a full service deployment is in place 17% of respondents have a pilot deployment in place 19% of respondents are putting plans together with no solid timeline for deployment Only 12% had no plans at all for private cloud Of the popular private cloud platforms: 86% indicated they were using VMware 22% are adopting OpenStack 11% have elected to use CloudStack And of course the one you've been waiting for: SDN A whopping 41% have no plans to deploy SDN 36% of respondents are putting plans together but have no solid timeline for deployment A somewhat surprising 10% of respondents have a pilot SDN deployment in placeAPM Citrix Client Bundle for StoreFront 2.6 HTML5 Receiver
If you're using Citrix StoreFront 2.6 and following the Citrix-VDI-iApp 2.0.0 deployment guide you may run into a snag while creating the Citrix Client Bundle for HTML 5 support (on page 45). In StoreFront 2.6 the Citrix HTML5 Receiver is no longer a standalone MSI file but is now bundled into the StoreFront 2.6 executable. This post will walk you through the process of extracting the HTML5 Receiver MSI to get you past this snag. Open 7-Zip File Manager (or your prefered product) Select the CitrixStoreFront-x64.exe file and then Open Inside (Ctrl+PgDn) Select the Html5Client.zip file and then Open Inside (Ctrl+PgDn) Select the template folder and the Open Inside (Ctrl+PgDn) Select the HTML5Installer.msi and Click the Extract button Now that we have the MSI file you can proceed with the steps in the iApp deployment guide (page 45 if you forgot where you left off).Real Synergy: F5 and VMware
#VDI Faster deployments, lower costs, better productivity. Among the many buzzwords associated with marketing like "agile", synergy is often used to promote the notion of increasing overall IT and business effectiveness through the collaboration of one or more systems or organizations. Like legends and myths, the notion of synergy is based on truth. But that truth is often hard to find, as it relies on being able to measure what has been, in the past, sometimes difficult to measure. While it's always been easy to measure the effectiveness of system-level optimization in terms of TCO, it's been less the case that we could measure productivity. The advent of the programmatic data center is enabling the measurement of this somewhat nebulous metric and provides the insight necessary to compare just which systems, when paired together, is truly synergistic. Principled Technologies recently conducted detailed testing to compare the synergy between F5 and VMware and a Citrix-Citrix solution for delivering VDI. In addition to the expected optimization benefits of an ADC when deployed with a VDI solution such as VMware Horizon View and Citrix XenDesktop, researchers also dug into the operational aspects of such a deployment. With IT tasked to deliver solutions faster and more efficiently - or face the reality of shadow IT as an alternative - the speed with which operations can deploy applications and the systems that deliver them is increasingly important to the overall effectiveness, and total cost, of such initiatives. The report covers the deployment of application delivery controllers in conjunction with an enterprise VDI solution, including evaluation of operational and architectural efficiency. Architectural efficiency is critical because enterprise VDI deployments require more than one connection server to provide high availability and the performance demanded by end-users. Multiple connection servers architecturally requires a load balancing service as well as access control, single sign-on and protocol proxy capabilities to ensure anticipated productivity gains are not negated by additional sign-on processes or decreased application performance. The measure of success is how well the load balancing service can optimize the architecture to use the least number of connection servers to support the highest number of concurrent users without impacting performance or stability. Using the SSL offload capabilities of an ADC further improves architectural efficiency and lowers total costs by reducing the computational load on VDI connection servers, enabling organizations to support more users with fewer resources. Principled Technologies found that a combined F5-VMware Horizon View solution provides a more cost effective, simpler and faster deployment for VDI than a comparable Citrix XenDesktop and Netscaler solution. The report compared the operational efficiency of deploying both solutions, finding an F5-VMware deployment at just less than half an hour to be three times faster than the comparable Citrix deployment. The use of F5 iApps contribute to this operational efficiency and ensures consistent, repeatable results. Costs, too, are 15.7% lower with a joint F5-VMware solution because of the resulting architectural efficiency. Within the report you can find a detailed analysis of the operational gains achieved from an F5-VMware solution including step-by-step deployment metrics and configuration details. You'll also find a comprehensive explanation of the cost analysis and how the evaluation was conducted. Additional Resources: F5-VMware TCO Report VMware EUC and F5: There are Three S's In Success(ful VDI Deployments) VMware BlogF5 Synthesis: Tons and Tons of (Virtual) Options
