xenapp
12 Topics

Citrix XenApp Secure Access Deployment
Problem this snippet solves:
With the combination of BIG-IP Access Policy Manager (APM) and Citrix "XenApp", organizations can deliver a complete remote access solution that allows for scalability, security, compliance and flexibility. The following iRule provides the functionality for a secure proxy connection from various Citrix clients (PN Agent, Dazzle, Receiver and Web Browser) without the need for additional clients installed on the devices.

How to use this snippet:
Deployment Guide: https://f5.com/solutions/deployment-guides/citrix-xenapp-or-xendesktop-release-candidate-big

Code :
rule APM_Citrix {
when RULE_INIT {
    set tmm_apm_pnagent_url "/Citrix/PNAgent/config.xml"
}

when CLIENT_ACCEPTED {
    TCP::collect 7
}

when CLIENT_DATA {
    # Disable SSL if it's HTTP CONNECT request
    if { [TCP::payload 7] equals "CONNECT" } {
        SSL::disable
    }
    TCP::release
}

when HTTP_REQUEST {
    set tmm_apm_host [HTTP::host]
    set tmm_apm_uri_path [HTTP::path]
    set tmm_apm_user_agent [HTTP::header "User-Agent"]
    set tmm_apm_http_method [HTTP::method]
    set tmm_apm_session_id ""
    set tmm_apm_citrix_receiver 0
    set tmm_apm_citrix_pnagent 0
    set tmm_apm_citrix_ica_patching 0
    set tmm_apm_vip "$tmm_apm_host:[TCP::local_port clientside]"

    log -noname accesscontrol.local1.debug "01490000:3: Request [HTTP::request]"

    if { [HTTP::cookie exists "MRHSession"] } {
        set tmm_apm_session_id [HTTP::cookie "MRHSession"]
    }

    if { $tmm_apm_user_agent contains "CitrixReceiver" } {
        set tmm_apm_citrix_receiver 1
    } elseif { $tmm_apm_user_agent contains "PNAMAIN" or $tmm_apm_user_agent contains "Dazzle" } {
        set tmm_apm_citrix_pnagent 1
    }

    if { $tmm_apm_http_method equals "CONNECT" } {
        # Handle the secure proxy connect requests. Return a Proxy-Authenticate header
        # field with a challenge if the user is not authenticated.
        if { ![HTTP::header exists "Proxy-Authorization"] } {
            HTTP::respond 407 Proxy-Authenticate "Basic realm=\"123\""
            return
        }
        set authstr [lindex [ split [HTTP::header "Proxy-Authorization"] " " ] 1 ]

        # Seems like the Citrix base64 encoding logic has a bug that terminates
        # the input string with a null byte when the extra padding characters are
        # added. We remove the extra null character before we decode it.
        set remainder [lindex [split [expr [string length $authstr] / 4.0 ] "." ] 1]
        if { $remainder != "0" } {
            if { [regsub -all {(A=)} $authstr = newstring] > 0 } {
                set authstr $newstring
            }
        }

        #Decoded string format: 52553eb5b18572cdbe7dda4a8220bf35:172.30.6.197-1494
        set apm_session [ lindex [ split [b64decode $authstr] ":" ] 0 ]
        if { ![ACCESS::session exists $apm_session] } {
            HTTP::respond 407 Proxy-Authenticate "Basic realm=\"123\""
            return
        }

        # User is authenticated, send the traffic to the connect proxy virtual.
        log -noname accesscontrol.local1.notice "01490000:3: Request for citrix resource received from session: $apm_session"
        ACCESS::disable
        use virtual citrix_connect_proxy
    }

    if { ($tmm_apm_session_id == "") && ($tmm_apm_citrix_pnagent == 1) } {
        if { $tmm_apm_uri_path equals $::tmm_apm_pnagent_url } {
            ACCESS::disable
            return
        }
        # If the client is PNAgent or Dazzle, extract the credentials from the
        # payload and insert them in HTTP headers.
        HTTP::header insert "clientless-mode" 1
        HTTP::header insert "username" ""
        HTTP::header insert "password" ""
        if { ![info exists tmm_apm_citrix_username] && [HTTP::header exists Content-Length] } {
            HTTP::collect [HTTP::header Content-Length]
        }
    }

