citrix
225 Topics

two F5 iApp Citrix gateways behind same SSL LB
We need to migrate from NetScaler to BIG-IP. On NetScaler we have two StoreFront FQDNs and they resolve to the same VIP on the same Citrix Gateway. In other words, one Citrix gateway provides service to two different StoreFront URLs. We do this because of strict firewall rules between users and our NetScaler; they are managed by different IT teams. End users don't have to whitelist another IP in their firewalls, so we can re-use the same IP to provide another storefront for end users. This IP has been allowed for years. The Citrix gateway has session policies checking the host in the HTTP header to forward the traffic to different backend storefronts with the -wihome parameter. If a user accesses FQDN_A then the session policy matches and the session action forwards the traffic to -wihome Storefront_URL_A. If a user accesses FQDN_B then the session policy matches and the session action forwards the traffic to -wihome Storefront_URL_B. This setup has worked fine on NetScaler for more than two years. On F5 BIG-IP we created two gateways with the iApp template. Each iApp gateway can support one StoreFront FQDN, so we created two gateways with the iApp. Two FQDNs resolve to the same IP on NetScaler, so we created a generic SSL LB in front of the two iApp gateways and attached an SNI-based traffic policy. Now the issue is that the user can log in and authenticate with either FQDN, see the StoreFront UI, see the allowed app icons and get the .ICA file, but Citrix Workspace cannot establish a VDI session with the ICA file. Citrix Workspace gets stuck at "Opening the resource Connection in progress..." and fails with "Unable to start unable to launch your applications due to an internal error. Contact your system administrator." ICA works, so I think the traffic from end users to each iApp gateway through the front LB works and the traffic policy works based on the SNI check. Not sure why ICA works but VDI fails through the LB. However, if I move the IP to one of the iApp gateways, both ICA and VDI work without problem.
Thank you for your assistance.

Citrix XenServer Big-IP Upgrade help
I am looking to upgrade our stand-alone BIG-IP on XenServer. Currently running 15.1.2.1. It looks like I can just upgrade to 17 based on K13845. I am stuck on exactly which file to download. I also read K51113020 on how to do the upgrade, but I am a little hesitant because it doesn't reference XenServer specifically. Looking at the files on the download page, I am not sure if I just pull an OVA file? The VM guy seems to think that is really for a new install, not an upgrade. I will take any tips, tricks or strategies to make this a simple upgrade. Thanks in advance. John

F5 APM - SAML Auth with Citrix Workspace App
Hello, I have configured SAML auth with Azure AD with APM and the StoreFront web interface with no issues. I'm wondering if anyone has tried getting the local Receiver/Workspace app to work? It looks like the local client now supports SAML auth coming from a NetScaler; however, I'm not sure if APM can trigger the app to redirect to Azure to log in.

source IP and source Port persistence using irule - Citrix - (carp vs uie)
Hi, We ran into an issue of uneven load balancing due to using Citrix. Clients end up using the same IP, so we decided we need to start load balancing using the source port as well. I have done my homework and searched around until I came across multiple solutions: either use uie or carp. I have multiple questions I hope I will get answers for. I understand carp doesn't have a timeout, so that leads to the question: is it better to use in this situation? Also we are leaning towards load balancing using least connections. Does each algorithm limit you to a specific load-balancing method? Per my iRule below I don't add persist, assuming it is done automatically. Am I wrong with that assumption? Should I be adding each successful persistence record? What would be the best way to test such an implementation? Here is the iRule I'm about to implement.

when CLIENT_ACCEPTED {
    # Persistence key combines client IP and source port, so clients sharing one IP spread across the pool
    set client_ip_port "[IP::client_addr]:[TCP::client_port]"
    # Tcl expressions use && and ne rather than 'and'; both values are always populated in CLIENT_ACCEPTED,
    # so this guard only skips a zero port or empty address
    if { [TCP::client_port] != 0 && [IP::client_addr] ne "" } {
        persist carp $client_ip_port
    }
}

APM IdP SAML config for sharefile
Hi all, we are trying to configure a SAML setup with an F5 SAML guide. Our system should have F5 as the SAML IdP and sharefile.com as SP. Does anyone have experience with this architecture? What we already have:

F5 APM config:
EntityID: https://auth.customer.com
Bound SP Entity: https://serviceat.sharefile.com/saml/info
Assertion Consumer Service URL: https://serviceat.sharefile.com/saml/acs

Sharefile config:
Sharefile Issuer: https://serviceat.sharefile.com/saml/info
IdP Issuer: https://auth.customer.com
Login URL: https://auth.customer.com/saml/idp/profile/redirectorpost/sso
Logout URL: https://auth.customer.com/saml/idp/profile/post/sls

When the user tries to log in on Sharefile, he is redirected to the F5 APM login page; after a successful login, the URL https://auth.customer.com/saml/idp/profile/redirectorpost/sso?SAMLRequest=blablabal.... is requested via GET, but there we don't get any response, so no redirect to the Consumer Service of Sharefile can be seen. With the SAML tracer I can see the request to the F5: https://serviceat.sharefile.com/saml/info urn:oasis:names:tc:SAML:2.0:ac:classes:Password Does anyone have an already running SAML configuration like this or any hints as to what we are doing wrong here? It seems to me that the APM doesn't listen on the requested URL. Thanks in advance, Philipp

citrix with NAT, possible?
I'm trying to get the following environment working: APM app publishing for XenApp 6.5, 2 XML brokers and 2 ICA servers; the Citrix environment is in a vCloud with NAT. BIG-IP sees the NATed addresses of all servers. The broker part is working well, as I get the apps published on the webtop. The issue is when the Receiver starts and the APM gets the XML file for the app connection: we see inside that file the following entries that are problematic: :1494 [...] :443 [..] The result is that a packet trace for the Receiver to APM shows only a couple of TLS handshakes without app data, then the APM terminates them. The Receiver shows a "network issue" error (not SSL, as we have fixed all certificate/SSL issues previously). I guess it's because it cannot interpret/rewrite that XML file. We must use NAT because of vCloud/topology and I'm stuck here. Any idea? Thanks! Alexandre

XenApp 6.5 with Kerberos Auth and CIFS-Windows Shares
I have been having difficulties with this issue for some time and I am hoping that someone can shed some light on it. All information in this post will be from my test bed environment; however, the same issue is occurring in our live development environment. We are running 11.5.1 HF5 and so far I have been able to get Kerberos authentication working in order to access my published Citrix applications with APM proxying all ICA traffic and replacing the Citrix Web Interface. The issue comes in once a published app is launched, for example Notepad: I am then unable to access any mapped drives or other CIFS/Windows shares using Kerberos and instead I am asked for my username and password. I have been mostly following this thread to get to where I currently am, as I have a similar scenario: F5 BigIP LTM 6900 In my testbed I have one Domain Controller, one server called XML1 which is my XenApp server, and one server called WB1 which is where I had the Citrix Web Interface when I was trying pass-through authentication, along with where I created the shared folder I am trying to access through my Citrix apps. All servers are Windows 2008 R2; the domain level is set to 2003. Our clients are not joined to the domain but I have a valid method of locating the right user using an APM AD query. My mapped drives are in both \\servername\share and \\fqdn\share forms. Would appreciate any help I can get, Sheigh

Optimizing application delivery with F5 Secure ICA proxy
F5's Secure ICA proxy solution on APM/EDGE is over a year old now, and has been successfully deployed at many of our customers. Besides the simplicity and ease of administration it provides, F5 customers are looking for more value and want to make sure that the solution they implement can provide the fastest delivery of Citrix XenApp and XenDesktop to remote users. In one scenario, we've found that leveraging the following TCP profile on the APM ICA proxy virtual can drastically improve performance of applications where large data transfers are happening between the client and the XenApp/XenDesktop farm. This profile was tested in a typical WAN scenario with the client connecting over a T1 on a 200 ms link with 0.5-1% packet loss. In this scenario, F5 ICA proxy was able to maintain almost full bandwidth throughput (close to 1.5 Mbit/s on the ICA connection), which was more than a 2x improvement over throughput with the regular TCP stack. This is the snippet of the TCP profile configuration from bigip.conf:

profile tcp optimized_xenapp_wan {
   defaults from tcp-lan-optimized
   reset on timeout enable
   time wait recycle enable
   delayed acks disable
   proxy mss disable
   proxy options disable
   deferred accept disable
   selective acks disable
   dsack disable
   ecn disable
   limited transmit disable
   rfc1323 disable
   slow start disable
   bandwidth delay disable
   nagle disable
   abc enable
   ack on push enable
   verified accept disable
   pkt loss ignore rate 0
   pkt loss ignore burst 0
   md5 sign disable
   cmetrics cache enable
   md5 sign passphrase none
   proxy buffer low 98304
   proxy buffer high 131072
   idle timeout 300
   time wait 2000
   fin wait 5
   close wait 5
   send buffer 65535
   recv window 65535
   keep alive interval 1800
   max retrans syn 4
   max retrans 8
   ip tos 0
   link qos 0
   congestion control scalable
   zero window timeout 20000
}

If you are running or deploying the F5 Secure ICA proxy solution, we encourage you to try this TCP profile and see if it improves ICA performance in your environment as well.
Any and all feedback will also be greatly appreciated.

rewrite iRule
How do I write the below iRule if I want to use the two events together?

Event & condition:

when CLIENT_ACCEPTED {
    Client IP: [IP::client_addr] equals 10.0.0.0/8
}
when HTTP_REQUEST {
    if { [string tolower [HTTP::header User-Agent]] contains "/Firefox" or "/Chrome" or "/Opera" or "/safari" }
}

Action: the action is to rewrite the URI.
-reqUrlFrom "https://www.f5.com/citrix/wwl_prodweb/" -reqUrlInto "https://www.f5.com/citrix/wwl_prodwebExplicit/"

Any help would be highly appreciated!

f5-lbaasv-1.0.10 agent configuration to test single tenant f5 lbaas with openstack
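One way to combine the two events, as an added example that is not the poster's iRule nor any F5-provided code: the CLIENT_ACCEPTED result is stored in a connection-scoped variable that HTTP_REQUEST reads, and the rewrite touches only the path prefix because the scheme and host in -reqUrlFrom/-reqUrlInto are identical. It assumes the Host header is www.f5.com, and the browser patterns drop the leading slash because real User-Agent strings put the product name before the slash (for example "Firefox/120").

```tcl
# Added example (not from the original post): combine a source-network check in
# CLIENT_ACCEPTED with a User-Agent check in HTTP_REQUEST, then rewrite the URI prefix.
# Assumptions: Host header is www.f5.com; only the path differs between the two URLs.
when CLIENT_ACCEPTED {
    # Evaluate the 10.0.0.0/8 test once per TCP connection; the variable is visible
    # to every HTTP_REQUEST that follows on this connection.
    set from_internal [IP::addr [IP::client_addr] equals 10.0.0.0/8]
}

when HTTP_REQUEST {
    # Only connections that matched the network test above are considered.
    if { !$from_internal } { return }

    # Lower-case the header once so the glob patterns can be all lower-case.
    set ua [string tolower [HTTP::header User-Agent]]
    set is_browser 0
    switch -glob -- $ua {
        "*firefox*" - "*chrome*" - "*opera*" - "*safari*" { set is_browser 1 }
    }
    if { !$is_browser } { return }

    # Rewrite /citrix/wwl_prodweb/... to /citrix/wwl_prodwebExplicit/... for this host,
    # keeping whatever followed the original prefix (path remainder and query string).
    set from "/citrix/wwl_prodweb/"
    set into "/citrix/wwl_prodwebExplicit/"
    if { [string tolower [HTTP::host]] eq "www.f5.com" && [HTTP::uri] starts_with $from } {
        HTTP::uri "${into}[string range [HTTP::uri] [string length $from] end]"
    }
}
```

Note that a Chrome User-Agent also contains the word "Safari", so the "*safari*" pattern matches more than Safari itself; the match is a coarse classification, not an identity check.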
I am trying the F5 LBaaSv1 version 1.0.10 driver and agent to provision the pool, VIP and pool members into BIG-IP LTM 11.6 VE launched as an OpenStack VM. Here are the steps I have followed.

1. Launched the BIG-IP LTM VM with 3 interfaces.
2. Interface eth0 is the management interface.
3. I performed the below steps from the UI of the BIG-IP VM and the datapath works for LBaaS.
3.1. SNAT creation: SNAT is created with the following configuration. Translation: Automap; Origin: All IPv4 addresses; VLAN / Tunnel Traffic: All.
3.2. Created 2 VLANs, untagged tunnel. Internal: interface 1.1 (eth1) with IP 51.0.0.4 is for the internal network (network between pool members and the BIG-IP VM). External: interface 1.2 (eth2) with IP 61.0.0.4 is for the VIP (external network).
3.3. Created 2 self IPs: self IP 51.0.0.4 created for the internal tunnel; self IP 61.0.0.4 created for the external tunnel.
3.4. Created a virtual server with destination IP 61.0.0.4.
3.5. Created a pool and added 2 pool members (51.0.0.9, 51.0.0.10).
3.6. Launched a VM on the 61.0.0.0/24 network and sent a curl request to VIP 61.0.0.4, and the datapath works.

Now I want to provision the above steps with f5-oslbaas-agent; the agent runs with f5-oslbaasv1-agent.ini, which has many configurable options. Which are the options I need to fill in to test single-tenant F5 LBaaS? Any thoughts on this??