#virtualization #cloud #sdas The release of Synthesis 1.5 brings more virtual edition options to the table. Most organizations are in transit between running a traditional data centers and managing a more flexible, cloud-enabled model. Their transformation continues to follow some fairly standard phases of adoption ranging from initial virtualization efforts to automation and finally hybrid environments. Each phase of this transformation brings with it new (and additive) benefits. From simplification of network architecture to scalability and on-demand capacity to the flexibility of deployment options, the transformation is certainly one most have determined to affect upon their business and the IT organization that supports (and enables) it. Pre-requisites abound, however. After all, without the availability of virtualization platforms we may not be on this transformation train at all. Cloud had to exist, too, before we could set it upon a pedestal and call it our ultimate goal. In between there are also pre-requisites; pre-requisites that enable organizations to continue on their transformation travels from virtualization to cloud computing (relatively) uninterrupted. One of those requirements is that more than application server infrastructure support virtualization. Virtualization of network and application services is critical to enabling organizations to reach their intended goals. That means vendors like F5 must not only support virtualization, but support it broadly. After all, there are a lot of hypervisors and cloud environments out there that organizations can choose to adopt. There are also a wide variety of needs in terms of capabilities (throughput, connection capacity, etc...) that need to be available to ensure every application (no matter how big or how small) is able to take advantage of the application services they need to successfully execute on their intended purpose. F5 Synthesis High Performance Services Fabric: Virtual Options One of the tenets (or principles, if you prefer) of technologies like cloud and SDN are that they essentially abstract resources in such a way as to present a unified (commoditized, really) "fabric" on which services can be deployed. Network fabrics serve up network services and application service fabrics serve up, not unsurprisingly, application services. F5 Synthesis Services Fabric leverages a common platform to enable this abstraction. The underlying resources can come from F5 hardware (appliances or its VIPRION line of chassis), software or virtualized systems (data center hosted hypervisors or in the cloud). Supporting our own hardware is obviously pretty easy. Supporting the broad set of hypervisors and software options, however, can be a bit trickier. Not just for F5, but for any traditionally hardware-bound solution. But organizations desire - nay, they demand - the flexibility of being able to rapidly deploy more capacity for services, which implies the need for more resources. Often times these may be temporary resources, or cloud resources, and that pretty much requires a software or virtualized form factor approach. But not only does it require support for a variety of hypervisors and software platforms, it also requires different capabilities. After all, adding a new department-level application and its related services is likely to consume a far different set of resources than launch the corporate flagship application. To meet both these requirements and ensure the most flexible set of options, F5 has recently added new performance tiers and hypervisor support for its VE (virtual edition) form factor. All F5 application services are available in a VE form factor and can deployed today even if your entire Synthesis Services Fabric is built on virtual editions. The flexibility afforded by F5 Synthesis' broadest hypervisor and platform support ensures organizations can continue to transform their data centers whether the end goal is pure cloud, hybrid cloud, or just a highly virtualized and automated set of systems. Wherever organizations are today - and wherever they are ultimately going - they can rest assured F5 can support their applications' need for services, no matter how big or how small they might be. For more information on Synthesis: F5 Synthesis Site More DevCentral articles on F5 SynthesisF5 Friday: Doing VDI, Only Better
#F5 does #VDI, and it does it better. There are three core vendors and protocols supporting VDI today. Microsoft with RDP, Citrix with ICA, and VMware with PCoIP. For most organizations a single vendor approach has been necessary, primarily because the costs associated with the supporting network and application delivery network infrastructure required to deliver VDI with the appropriate levels of security while meeting performance expectations of users and the need to maintain high availability. It’s a tall order that’s getting taller with every mobile client introduced, especially when you toss in a liberal dose of enforcing policies regarding access to virtual desktops. Most folks are well aware of F5’s long history of deep integration with its partners Microsoft and VMware. Whether it’s integrating with management systems or designing, testing, and documenting the often times complex joint architectures required to deliver enterprise-class applications like SharePoint and Exchange or building out a dynamic data center model to support cloud computing , F5 works in tandem with its partners to ensure the best experience possible not only for the ultimate consumers but for the IT operations folks who must deploy the solutions. But what most folks aren’t likely as aware of is F5’s commitment and expertise to delivering Citrix VDI as well. That’s natural. After all, Citrix competes with F5 at the application delivery