Applies To:

Show Versions Show Versions

Manual Chapter: Integrating APM with Citrix XML Brokers
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Integrating APM with Citrix XML Brokers

Overview: Integrating APM with Citrix XML Brokers with SmartAccess support

In this implementation, you integrate Access Policy Manager® (APM®) with Citrix XML Brokers and present Citrix published applications on an APM dynamic webtop.

Traffic flow in APM configuration to integrate with Citrix XML Brokers

APM integration with Citrix XML Brokers

  1. A user (client browser or Citrix Receiver) requests access to applications.
  2. The virtual server starts an access policy that performs authentication and sets SmartAccess filters.
  3. The virtual server sends the authenticated request and filters to a Citrix XML Broker.
  4. An XML Broker returns a list of allowed applications to the external virtual server.
  5. The virtual server renders and displays the user interface to the client on an Access Policy Manager webtop.

Supported authentication

For Citrix Receiver Windows and Linux clients: only Active Directory authentication is supported.

For Citrix Receiver clients for iOS, Android, and Mac: Active Directory, or both RSA and Active Directory authentication is supported.

For web clients, you are not restricted in the type of authentication you use.

About APM dynamic webtop for Citrix XML Brokers

A dynamic webtop enables Access Policy Manager® (APM®) to act as a presentation layer for Citrix published resources. APM communicates directly with Citrix XML Brokers, retrieves a list of published resources, and displays them to the user on a dynamic webtop.

The addresses of XML Brokers are configured in pools on APM. A pool includes addresses from one Citrix farm. You specify a pool as a destination in a Citrix remote desktop resource. Each resource logically represents a Citrix farm. You can assign multiple resources to a user, enabling the user to access Citrix applications from multiple Citrix farms.

About Client Type

The Client Type action determines whether the client is using a full browser, the BIG-IP® Edge Client, or another client to access the Access Policy Manager® (APM®). This action makes it possible to specify different actions for different client types in one access policy and, as a result, to use one virtual server for traffic from different client types. This figure shows the Client Type action as it looks when first added to an access policy.

What the Client Type action looks like when initially added to an access policy

Client Type

By default, the Client Type action includes these branches:

Edge Portal
Indicates that the user is connecting with the BIG-IP® Edge Portal® mobile app.
Edge Client
Indicates that the user is connecting with the BIG-IP® Edge Client® or BIG-IP Edge Client app, supported on multiple devices and operating systems.
Citrix Receiver
Indicates that the user is connecting using a later Citrix Receiver client.
Citrix Receiver (legacy)
Indicates that the user is connecting using an earlier Citrix Receiver client (identified with PN Agent).
VMware View
Indicates that the user is connecting using a VMware Horizon View client.
Full or Mobile Browser
Indicates the user is connecting with a Windows web browser or a mobile browser.
Windows Inbox F5 VPN Client
Indicates the user is connecting using the Windows Inbox F5 VPN client.
fallback
Indicates the user is connecting with another method.

APM supports the client types on multiple operating systems. Refer to AskF5™ (support.f5.com) to look up the supported operating systems and versions in the compatibility matrix for your version of APM.

Note: To create additional branching for a client type based on operating system, you can add a client operating system (Client OS) action on the client type branch.

About Citrix client bundles in APM

A Citrix client bundle enables delivery of a Citrix Receiver client to a user's Windows computer when a client is not currently installed, or when a newer client is available. Access Policy Manager® (APM®) detects whether the Citrix Receiver client is present and redirects users to a download URL, or downloads a Citrix Receiver client that you have uploaded.

In Access Policy Manager, you specify the Citrix client bundle in a connectivity profile. By default, a connectivity profile includes the default Citrix bundle, /Common/default-citrix-client-bundle, which contains a download URL, receiver.citrix.com.

Note: You can upload Citrix Receiver clients from the Application Access area of Access Policy Manager.