    if { $tmm_apm_citrix_receiver == 1 } {
        # Collect the user credentials and set ready for access policy validation
        if { $tmm_apm_uri_path equals "/cgi/login" } {
            HTTP::header insert "clientless-mode" 1
            HTTP::header insert "username" ""
            HTTP::header insert "password" ""
            HTTP::cookie remove MRHSession
            HTTP::collect [HTTP::header Content-Length]
        } elseif { $tmm_apm_uri_path equals "/ipad" } {
            set AD_only "citrixreceiver://createprofile/?s=$tmm_apm_host&pname=Profile-$tmm_apm_host&gw=1&gwt=2&gwa=1"
            set RSA_only "citrixreceiver://createprofile/?s=$tmm_apm_host&pname=Profile-$tmm_apm_host&gw=1&gwt=2&gwa=2"
            set AD_RSA "citrixreceiver://createprofile/?s=$tmm_apm_host&pname=Profile-$tmm_apm_host&gw=1&gwt=2&gwa=3"
            HTTP::respond 200 content "<html><h2><a href=\"$AD_only\">Click here for domain only auth</a><a href=\"$RSA_only\">Click here for RSA only</a><a href=\"$AD_RSA\">Click here for Two-factor auth</a></h2></html>"
        }
    }
}

when HTTP_REQUEST_DATA {
    if { ($tmm_apm_citrix_pnagent != 1) && ($tmm_apm_citrix_receiver != 1) } {
        return
    }
    set payload [HTTP::payload]

    if { $tmm_apm_citrix_receiver == 1 } {
        # Parse the user credentials from the payload
        log -noname accesscontrol.local1.debug "01490000:3: Parsing credentials for Citrix receiver"
        set tmm_apm_citrix_username ""
        set tmm_apm_citrix_password ""
        set tmm_apm_citrix_password1 ""
        set urlvars [ split $payload "&" ]
        foreach {u} $urlvars {
            set param [ lindex [ split $u "=" ] 0 ]
            set value [ lindex [ split $u "=" ] 1 ]
            if { $param equals "login" } {
                set tmm_apm_citrix_username $value
            } elseif { $param equals "passwd" } {
                set tmm_apm_citrix_password $value
            } elseif { $param equals "passwd1" } {
                set tmm_apm_citrix_password1 $value
            }
        }
        # Insert the parsed credentials into the HTTP request as headers
        HTTP::header replace "username" $tmm_apm_citrix_username
        HTTP::header replace "password" $tmm_apm_citrix_password
        HTTP::release
    } elseif { $tmm_apm_citrix_pnagent == 1 } {
        # Parse the user credentials from the payload
        log -noname accesscontrol.local1.debug "01490000:3: Parsing credentials for Citrix PNAgent"
        set tmm_apm_citrix_username ""
        set tmm_apm_citrix_password ""
        if { [regexp -nocase {<username>([^<]+)</username>} $payload dummy tmm_apm_citrix_username] == 0 } {
            log -noname accesscontrol.local1.error "01490000:3: $tmm_apm_session_id: Username not found in the PNAgent POST body"
            return
        }
        if { [regexp -nocase {<password[^>]+>([^<]+)</password>} $payload dummy tmm_apm_citrix_password] == 0 } {
            log -noname accesscontrol.local1.error "01490000:3: $tmm_apm_session_id: Password not found in the PNAgent POST body"
            return
        }

        # Decode the password
        binary scan $tmm_apm_citrix_password c* pass
        set len [llength $pass]
        set result {}
        for { set i 0 } { $i < $len } { incr i } {
            set hi [lindex $pass $i]
            set hi [ expr { $hi - 0x41 } ]
            set hi [ expr { $hi << 4 } ]
            incr i
            set lo [lindex $pass $i]
            set lo [ expr { $lo - 0x41 } ]
            set char [ binary format c [expr {$hi + $lo}] ]
            append result $char
        }
        binary scan $result H* pass
        binary scan $result c* pass
        set len [llength $pass]
        set result {}
        set first [lindex $pass 0]
        set char [ binary format c [expr { $first ^ 0xA5 } ] ]
        append result $char
        for { set i 1 } { $i < $len } { incr i } {
            set prev [ lindex $pass [expr {$i-1}] ]
            set curr [ lindex $pass $i ]
            set char [ binary format c [ expr {$curr ^ $prev ^ 0xA5} ] ]
            append result $char
        }
        binary scan $result H* pass
        set tmm_apm_citrix_password [ regsub -all {\000} $result {} ]

