F5 APM - SAML Auth with Citrix Workspace App
Hello, I have configured SAML auth with AzureAD with APM and storefront web interface with no issues. Im wondering if anyone has tried getting the local receiver/workspace app to work? It looks like the local client now supports SAML auth coming from a netscaler, however not sure if APM can trigger the app to redirect it to Azure to login.
source IP and source Port persistence using irule - Citrix - (carp vs uie)
Hi, We ran into an issue of uneven load-balancing due to using citrix. Clients end up using the same IP so we decided we need to start load-balancing using the source port as well. I have done my homework and search around until I came across multiple solutions of either to use uie or carp. I have multiple questions hopefully I will get answers for. I understand carp doesn't have a timeout so that leads to a question is it better to use in this situation? Also we are leaning towards load-balancing using the least connections. Would each algorithm limits to a specific load-balancing method? Per my irule below I don't add persist assuming it is done automatically. am I wrong with that assumption? Should I be adding each successful persistence records? what would be the best way to test such an implementation? Here is the irule I'm about to implement. when CLIENT_ACCEPTED { set client_ip_port "[IP::client_addr]:[TCP::client_port]" if {[TCP::client_port] and [IP::client_addr] !=0} { persist carp $client_ip_port } }
APM IdP SAML config for sharefile
Hi all, we try configuring a SAML config with an F5 SAML guide. Our system should have F5 as a SAML IdP and sharefile.com as SP. Does anyone has expirience with this architecture? What we already have: F5 APM config: EntidyID: https://auth.customer.com binded SP Entidy: https://serviceat.sharefile.com/saml/info Assertion Consumer Service URL: https://serviceat.sharefile.com/saml/acs Sharefile config: Sharefile Issuer: https://serviceat.sharefile.com/saml/info IdP Issuer: https://auth.customer.com Login URL: https://auth.customer.com/saml/idp/profile/redirectorpost/sso Logout URL: https://auth.customer.com/saml/idp/profile/post/sls When the user tries to login on sharefile, he will be redirected to the F5 APM Login Page; after successful Login, the URL https://auth.customer.com/saml/idp/profile/redirectorpost/sso?SAMLRequest=blablabal.... is requested via GET, but there we didn't get any response. - so no redirect to the Consumer Service of Sharefile can be seen. With the SAML tracer I can see the request to the F5: https://serviceat.sharefile.com/saml/info urn:oasis:names:tc:SAML:2.0:ac:classes:Password Does anyone have an already running SAML configuration like this or has any hints, what we are doing wrong here? It seems to me, that the APM doesn't listen to the requested URL. Thanks in advance, Philipp
citrix with NAT, possible?
I'm trying to have the following environment working: APM app publishing for XenApp 6.5 2 XML broker and 2 ICA servers the citrix environment is in a vCould with NAT. BIGIP sees the NATed addresses of all servers. The broker part is working well as I get the apps publish on the webtop. The issue is when the receiver starts and the APM gets the XML file for app connection, we see inside that file following entries that are problematic :1494 [...] :443 [..] The result is that packet trace for the Receiver to APM shows only a couple of TLS handshakes without app data, then the APM terminates them. The receiver puts an error "network issue" (not SSL, as we have fixed all certificate/SSL issues previously). I guess it's because it cannot interpret/rewrite that XML file. We must use NAT because of vCloud/topology and I'm stuck here. Any idea? Thanks! AlexandreXenApp 6.5 with Kerberos Auth and CIFS-Windows Shares
I have been having difficulties with this issue for some time and I am hoping that someone can shed some light on it. All information in this post will be from my test bed environment, however the same issue is occurring in our live development environment. We are running 11.5.1 HF5 and so far I have been able to get Kerberos authentication working in order to access my published Citrix Applications with APM proxying all ICA traffic and replacing the Citrix Web Interface. The issue comes in when once a published app is launch, for example Notepad, I am then unable to access any mapped drives or other CIFS-Windows shares using Kerberos and instead I am asked for my Username and Password. I have been mostly following this thread to get to where I currently am as I have a similar scenario: F5 BigIP LTM 6900 In my testbed I have one Domain Controller, one server called XML1 which is my XenApp server and one server called WB1 which is where I had the Citrix Web Interface when I was trying pass-through authentication along with where I created the shared folder I am trying access through my Citrix apps. All servers are Windows 2008 R2, domain level is set to 2003. Our clients are not joined to the domain but I have a valid method of locating the right user using a APM AD query. In my testbed I have one Domain Controller, one server called XML1 which is my XenApp server and one server called WB1 which is where I had the Citrix Web Interface when I was trying pass-through authentication along with where I created the shared folder I am trying access through my Citrix apps. All servers are Windows 2008 R2, domain level is set to 2003. Our clients are not joined to the domain but I have a valid method of locating the right user using a APM AD query. My mapped drives are in both \\servername\share and \\fqdn\share forms. Would appreciate any help I can get, SheighOptimizing application delivery with F5 Secure ICA proxy
F5's Secure ICA proxy solution on APM/EDGE is over a year old now, and has been successfully deployed at many of our customers. Besides the simplicity and ease of administration it provides, F5 customers are looking for more value and want to make sure that the solution they implement can provide the fastest deliver of Citrix XenApp and XenDesktop to the remote users. In one scenario, we've found that leveraging the following TCP profile on the APM ICA proxy virtual can drastically improve performance of applications where large data transfers are happening between the client and the XenApp/XenDesktop farm. This profile was tested in a typical WAN scenario with client connecting over T1 on a 200 ms link with 0.5-1% packet loss. In this scenario, F5 ICA proxy was able to maintain almost full bandwidth throughput(close to 1.5 Mbits/sec on the ICA connection, which was more than 2x improvement over throughput with regular TCP stack. This is the snippet of the TCP profile configuration from bigip.conf profile tcp optimized_xenapp_wan { defaults from tcp-lan-optimized reset on timeout enable time wait recycle enable delayed acks disable proxy mss disable proxy options disable deferred accept disable selective acks disable dsack disable ecn disable limited transmit disable rfc1323 disable slow start disable bandwidth delay disable nagle disable abc enable ack on push enable verified accept disable pkt loss ignore rate 0 pkt loss ignore burst 0 md5 sign disable cmetrics cache enable md5 sign passphrase none proxy buffer low 98304 proxy buffer high 131072 idle timeout 300 time wait 2000 fin wait 5 close wait 5 send buffer 65535 recv window 65535 keep alive interval 1800 max retrans syn 4 max retrans 8 ip tos 0 link qos 0 congestion control scalable zero window timeout 20000 } If you are running or deploying F5 Secure ICA proxy solution, we encourage you to try this tcp profile and see if it improves ICA performance in your environment as well. Any and all feedback will also be greatly appreciated.
