citrix
224 Topics

Citrix HTML5 client does not work (CTX134123 error)
I’m struggling to connect our Citrix 7.13 XenApp and XenDesktop farm through the BIG-IP using Citrix’s HTML5 receiver. I’m new to the F5 BIG-IP. I can connect to the virtual server on the BIG-IP from within our internal network just fine! I can log on, my desktop is opened and all applications are available and I can start them all. But whatever I do, when I start the session (HTML5 client) from the internet (home PC) I can log on but immediately get the message: ‘Citrix Receiver cannot create a secure connection in this browser. Please refer to Citrix Knowledge Center article CTX134123’. I do see all available applications, but when I try to start one of them I get the same error. The Citrix article does not offer help. I think some kind of network traffic isn’t working through the BIG-IP (because I don’t see this problem when I connect from the internal network).
I’ve implemented the iApp using mostly default settings, except:
In general: No, do not proxy ICA traffic and authenticate users with the BIG-IP.
In Virtual Server for Web Interface or StoreFront servers: Terminate SSL for clients, re-encrypt to Citrix servers (SSL bridging). The IP address that clients will use is the external IP BIG-IP (virtual server) address. The Citrix environment uses StoreFront 3.0. BIG-IP virtual servers are on the same subnet as the StoreFront servers.
In Virtual Server for XML Broker or Desktop Delivery Controller (DDC) Servers: BIG-IP virtual server in relation to your XML Broker or DDC servers? Same subnet for the virtual server and the XML Broker.
In ICA Traffic: How will ICA traffic travel between the clients and the ICA servers? BIG-IP system acts as gateway (router) to the ICA server network. Which VLANs should accept ICA traffic? ICA traffic is allowed from all VLANs.
I’ve implemented the Citrix HTML5 client bundle on the BIG-IP.
Any help you can offer will be greatly appreciated! Kind regards, Paul
6.3K Views, 0 likes, 1 Comment

Citrix ICA proxy session disconnect control problem
Hi Everyone, Quick overview of what I am trying to accomplish. To start, I have very limited experience with ICA proxy and am just getting more familiar with it now. So, we have a Citrix XenApp environment used for desktop application delivery for a remote client. We do have a working environment (BIG-IP 10.2.4 LTM, APM); however, the client requested a change in the application delivery configuration. Now the client has requested that, in the event of a dropped internet connection, the Citrix Receiver session be disconnected on the XenApp end after 60 seconds of idle time. So, I have reconfigured the timeout on the backend and tested everything locally, where I was able to achieve the desired result. I would launch the application and then disconnect the network cable from the desktop running Citrix Receiver. As expected, the session would get dropped in the XenApp console after 60 seconds exactly. Again, all of that works connecting everything directly, bypassing the load balancer. However, when going through ICA proxy, when I pull the network cable the session does not die for 7 and a half minutes. I have tried to make changes to the TCP WAN and LAN profiles utilized by ICA proxy by changing idle timeout values to 60 seconds, but all without any success. The session would not get disconnected for 7.5 minutes no matter what I do. Please help me to understand why I am not able to control the session timeout and what I am doing wrong. I have a suspicion that when I pull the cable, the client-side connection does indeed die and gets dropped, but on the server side it stays alive. If that is the case I might need an iRule to kill the server-side connection once the client-side connection dies. Please help me to understand...
3.4K Views, 0 likes, 2 Comments

Receiving error when connecting to Citrix Receiver for external use.
I am more of a Citrix person than F5, but we are trying to deploy Citrix Receiver to all domain-based endpoints. We are using XenDesktop 7.6 and StoreFront 2.6.0.5031 with a single FQDN certificate. Internally it works fine using Receiver for Web and Citrix Receiver GUI - SSO. However, externally it won't work correctly with Citrix Receiver, but works fine with Receiver for the Web with pass-through. We have an F5 and are using the latest iApp. We are using the icaclient ADM Template for all domain-based machines and have set up the StoreFront Account to https://storefront.company.com/Citrix/Store/discovery;on;Description (example). We enabled pass-through authentication = Enabled, Allow pass-through authentication for all ICA connections = Enabled in the GPO. The error we receive in Citrix Receiver when trying to refresh apps externally is "Your apps are not available at this time. Please try again in a few minutes or contact your help desk with this information. Cannot contact (store)." It appears it's not communicating back to the F5 at all. Citrix mentions it's something not configured correctly on the F5 and they can't support it. I am curious if anyone else has run into the issue and how to fix it? Let me know if you need more information. Thanks!
2.1K Views, 0 likes, 7 Comments

