When integrated with Citrix, Access Policy Manager® (APM™) performs authentication (and, optionally uses SmartAccess filters) to control access to Citrix published applications. APM supports these types of integration with Citrix:
To integrate Access Policy Manager® with Citrix, you must meet specific configuration requirements for Citrix as described here.
The address can be the IP address or the FQDN. If you use HTTPS, make sure to use the FQDN that you use in the SSL certificate on the BIG-IP system.
|Allow connections made through Access Gateway||enabled|
|Access Gateway Farm||APM|
|Access Gateway Filter||The value must match the literal string that Access Policy Manager sets during access policy operation (through the Citrix SmartAccess action item)|
|Connection Type||With Access Gateway|
|Access Gateway Farm||APM|
|Access Gateway Filter||The value must match the literal string that Access Policy Manager sets during access policy execution (through the Citrix SmartAccess action item)|
To support Citrix Receivers for Mac, iOS, and Android, you must meet specific configuration requirements for the Citrix Receiver client.
To support Citrix Receiver for Windows and Linux clients, you must meet specific configuration requirements for the Citrix Receiver client, as described here.
Access Policy Manager® (APM®) supports single sign-on (SSO) for XenApp and XenDesktop clients that connect through an APM dynamic webtop. SSO for XenApp is supported with the Kerberos SSO method. SSO for XenDesktop is supported with either the Kerberos SSO or the SmartCard method.
To use the SSO options that APM supports, you must meet specific configuration requirements for Citrix as described here:
On Citrix XenApp or Storefront servers, administrators can provide application names using various languages, some of which use non-ASCII character sets. When using a supported Wyse Zenith Zero client with F5® BIG-IP® APM® Secure Proxy, if an application name was specified using a non-ASCII character set, it can display as ????. If this occurs, it indicates a mismatch between that character set and the character set configured for the keyboard in the peripheral settings on the client.
To view an application name in its correct format, the character set configured for the keyboard on the client must match the language in which the name is specified on the server.
For example, for an application name that is specified in Arabic on the server, peripheral settings for the keyboard on the client must specify character set cp1256. Similarly, for an application name in Cyrillic on the server, the character set specified on the client must be cp1251. Refer to product documentation for the Wyse Xenith Zero client for definitive information.
On Citrix XenApp or Storefront servers, administrators can use StoreFront proxy with native protocol. APM administrators can use either Secure Ticket Authority (STA) tickets or ICA patching, but need to configure both APM and StoreFront.
In ICA patching mode, the admin must ensure that APM does not act as a gateway in StoreFront. Besides that, ICA patching mode clients can access all StoreFront stores. Configuring APM as a gateway can break the client authentication.