        # Insert the parsed credentials into the HTTP request as headers
        HTTP::header replace "username" $tmm_apm_citrix_username
        HTTP::header replace "password" $tmm_apm_citrix_password
        HTTP::release
    }
}

when HTTP_RESPONSE {
    if { [HTTP::header Content-Type] contains "application/x-ica" } {
        set tmm_apm_citrix_ica_patching 1
        HTTP::collect [HTTP::header Content-Length]
    }
}

when HTTP_RESPONSE_DATA {
    # ICA patching:
    if { $tmm_apm_citrix_ica_patching == 1 } {
        # ICA file patching: Add entries to point citrix clients to the
        # Citrix ICA patching virtual as their HTTP proxy. It also sets
        # the ProxyUsername to the APM session id to let the Citrix clients
        # to connect to the proxy without requesting the user to authenticate
        # again.
        log -noname accesscontrol.local1.debug "01490000:3: ICA file patching"
        set payload [HTTP::payload]
        set payload [ regsub -all {Proxy[^\n]+\n} $payload {} ]
        set payload [ regsub {DoNotUseDefaultCSL[^\n]+\n} $payload {} ]
        if { $tmm_apm_citrix_receiver == 1 } {
            set payload [ regsub {CGPAddress[^\n]+\n} $payload {} ]
        }
        regexp -line {Address=(.+)} $payload dummy CtxAddrPort
        set CtxAddr [lindex [split $CtxAddrPort ":"] 0]
        set CtxPort [lindex [split $CtxAddrPort ":"] 1]
        regexp -line {CGPAddress=(.+)} $payload dummy CGPAddrPort
        if { [info exists CGPAddrPort] } {
            set CtxPort [lindex [split $CGPAddrPort ":"] 1]
        }
        set payload [ regsub {\[WFClient\]} $payload "&\r\nProxyType=Secure\r\nProxyHost=$tmm_apm_vip\r\nProxyUsername=$tmm_apm_session_id\r\nProxyPassword=$CtxAddr-$CtxPort" ]
        set payload [ regsub {SSLEnable[^\n]+\n} $payload "SSLEnable=On\r\n" ]
        set payload [ regsub {Address[^\n]+\n} $payload "Address=$tmm_apm_host\r\n" ]
        HTTP::respond 200 content $payload Content-Type [HTTP::header Content-Type]
    }
}

when ACCESS_SESSION_STARTED {
    if { ($tmm_apm_citrix_receiver == 0) or ![info exists tmm_apm_citrix_password1] } {
        return
    }
    # Pass the domain password as a session variable. Logon page agent doesn't
    # take it from HTTP headers in clientless mode.
    ACCESS::session data set "session.logon.last.password1" [URI::decode $tmm_apm_citrix_password1]
}

when ACCESS_POLICY_COMPLETED {
    if { $tmm_apm_citrix_receiver == 0 } {
        return
    }
    set sid [ACCESS::session data get session.keydb]
    set result [ACCESS::policy result]

    # Remove the user credential variables
    if { [info exists tmm_apm_citrix_username] } { unset tmm_apm_citrix_username }
    if { [info exists tmm_apm_citrix_password] } { unset tmm_apm_citrix_password }
    if { [info exists tmm_apm_citrix_password1] } { unset tmm_apm_citrix_password1 }

    # Clear the domain password session variable created at the session validation start.
    ACCESS::session data set "session.logon.last.password1" ""

    if { $result equals "allow" } {
        set resp "<html><head><META HTTP-EQUIV=\"REFRESH\" CONTENT=\"0; URL=$::tmm_apm_pnagent_url\"></head><body></body></html>"
        ACCESS::respond 200 content $resp Set-Cookie "MRHSession=$sid;path=/;secure" Set-Cookie "NSC_AAAC=123;path=/;secure"
    }
}
}

411 Views, 0 likes, 0 Comments

Two-factor authentication for Citrix Receiver for Windows
I have deployed F5 APM with two-factor authentication. APM is currently replacing the Web Interface / Storefront servers. Two-factor authentication is confirmed working for the Webtop, Citrix Receiver for Mac, Citrix Receiver for iOS and Citrix Receiver for Android. My issue is that Citrix Receiver for Windows doesn't appear to have the necessary options to select the Logon type of "Security token only" or "Domain and security token" like the Receiver for other OS's do. I suspect that Citrix Receiver for Windows requires some kind of configuration push from the server (which in my case is APM). Has anyone else experienced this issue or have any ideas?