rewrite iRule
How to write the below iRule if I want to use the two events together ? event&Condition: when CLIENT_ACCEPTED { Client IP:[IP::client_addr] equals 10.0.0.0/8 } when HTTP_REQUEST { if { [string tolower [HTTP::header User-Agent]] contains "/Firefox" or "/Chrome" or "/Opera" or "/safari" } Action The action is to rewrite the URI. -reqUrlFrom "https://www.f5.com/citrix/wwl_prodweb/" -reqUrlInto "https://www.f5.com/citrix/wwl_prodwebExplicit/" Any help would be highly appreciated !
f5-lbaasv-1.0.10 agent configuration to test single tenant f5 lbaas with openstack
I am trying F5 LBaaSv1 VERSION 1.0.10 driver and agent to provision the pool,vip and pool member into bigip ltm 11.6 VE launched as openstack vm. Here are below steps i have followed. 1. launched bigip ltm vm with 3 interfaces. 2. interface eth0 is management interface . 3. I performed below steps from UI of bigip vm and datapath work for lbaas. 3.1.SNAT Creation SNAT is created with following configuration. Translation Automap Origin All Ipv4 addresses VLAN / Tunnel Traffic ALL 3.2. Created 2 vlan Untagged tunnel. Internal : Interface 1.1(eth1) with ip 51.0.0.4 is for internal network(network b/w pool member and bigip vm) External : Interface 1.2(eth2) is with ip 61.0.0.4 for vip (external network) 3.3 Created 2 selfip selfip 51.0.0.4 created for internal tunnel selfip 61.0.0.4 created for external tunnel 3.4. Created virtual server with destination ip 61.0.0.4. 3.5. Created pool and added 2 pool member (51.0.0.9, 51.0.0.10) 3.6. Launched vm on 61.0.0.0/24 network address and sent curl request to vip 61.0.0.4 and datapath work. Now i want to provision above steps with f5-oslbaas-agent,agent run with f5-oslbaasv1-agent.ini,That has many configurable options,which are the option i need to fill to test single tanant f5lbaas.Any thoughts on this??
source address & source port persistence
Hi ! I have a virtual server that has a pool of 3 Citrix Secure Gateway servers. The VIP is FASTL4, with source address persistence and least conections LB. I would like to implment an irule that provides us with source address & port persistence, and after doing some research I found this sample: when CLIENT_ACCEPTED { if {[TCP::client_port] and [IP::client_addr] !=0} { persist uie "[IP::client_addr]:[TCP::client_port]" } } However, I have some doubts... The traffic is ICA over SSL, and the SSL offload is done at the Gateways, not at the F5. Does this represent a problem? What TCP profile would I need to set my VIP to in order to make the irule work? Thanks! Fabian
Where is the "settings" functionality for APM Citrix?
In the Citrix Netscaler there is a section where the user can configure the behavior of the Citrix connection ie: Settings Cancel Save General Configure settings that are applied across the whole Web site Show Hints (Full Graphics only) Logon behavior Logoff behavior Log off all sessions Context-sensitive Help Logoff action Log off all sessions Select this option to shut down all your currently active resources when you log off from the Web site. If you clear the check box, any active resources continue to run when you log off. Note: This setting applies to online resources only; that is, resources that are hosted on a remote server. Offline applications always continue to run when you log off from the Web site. Configure the behavior of the Reconnect button Reconnect: Select the sessions to reconnect: Context-sensitive Help Reconnect sessions Select this option to enable the Reconnect button. Specify which sessions you want to reconnect by choosing the appropriate setting from the list. Disconnected sessions only When the Reconnect button is clicked, you are reconnected only to resources that were suspended when you disconnected your previous session. All active and disconnected sessions When the Reconnect button is clicked, you are reconnected to all your active resources, plus any resources that were suspended when you disconnected your previous session. Note: This setting applies to online resources only; that is, resources that are hosted on a remote server. Offline applications cannot be reconnected. Client for accessing virtual desktops and applications The Native Client is currently selected. Run Client Detection User Experience Virtual desktop or application window size Window size: Context-sensitive Help Window size No preference Use the default setting configured by your system administrator. Full screen Resource windows are maximized to fill your computer screen. Seamless Resources that support resizing appear in resizable windows. Custom dimensions Enables you to specify the size of resource windows in pixels. Enter the required dimensions in the format width x height in the Custom size (px) boxes below. Percentage of screen Enables you to specify the size of resource windows as a percentage of your computer screen. Enter the required value in the Percentage of screen box below. Custom size (px): Custom width (px): x Custom height (px): Percentage of screen: % This page. Does anything like this exist in F5 APM?