tier and it might seem natural to assume that Citrix could deliver its own technology better than any competitor. But that assumption ignores that F5’s core focus has been and continues to be unified application delivery rather than applications – like VDI - themselves. That unified is in bold because it’s a key factor in why F5 is able to deliver all VDI solutions better, faster, and more efficiently than any other solution today. See, F5’s approach since introducing v9 and its platform has been about the integration of application delivery services. Whether those services reside on the same physical (or virtual) platform is not as important as the integration and collaboration between those services that is made possible by being designed, developed, and ultimately deployed on a common, high-speed, high-security application delivery platform. Consider, for example, the case of a comprehensive Citrix VDI delivery solution: That’s a lot of components, each of which adversely impacts performance and increases operational risk by adding additional complexity and components to the architecture. That’s ignoring the cost, as well, added by not only the need to deploy these solutions but to power them, manage them, and maintain them over time. It’s costly, it’s complex, and it’s ultimately not very extensible. Authentication, for example, must be managed in multiple locations, which increases the risk of misconfiguration or human error, and makes it more likely that orphaned identities will be left behind, always a concern as it creates an opportunity for a breach. This solution also requires manual scripting to integrate the disparate authentication sources, yet another tedious, manual and error-prone process. Now consider the same solution, but leveraging F5 and its platform with BIG-IP Local Traffic Manager and BIG-IP Access Policy Manager deployed: Consolidated (and integrated) authentication. Highly extensible policy management and enforcement, and we’ve eliminated the Web Interface Servers (and NetScalers, but as we’ve replaced them with BIG-IP that’s more of a wash than a win). But it’s not just about reducing the complexity (and ultimately the cost) of such a deployment. BIG-IP LTM and APM can simultaneously support Microsoft and VMware VDI while delivering Citrix VDI – as well as a host of other applications. F5’s solution isn’t a VDI delivery solution, it’s an application delivery solution with support for all VDI implementations and protocols. That includes Citrix Session Reliability to session roaming and reconnection as well as SmartAccess filters. F5 BIG-IP APM can populate SmartAccess filter values based upon any information discovered using VPE(source IP address, AV presence, client certificate presence, etc.) and pass them to the XML broker for evaluation. And let’s not forget about Citrix Multi-Streaming, which to give Citrix credit where due is an innovative solution to the problem of traffic prioritization in VDI delivery. If you aren’t familiar with Multi-streaming, it was introduced in XenDesktop 5.5 & XenApp 6.5 and uses multiple TCP connections (aka Multi-Stream ICA) to carry the ICA traffic between the client and the server. Each of the connections is associated with a different class of service, which allows the network administrator to prioritize each class of service, independently from each other, based on the TCP port number used for the connection. F5 supports Multi-Streaming and has for some time now. No worries. Then there’s VMware PCoIP – which can be challenging, especially when paired with DTLS for security. F5 has that covered, too, as well as its long-term support for optimal delivery of Microsoft-based solutions including its broad set of VDI solutions . I know, you’ve heard configuring F5 BIG-IP is hard and cumbersome. Well, in the past that may have been true but the introduction of iApp with BIG-IP v11 has changed that tune from a dirge to a delightful melody. iApp deployment templates and accompanying deployment guides for XenApp and XenDesktop make deploying BIG-IP painless and far less error-prone than manual processes. One of the drawbacks of VDI architectural complexity is it often presents itself as a single-vendor solution – and a reason for a single vendor virtualization strategy. If your application delivery and access management solution is capable of unifying access while delivering secure, highly performing, very available of any flavor, you’d have more of a choice in what your overall architecture would look like. That kind of choice is enabled through flexibility of the underlying application delivery network infrastructure, which is exactly the role F5 plays in your data center. If your application delivery solution is a flexible platform and not a product, then your network becomes an enabler of architecture and choice rather than being the limiting factor. VDI Resources: Updated Citrix XenApp/XenDesktop APM Template Citrix XenApp/XenDesktop Combined Load-balancing iApp VMware View 5 iApp Template Delivering Virtual Desktop Infrastructure with a Joint F5-Microsoft Solution Optimizing VMware View VDI Deployments F5 Friday: A Single Namespace to Rule Them All (Overcoming VMware Pod Limitations) F5 Friday: Cookie Cutter vApps Realized (Overcoming IP address dependencies to enable application mobility) More Users, More Access, More Clients, Less Control WILS: The Importance of DTLS to Successful VDI From a Network Perspective, What Is VDI, Really? Scaling VDI Architectures VMworld 2011: F5 BIG-IP v11 iApps for Citrix