About APM SSO support for Citrix clients

Access Policy Manager® (APM®) supports two single sign-on options for Citrix that provide password-less authentication:

  • Kerberos - Supports any kind of password-less authentication on APM: SmartCard, RSA PIN, client SSL certificate, and so on. Citrix supports Kerberos only for XenApp.
  • SmartCard - Citrix supports SmartCard for XenDesktop. Citrix also supports SmartCard for XenApp.
    Note: When using SmartCard with XenApp, a user is prompted for a SmartCard PIN twice: once when logging in to APM and again when starting a Citrix application.

These options work in APM only when:

  • Citrix is configured to support SmartCard SSO (with Kerberos) or SmartCard.
  • Citrix requirements for using SmartCard SSO or SmartCard are met.

About the iApp for Citrix integration with APM

An iApps® template is available for configuring Access Policy Manager® and Local Traffic Manager™ to integrate with Citrix applications. The template can be used on the BIG-IP® system to create an application service that is capable of performing complex configurations. You can download the template from the F5® DevCentral™ iApp Codeshare wiki at https://devcentral.f5.com/wiki/iApp.Citrix-Applications.ashx. A deployment guide is also available there.

Task summary for XML Broker integration with APM

Ensure that you configure the Citrix components in the Citrix environment, in addition to configuring the BIG-IP® system to integrate with Citrix XML Brokers.

Perform these tasks on the BIG-IP system so that Access Policy Manager® can present Citrix published resources on a dynamic webtop.

Task list

Creating a pool of Citrix XML Brokers

Create one pool of XML Brokers for each Citrix farm that you want to support.
  1. On the Main tab, click Local Traffic > Pools .
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. In the Resources area, using the New Members setting, add each resource that you want to include in the pool:
    1. Either type an IP address in the Address field, or select a preexisting node address from the Node List.
    2. If access to the XML Broker is through SSL, in the Service Port field, type 443 or select HTTPS from the list; otherwise, type 80 or select HTTP from the list.
    3. Click Add.
  5. Click Finished.
The new pool appears in the Pools list.

Configuring a Citrix remote desktop resource

Create one Citrix remote desktop resource for each Citrix farm that you want to support.
  1. On the Main tab, click Access Policy > Application Access > Remote Desktops > Remote Desktops List .
    The Remote Desktops list opens.
  2. Click Create.
    The New Resource screen opens.
  3. Type a name for the remote desktop resource.
  4. For the Type setting, retain the default Citrix.
  5. For the Destination setting, select Pool and select the pool that you created previously.
  6. In the Single Sign-On area, select the Enable SSO check box for single sign-on to a Citrix XML Broker after logging in to Access Policy Manager® (APM®).
    1. From the SSO Method list, select the type of single sign-on to use, either Password-based, Kerberos, SmartCard, or Anonymous.
      The Kerberos and SmartCard options enable password-less authentication. You cannot use either of them successfully unless Citrix is configured for SmartCard SSO (Kerberos) or SmartCard.
      The fields that are displayed vary based on this selection.
    2. In the Username Source field, accept the default or type the session variable to use as the source for the SSO user name.
    3. In the Password Source field, accept the default or type the session variable to use as the source for the SSO user password.
    4. In the Domain Source field, accept the default or type the session variable to use as the source for the SSO user domain.
    5. From the Kerberos SSO list, select a Kerberos SSO configuration that has already been configured.
  7. In the Customization Settings for language_name area, type a Caption.
    The caption is the display name of the Citrix resource on the APM webtop.
  8. Click Finished.
    All other parameters are optional.
This creates the Citrix remote desktop resource.

Configuring a dynamic webtop

A dynamic webtop allows you to see a variety of resources protected by Access Policy Manager®, including Citrix Published Applications.
  1. On the Main tab, click Access Policy > Webtops .
    The Webtops screen displays.
  2. Click Create.
    The New Webtop screen opens.
  3. In the Name field, type a name for the webtop.
  4. From the Type list, select Full.
    The Configuration area displays with additional settings configured at default values.
  5. Click Finished.
The webtop is now configured, and appears in the webtop list.