2K Views, 0 likes, 32 Comments

Citrix XenApp and XenDesktop
More and more organizations are using the BIG-IP system to secure, optimize, and scale their Citrix XenApp/XenDesktop deployments. Since the days when these applications were known as MetaFrame, F5 has been testing and tuning the BIG-IP system for Citrix implementations, and detailing the procedures first in our deployment guides, and now in our iApp templates for Citrix as well. Not only can the BIG-IP system act as a replacement for the Citrix Web Interface servers, but it can securely proxy Citrix ICA traffic using TCP optimization profiles which increase overall network performance for your application. You also have the option to configure the BIG-IP APM with smart card authentication or with two factor authentication using RSA SecurID.

The following simple, logical configuration example shows one of the ways you can configure the BIG-IP system for Citrix Xen deployments. In this example, the BIG-IP APM Dynamic Presentation Webtop functionality is used to eliminate the need for the Citrix Web Interface StoreFront server tier. With BIG-IP APM, a front-end virtual server is created to provide security, compliance and control. The iApp template configures the APM using Secure ICA Proxy mode. In secure ICA proxy mode, no F5 BIG-IP APM client is required for network access. The BIG-IP system uses SSL on the public (non-secure) network and ICA to the servers on the local (secure) network. See the deployment guide for more information.

See https://devcentral.f5.com/s/articles/citrix-vdi-iapp-template for information on using the iApp template to configure the BIG-IP system for Citrix. See https://f5.com/solutions/deployment-guides to find the appropriate deployment guide for quickly and accurately configuring the BIG-IP system for Citrix XenApp/XenDesktop. If you have any feedback on these or other F5 guides or iApp templates, leave it in the comment section below or email us at solutionsfeedback@f5.com.
We use your feedback to help shape our new iApps and deployment guides.

453 Views, 0 likes, 2 Comments

Citrix VDI iApp template
Problem this snippet solves:
You can use this F5 supported iApp template to configure availability and Secure ICA proxy remote access for Citrix XenApp or XenDesktop environments. This iApp template configures BIG-IP LTM, APM, and AFM for XenApp or XenDesktop services. When used with BIG-IP APM, this iApp template supports proxy authentication and secure remote access for all XenApp and XenDesktop HTTP-based protocols without requiring a VPN client. The iApp template includes the ability to configure BIG-IP APM for two factor authentication with RSA SecurID, and supports smart card authentication. The link below takes you to the official AskF5 SOL for Citrix VDI with instructions on downloading and using the iApp template. For the Deployment Guide, see http://www.f5.com/pdf/deployment-guides/citrix-vdi-iapp-dg.pdf

Code :
https://support.f5.com/kb/en-us/solutions/public/13000/700/sol13738.html

656 Views, 0 likes, 0 Comments

APM webtop to Citrix - what timeouts control session traffic stopping?
Environment - Big-IP 4200v running 11.5.2 plain, no hotfix. Context: APM webtop providing an SSL tunnel to XenApp servers via a Citrix remote desktop. Remote desktop is configured with XenApp XML Broker IP (actually, LTM pool of such brokers). Webtop replaces Storefront, provides launch icons. Doing tsharks to observe traffic, I notice that when we launch a XenApp hosted application, then close that application, the traffic between the F5 to the XenApp host server continues (and not just a little, consistent packet flow) for 350 - 400 seconds before ceasing. Not sure why - keeping it open in case of a subsequent launch? Not sure. I presume that's controlled by timeouts ... but I can't tell what timeouts, nor where (on the F5 or on the XenApp side). I would like to reduce how long the connection stays open and has traffic flow as much as reasonable. So where is this post-app-close traffic controlled? And what are the tradeoffs for reducing how long the connection is left open? thx!