Two-factor authentication for Citrix Receiver for Windows
I have deployed F5 APM with two-factor authentication. APM is currently replacing the Web Interface / Storefront servers. Two-factor authentication is confirmed working for the Webtop, Citrix Receiver for Mac, Citrix Receiver for iOS and Citrix Receiver for Android. My issue is that Citrix Receiver for Windows doesn't appear to have the necessary options to select the Logon type of "Security token only" or "Domain and security token" like the Receiver for other OS's do. I suspect that Citrix Receiver for Windows requires some kind of configuration push from the server (which in my case is APM). Has anyone else experienced this issue or have any ideas?
2K Views, 0 likes, 32 Comments

Citrix ADC to F5 BIG-IP migration
You can use the free Citrix course eCNS-2017 under the Citrix training site to do the reverse migration. They also have many CTX articles for iRule to policy migration that can also be used for the reverse policy to iRule/Local Traffic Policy. It will be nice if F5 also makes a migration tool, as there is an unofficial script that is old (https://devcentral.f5.com/s/articles/citrix-netscaler-to-f5-big-ip), so some official migration tool will be nice.
1.6K Views, 0 likes, 1 Comment

Citrix access using SAML
Is it possible to perform SSO into Citrix when using Azure SAML to authenticate to the F5? All the docs, guides or bits and pieces I have found that reference passwordless involve using a smartcard. I have seen some references pointing to an additional SAML connection to the StoreFront, but everything I have found seems to be pretty vague. Any tips, guidance, references would be greatly appreciated.
1.5K Views, 1 like, 3 Comments

F5 APM - SAML Auth with Citrix Workspace App
Hello, I have configured SAML auth with AzureAD with APM and the StoreFront web interface with no issues. I'm wondering if anyone has tried getting the local Receiver/Workspace app to work? It looks like the local client now supports SAML auth coming from a NetScaler; however, I'm not sure if APM can trigger the app to redirect it to Azure to log in.
1.4K Views, 0 likes, 9 Comments

citrix storefront + smart access + apm
Does anyone have this working? I'm trying to get smart access policies to work with StoreFront 2.6 using v2.2 of the Citrix iApp... and every possible configuration I've tried does NOT work. I've followed the guide step by step. F5 support has not responded to me for weeks. I've verified this configuration works with NetScaler, and the smart access also works from the same F5 device utilizing the webtop instead of StoreFront... I've also verified the variables are being set by APM... it's just not passing through to StoreFront...
1.3K Views, 0 likes, 9 Comments

Replacing Citrix Secure Gateway with LTM/APM?
Currently we have a number of sites that have downstream Citrix Secure Gateways that sit in front of the Citrix Web Servers and in turn in front of the various downstream delivery controllers. As it stands, I'm looking to slowly ease the LTM/APM functionality in front of the SG. Currently the SG proxies the ICA traffic within an HTTPS tunnel; we simply expose TCP443 out to the WWW via LTM and set up the Citrix SG as a pool member:

Client via WWW --> (x.x.x.x:TCP443) F5 LTM (SNAT x.x.x.y) --> (a.a.a.a:TCP443) Citrix Secure Gateway --> (a.a.a.b:TCP80) Citrix Web Interface

Whilst it would seem that it should be quite easy to simply replicate the functionality of the SSL offload that the Citrix SG does, it appears that it natively handles the ICA proxy as well. From my research the 'proxying' is far less graceful than the Citrix doco would make it seem; I believe from my reading on various forums that it simply forces ICA traffic down TCP443, and as ICA is not HTTP-compliant traffic, it causes issues with LTM (i.e. as soon as the desktop session launches, it crashes). I found some interesting and ingenious iRule scripts that look for various aspects of the SSL handshake and, if they are not present, then assume it's ICA and then don't enforce HTTP compliance, but I couldn't seem to get them to function. Looking at F5 doco, the claim is that you need APM to enable ICA proxying (remember I'm not trying to abstract auth), just replace the Citrix SG role. Under the VS configuration on LTM (when you have the APM license installed) a config tickbox called 'Citrix & Java Support' becomes available... no idea what its job is.

Citrix & Java Support - { Enable this check box if you want to provide connections to Citrix desktop resources or to support connections from Java applications.}

All I'm really looking to do is remove the need for the Citrix Secure Gateway component, so I assume I need to replicate this functionality:
1. offload the SSL processing and be able to pass additional HTTP headers downstream (like XFF for example)
2. allow ICA traffic to be rammed down the TCP443 listener (if that is in fact how ICA is 'proxied')
Has anyone else achieved this?
1.3K Views, 0 likes, 14 Comments