Manual Chapter: Integrating APM with Citrix XML Brokers

Overview: Integrating APM with Citrix XML Brokers with SmartAccess support

In this implementation, you integrate Access Policy Manager® with Citrix XML Brokers and present Citrix published applications on an APM™ dynamic webtop.

Figure: Traffic flow in an APM configuration that integrates with Citrix XML Brokers
  1. A user (client browser or Citrix Receiver) requests access to applications.
  2. The external virtual server starts an access policy that performs authentication and sets SmartAccess filters.
  3. The external virtual server sends the authenticated request and filters to a Citrix XML Broker. A separate, internal virtual server load balances multiple XML Brokers.
  4. An XML Broker returns a list of allowed applications to the external virtual server.
  5. The external virtual server renders and displays the user interface to the client on an Access Policy Manager webtop.

Supported authentication

For Citrix Receiver Windows and Linux clients: only Active Directory authentication is supported.

For Citrix Receiver clients for iOS, Android, and Mac: Active Directory, or both RSA and Active Directory authentication is supported.

For web clients, you are not restricted in the type of authentication you use.

About APM dynamic webtop for Citrix XML Brokers

A dynamic webtop enables Access Policy Manager® to act as a presentation layer for Citrix published resources. APM™ communicates directly with Citrix XML Brokers, retrieves a list of published resources, and displays them to the user on a dynamic webtop.

The address of an XML Broker is configured on APM through a Citrix remote desktop resource. Each of these resources logically represents a Citrix farm. You can assign multiple resources to a user, enabling the user to access Citrix applications from multiple Citrix farms.

About remote desktop resource support for Citrix Receiver clients

APM supports multiple Citrix remote desktop resources for web clients. However, support for Citrix Receiver (iOS, Android, Mac, Windows, and Linux) clients is limited to one Citrix remote desktop resource.

Important: APM uses the first Citrix remote desktop resource in alphabetical order. For example, if you have two resources with names /Common/Alpha and /Common/Beta, APM serves only /Common/Alpha to Citrix Receiver clients.

Task summary for XML Broker integration with APM

Ensure that you configure the Citrix components in the Citrix environment, in addition to configuring the BIG-IP® system to integrate with Citrix XML Brokers.

Perform these tasks on the BIG-IP system so that Access Policy Manager® can present Citrix published resources on a dynamic webtop.

Task list

Creating a pool of Citrix XML Brokers

You can create a pool of Citrix XML Brokers to provide high availability functions. Create one pool of XML Brokers for each Citrix farm that you want to support.
  1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens.
  2. Click Create. The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. In the Resources area, using the New Members setting, add each resource that you want to include in the pool:
    1. Either type an IP address in the Address field, or select a node address from the Node List.
    2. If access to the XML Broker is through SSL, in the Service Port field type 443 or select HTTPS from the list; otherwise, type 80 or select HTTP from the list.
    3. Click Add.
  5. Click Finished.
The new pool appears in the Pools list.

Creating an internal virtual server for Citrix XML Broker HA

This virtual server enables high availability for a pool of Citrix XML Brokers. Create one internal virtual server for each Citrix farm that you want to support.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting, select Host and in the Address field, type the IP address for the virtual server.
  5. In the Configuration area, from the HTTP Profile list, select http.
  6. In the Service Port field, type 80, or select HTTP from the list.
  7. If you use SSL to access the XML Brokers, select an SSL Profile for the SSL Profile (Server) field.
  8. In the Resources area, locate the Default Pool setting.
  9. From the Default Pool list, select the name of the pool that you created previously.
  10. Click Finished.

Configuring a Citrix remote desktop resource

This Citrix remote desktop resource uses a pool of XML Brokers that are load-balanced by an internal virtual server. Create one Citrix remote desktop resource for each Citrix farm that you want to support.
  1. On the Main tab, click Access Policy > Application Access > Remote Desktops. The Remote Desktops list opens.
  2. Click Create. The New Resource screen opens.
  3. Type a name for the remote desktop resource.
  4. For the Type setting, ensure that Citrix is selected. The default is Citrix.
  5. For the Destination setting, specify the IP address for the internal virtual server that you created.
  6. Accept or change the Port. The port must match the port configured on the internal virtual server.
  7. In the Customization Settings for language_name area, type a Caption. The caption is the display name of the Citrix resource on the APM webtop.
  8. Click Finished. All other parameters are optional.
This creates the Citrix remote desktop resource.

Configuring a Citrix client bundle

You configure a Citrix client bundle to enable delivery of a Citrix Receiver client to a user's computer when a client is not currently installed, or when a newer client is available. Access Policy Manager® detects whether the Citrix Receiver client is present, and detects the operating system that is running. APM™ then redirects users to a download URL or, for Windows systems, downloads the Citrix Receiver client that you have uploaded.
Note: Creating a Citrix client bundle is optional, but you still need a Citrix Receiver client on client systems. If you do not create a Citrix client bundle, you must download the Citrix Receiver client from the Citrix web site and install it on client systems.
  1. On the Main tab, click Access Policy > Application Access > Remote Desktops > Citrix Client Bundles. The Citrix Client Bundles list screen opens.
  2. Click Create. The New Citrix Client Bundle screen opens.
  3. In the Name field, type a name for the Citrix client bundle.
  4. In the Download URL field, accept the default location or type the location from which the user can download a Citrix Receiver client. If Access Policy Manager detects that the user's computer is running Windows Citrix Receiver at or above the minimum version that you specify, instead of redirecting the user to this URL, APM performs an action based on the Source setting.
  5. For Source, select one of these options.
    • To redirect the user to download a Windows version of a Citrix Receiver client, select Windows Download URL.
    • To enable Access Policy Manager to push a Windows version of a Citrix Receiver client to the user's computer, select Windows Package File.
  6. Provide additional information, depending on the Source option that you selected.
    • For Windows Download URL, type the URL to which the Windows user is redirected to download the Citrix Receiver client.
    • For Windows Package File, click Browse to upload a Windows Citrix Receiver installation package.
  7. For the Windows Minimum Version setting, type the minimum version of Windows Citrix Receiver.
  8. Click Finished.
This creates the Citrix client bundle.

Configuring a dynamic webtop

A dynamic webtop allows you to see a variety of resources protected by Access Policy Manager®, including Citrix Published Applications.
  1. On the Main tab, click Access Policy > Webtops.
  2. Click Create.
  3. Type a name for the webtop.
  4. From the Type list, select Full.
  5. Click Finished.
The webtop is now configured, and appears in the webtop list.

Creating an access policy for Citrix SSO

Before you can create an access policy for Citrix Web Interface single sign-on (SSO), you must meet these requirements:
  • Configure the appropriate AAA servers to use for authentication.
    Note: An Active Directory AAA server must include the IP address of the domain controller and the FQDN of the Windows domain name. If anonymous binding to Active Directory is not allowed in your environment, you must provide the admin name and password for the Active Directory AAA server.
  • Create an access profile using default settings.
Configure an access policy to authenticate a user and enable single sign-on (SSO) to Citrix published resources.
Note: APM supports different types of authentication depending on the client type. This access policy shows how to use both RSA SecurID and AD Auth authentication (supported for Citrix Receiver for iOS, Mac, and Android) or AD Auth only (supported for Citrix Receiver for Windows and Linux). Use the type of authentication for the client that you need to support.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure to launch the visual policy editor. The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) sign anywhere in the access policy to add a new action item. An Add Item screen opens, listing Predefined Actions that are grouped by General Purpose, Authentication, and so on.
  4. In the General Purpose area, select Logon Page, and click Add Item. A properties screen displays.
  5. Configure the Logon Page properties:
    • To support Active Directory authentication only, click Save.
    • To support both Active Directory and RSA SecurID authentication, configure the Logon Page to accept an RSA token and an AD password and click Save.
    In this example, Logon Page Input Field #2 accepts the RSA token code into the session.logon.last.password variable (from which authentication agents read it). Logon Page Input Field #3 saves the AD password into the session.logon.last.password1 variable. The properties screen closes.
  6. Optional: To add RSA SecurID authentication, click the plus (+) icon between Logon Page and Deny:
    1. From the Authentication tab, select RSA SecurID, and click Add Item.
    2. In the properties screen from the Server list, select the AAA server that you created previously and click Save. The properties screen closes.
    3. After the RSA SecurID action, add a Variable Assign action. Use the Variable Assign action to move the AD password into the session.logon.last.password variable.
    4. Click Add new entry. An empty entry appears in the Assignment table.
    5. Click the change link next to the empty entry. A dialog box appears, where you can enter a variable and an expression.
    6. From the left-side list, select Custom Variable (the default), and type session.logon.last.password.
    7. From the right-side list, select Custom Expression (the default), and type expr { "[mcget -secure session.logon.last.password1]" }. The AD password is now available for use in Active Directory authentication.
    8. Click Finished to save the variable and expression, and return to the Variable Assign action screen.
  7. Add the AD Auth action after one of these actions:
    • Variable Assign. This action is present only if you added RSA SecurID authentication.
    • Logon Page. Add here if you did not add RSA SecurID authentication.
    A properties screen for the AD Auth action opens.
  8. Configure the properties for the AD Auth action:
    1. From the AAA Server list, select the AAA server that you created previously.
    2. To support Citrix Receiver clients, you must set Max Logon Attempts to 1.
    3. Configure the rest of the properties as applicable to your configuration and click Save.
  9. Click the Add Item (+) icon between AD Auth and Deny.
    1. From the General Purpose area, select SSO Credential Mapping, and click Add Item.
    2. Click Save.
    The SSO Credential Mapping makes the information from the session.logon.last.password variable available (for Citrix SSO).
  10. Add a Variable Assign action after the SSO Credential Mapping action. Use the Variable Assign action to pass the domain name for the Citrix Web Interface site so that a user is not repeatedly queried for it.
    1. Click Add new entry. An empty entry appears in the Assignment table.
    2. Click the change link next to the empty entry. A dialog box appears, where you can enter a variable and an expression.
    3. From the left-side list, select Custom Variable (the default), and type session.logon.last.domain.
    4. From the right-side list, select Custom Expression (the default), and type the expression expr { "DEMO.LON" } to assign the domain name for the Citrix Web Interface site (where DEMO.LON is the domain name of the Citrix Web Interface site).
    5. Click Finished to save the variable and expression, and return to the Variable Assign action screen.
  11. On the fallback path between the last action and Deny, click the Deny box, and then click Allow and Save.
  12. Click Close.

You should have an access policy that resembles either of these examples:

Figure: Example access policy with AD authentication, credential mapping, and Web Interface site domain assignment
Figure: Example access policy with RSA SecurID authentication configured before AD authentication

Assigning connectivity resources to an access policy for Citrix integration

Before you start, create or select an access profile and open the associated access policy for edit.
Assign the webtop and Citrix remote desktop resources that you configured to a session so that XML Brokers associated with the resources can return the appropriate published resources for display on the webtop.
Note: This access policy shows how to use the Full Resource Assign action item to assign the resources. Alternatively, you can use the Resource Assign and Webtop and Links Assign action items.
  1. Click the (+) sign anywhere in the access policy to add a new action item. An Add Item screen opens, listing Predefined Actions that are grouped by General Purpose, Authentication, and so on.
  2. From General Purpose, select Full Resource Assign and click Add Item. The Properties screen opens.
  3. Click Add new entry. An Empty entry appears.
  4. Click the Add/Delete link below the entry. The screen changes to display resources that you can add and delete.
  5. Select the Remote Desktop Resources tab. A list of remote desktop resources is displayed.
  6. Select Citrix remote desktop resources and click Update. You are returned to the Properties screen where Remote Desktop and the names of the selected resources are displayed.
  7. Click Add new entry. An Empty entry appears.
  8. Click the Add/Delete link below the entry. The screen changes to display resources that you can add and delete.
  9. Select the Webtop tab. A list of webtops is displayed.
  10. Select a webtop and click Update. The screen changes to display Properties and the name of the selected webtop is displayed.
  11. Select Save to save any changes and return to the access policy.
The Citrix remote desktop resources and an Access Policy Manager dynamic webtop are now assigned to the session.

Adding Citrix Smart Access actions to an access policy

To perform this task, first select the access profile you created previously, and open the associated access policy for edit.
You can set one or more filters per Citrix Smart Access action. If you include multiple Citrix Smart Access actions in an access policy, Access Policy Manager accumulates the SmartAccess filters that are set throughout the access policy operation.
  1. Click the Add Item (+) icon anywhere in your access profile where you want to add the Citrix Smart Access action item. The Add Item screen opens.
  2. From General Purpose, select Citrix Smart Access and click Add Item. The Variable Assign: Citrix Smart Access properties screen opens.
  3. Type the name of a Citrix SmartAccess filter in the open row under Assignment. A filter can be any string. Filters are not hardcoded, but must match filters that are configured in the Citrix XenApp server for application access control or a user policy.
    Note: You must specify APM as the Access Gateway farm when you configure filters on the XenApp server.
  4. To add another filter, click Add entry and type the name of a Citrix filter in the open row under Assignment.
  5. When you are done adding filters, click Save to return to the Access Policy.
You now need to save the access policy and assign it to a virtual server.

Example access policy with Citrix SmartAccess filters

Here is a typical example access policy that uses Citrix SmartAccess filters to restrict access to published applications based on the result of client inspection. Client inspection can be as simple as IP Geolocation Match or Antivirus. The figure shows an access policy being configured with a Citrix Smart Access action to set a filter to antivirus after an antivirus check is successful.

Figure: Example access policy with an antivirus check followed by a Citrix Smart Access action that sets the filter to antivirus

Creating a connectivity profile

Create a connectivity profile to configure client connections for Citrix remote access.
  1. On the Main tab, click Access Policy > Secure Connectivity > Connectivity Profiles.
  2. Click Create. The New Profile screen opens.
  3. Type a Name for the connectivity profile.
  4. Leave the Parent Profile setting at the default option, connectivity.
  5. Click Finished.
The connectivity profile appears in the Connectivity Profile List.

Creating an external virtual server to support Citrix web and mobile clients

This virtual server supports Citrix traffic and responds to web and mobile client requests.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting, select Host and in the Address field, type the IP address for the virtual server.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. From the Configuration list, select Advanced.
  7. In the Configuration area, from the HTTP Profile list, select http.
  8. For the Stream Profile setting, retain the default profile, stream.
  9. For the SSL Profile (Client) setting, from the Available list, select an SSL profile with an SSL certificate that the clients trust and use the Move button to move the name to the Selected list.
  10. Depending on the APM version that you have, do one of the following:
    • From the SNAT Pool list, select Auto Map.
    • From the Source Address Translation list, select Auto Map.
  11. In the Access Policy area, from the Access Profile list, select the access profile.
  12. In the Access Policy area, from the Connectivity Profile list, select the connectivity profile.
  13. Depending on the APM version that you have, select the Citrix Support or the Citrix & Java Support check box.
  14. To support Citrix Receiver (for Windows and Linux) clients, from the Default Pool list, select the name of the pool that you created previously. If you include multiple Citrix remote desktop resources in your configuration, select the pool that is associated with the first Citrix remote desktop resource (when listed alphabetically by Citrix remote desktop resource name).
  15. Click Finished.
The access policy is now associated with the virtual server.

Creating a data group for Citrix Receiver (Windows and Linux) clients

Perform this task only when you need to support Citrix Receiver Windows and Linux clients on Access Policy Manager® and you are integrating APM™ with Citrix XML Brokers. This task creates a data group that associates the external virtual server with an iRule to accomplish the support.
  1. On the Main tab, click Local Traffic > iRules > Data Group List. The Data Group List screen opens, displaying a list of data groups on the system.
  2. Click Create. The New Data Group screen opens.
  3. In the Name field, type APM_Citrix_PNAgentProtocol. Type the name exactly as shown.
  4. From the Type list, select String.
  5. In the Records area, create this string record.
    1. In the String field, type the FQDN of the external virtual server on APM (using lowercase characters only).
    2. In the Value field, type the number 1.
    3. Click Add.
  6. Click Finished. The new data group appears in the list of data groups.
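As an added example that is not part of this manual, the XML Broker pool, the internal virtual server and the Citrix Receiver data group from the tasks above can also be created from tmsh; the pool and virtual server names, addresses and the FQDN apm.example.com are placeholders.

```tmsh
# Added example (not from the manual): tmsh equivalents of the GUI tasks above.
# Pool, virtual server names, addresses and the FQDN are placeholders.

# Pool of XML Brokers for one Citrix farm. Port 443 and the https monitor
# because these brokers are reached over SSL; use port 80 and "monitor http"
# for brokers that listen on plain HTTP.
create ltm pool citrix_xml_broker_pool members add { 10.10.20.11:443 10.10.20.12:443 } monitor https

# Internal virtual server that load balances the XML Broker pool. The http
# profile is required; serverssl is needed only because the brokers use SSL.
create ltm virtual citrix_xml_broker_internal_vs destination 10.10.30.5:80 ip-protocol tcp profiles add { http serverssl } pool citrix_xml_broker_pool

# Data group for Citrix Receiver (Windows and Linux) clients. The name must be
# exactly APM_Citrix_PNAgentProtocol; the record key is the external virtual
# server's FQDN in lowercase and the value is 1.
create ltm data-group internal APM_Citrix_PNAgentProtocol type string records add { apm.example.com { data 1 } }

save sys config
```

The Citrix remote desktop resource and the external virtual server are left to the GUI procedures above, since their APM-specific settings are the ones this chapter walks through step by step.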