281 Views, 0 likes, 5 Comments

Citrix Desktop via APM - APM fails accessing XenApp on :2598, doesn't try :1494 ...?
Config: firmware 11.5.2, Big-IP 4200v, accessing XenApp server on Win2012, running Xenapp version... 7.1, I think. We have an APM webtop configged to replace the Citrix Storefront, by virtue of a remote desktop resource. That's all working correctly, the broker is being accessed cleanly, and the apps permitted the user are being displayed. But we discovered we have one Citrix server that isn't listening on port 2598 (the CGPAddress from the ICA file). When we run a desktop allocated to that server via the Citrix Storefront, a capture shows that the Receiver app first tries server:2598, but gets a RST back - and moves on to use :1494, and everything works fine. When we access the same desktop over APM, a tcpdump shows that the F5 attempts server:2598 ... then stops, after receiving an RST back. Other Xenapp desktops and apps launched via APM run fine - because the XenApp servers they're running on are all correctly listening on :2598 (I've verified numerous of them via tcpdump, and the APM is always using :2598). Of course we can get the one server fixed, so it IS listening on its CGPAddress:port ... but why isn't APM going on to try :1494 if unsuccessful on :2598? Is there any configuration option to make it do so? Thx!

453 Views, 0 likes, 5 Comments

Citrix: custom parameters
Hi, could someone explain how those Custom Parameters are used? Will they be inserted in the ICA file that the XML brokers send back to APM (I have a Webtop replaces WI deployment)? Any resource where I could get the list of such parameters and their descriptions? Thanks, Alex

389 Views, 0 likes, 4 Comments

In 5 Minutes or Less Video - BIG-IP APM & Citrix XenApp
Watch how F5 customers can now simply use BIG-IP Access Policy Manager or BIG-IP Edge Gateway to consolidate access control in a central location, keeping infrastructure administration concerns to a minimum. With BIG-IP solutions, customers enjoy the flexibility and scalability needed to extend Citrix applications to both local and remote users without changing local XenApp deployments or requiring STA to provide secure remote access to applications.

Highlights of deploying Citrix and F5 technologies together include:

Reduced Management Time and OpEx – By simplifying and centralizing local and remote access authentication, BIG-IP solutions eliminate the need for customers to add separate Citrix STA infrastructure or make changes to existing Web Interface servers, resulting in an environment that is less expensive to deploy and requires less time to manage.

Simplified Configuration and Deployment – With BIG-IP solutions, administrators can support users of Citrix applications with fewer devices, configure deployments to support flexible access models, and easily scale the environment. This fully integrated functionality makes it quick and easy for customers to set up and deploy local and remote access capabilities for Citrix applications, keeping users productive.

Centralized and Comprehensive Access Control – Unlike the separate Citrix products required to adequately support applications for remote users, BIG-IP solutions provide centralized application access control and use a single access policy to support all types of users securely, so IT teams can be confident that application access is aligned with the organizations’ specific business priorities and security policies.

ps

Resources:
F5 Simplifies and Centralizes Access Management for Citrix Applications: http://www.f5.com/news-press-events/press/2010/20101214.html
BIG-IP v10.2.1 Download (Log in required): downloads.f5.com
BIG-IP Access Policy Manager: http://www.f5.com/products/big-ip/access-policy-manager.html
BIG-IP Edge Gateway: http://www.f5.com/products/big-ip/edge-gateway.html
F5 YouTube Channel: https://www.youtube.com/user/f5networksinc

395 Views, 0 likes, 2 Comments

Citrix Xenapp 6.5 Server with CSG - HTTP 400 Bad Request error
I have 1 Xenapp 6.5 server: On this server I have Web Interface, Secure Gateway and it's my STA server as well. I have IIS set to SSL port 444 and my CSG is set to 443. I can telnet to my host https://cloud.rainiertitle.com on port 1494 and 2598 - I have disabled session reliability for this troubleshooting. My STA is generating no errors. IIS is giving no errors. This is driving me crazy. I can access everything internally, but I get the HTTP 400 Bad Request when I try to access my site externally. My DNS is working correctly. Everything resolves fine. I ran Fiddler to try to trace my https traffic and I received this error:

HTTP/1.1 400 Bad request
Date: Fri, 08 Aug 2014 15:35:44 GMT
Server: Citrix Web PN Server
Content-Length: 0
Connection: close
Content-Type: text/plain

Any ideas?

516 Views, 0 likes, 5 Comments

how do I resolve a 403 - Forbidden: Access is denied. on my Citrix loading page
I am using Xenapp 6.5 with Web Interface 5.4; it's a very basic setup. When I try to open my Web Interface page, I am getting the 403 error. I have tried giving all the appropriate rights to the folders. I reinstalled asp.net and rebooted. This is a Windows 2008 R2 server. IIS 7.5. I am at my wits' end. I have spent hours troubleshooting this. The APP pool identity that the web interface runs under is Network Service. Any help would be appreciated.

Solved
1.1K Views, 0 likes, 3 Comments