Creating an access policy for Citrix SSO (APM dynamic webtop)

Before you can create an access policy for Citrix single sign-on (SSO), you must meet these requirements:
  • Configure the appropriate AAA servers to use for authentication.
    Note: An Active Directory AAA server must include the IP address of the domain controller and the FQDN of the Windows domain name. If anonymous binding to Active Directory is not allowed in your environment, you must provide the admin name and password for the Active Directory AAA server.
  • Create an access profile using default settings.
You configure an access policy to authenticate a user and enable single sign-on (SSO) to Citrix published resources.
Note: APM® supports different types of authentication depending on the client type. This access policy shows how to use the Client Type action to configure authentication for legacy Citrix Receiver clients (Windows and Linux), and later Citrix Receiver clients (iOS, Mac, and Android) in the same access policy.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Type client in the search field, and select Client Type from the results.
    A properties screen displays.
  5. Click Save.
  6. On the properties screen, on the Logon tab, select an access policy as appropriate:
    • Logon Page: Specify this if you allow one-factor password authentication with a single logon prompt containing one password field.
    • Citrix Logon Prompt: Specify this if you allow two-factor password authentication with a single logon prompt containing two password fields.
  7. Click Save.
    The properties screen closes, and the Client Type action and Logon action displays in the visual policy editor.
  8. To configure actions for Citrix Receiver for Windows and Linux clients, perform these substeps.
    Note: Citrix Receiver for Windows version 3.4 and later, and Citrix Receiver for Linux, version 13 and later, support Active Directory authentication only.
    1. Click the (+) icon on the Citrix Receiver (legacy) branch after the Client Type action.
    2. On the Logon tab, select either Logon Page or Citrix Logon Prompt, and click Add Item.
      A properties screen displays. The default page settings are acceptable.
    3. Click Save.
    4. After the Logon Page action, add an SSO Credential Mapping action with default settings.
    5. After the SSO Credential Mapping action, click the (+) icon.
    6. Type var into the search field, select Variable Assign from the results, and click Add Item.
      Use the Variable Assign action to pass the domain name for the Citrix remote desktop resource so that a user is not repeatedly queried for it.
      A properties screen opens.
    7. Click Add new entry.
      An empty entry appears in the Assignment table.
    8. Click the change link next to the empty entry.
      A dialog box opens, where you can enter a variable and an expression.
    9. From the left-side list, retain the Custom Variable setting, and type session.logon.last.domain.
    10. From the right-side list, retain the Custom Expression setting, and type expr {"example.com"} to assign the domain name for the Citrix remote desktop resource (where example.com is the domain name of the resource).
      The Citrix remote desktop resource equates to an XML Broker that is selected from a pool.
    11. Click Finished.
    12. Click Save.
    13. After the previous action, click the Deny ending, and select the Allow ending.
    The access policy branch for legacy Citrix Receiver clients is complete.
  9. To configure actions for Citrix Receiver for iOS, Android, and Mac, complete the remaining steps.
    Citrix Receiver for iOS, Android, and Mac, support both RSA SecurID and AD Auth authentication. This example shows how to use both.
  10. After the Client Type action, on the Citrix Receiver branch, click the (+) icon.
  11. On the Logon tab, select either Logon Page, and click Add Item.
  12. Customize the Logon Page to accept an RSA token and an Active Directory password:
    1. In row 2: From the Type list, select password; in the Post Variable Name field, type password1; in the Session Variable Name field, type password1.
      APM stores the text that a user types into this field in the session.logon.last.password1 session variable.
      You have added another password field to the logon page.
    2. In Login Page Input Field #2, type Password.
      You replaced the existing prompt for the first password field.
    3. In Login Page Input Field #3, type Passcode.
      You provided a prompt for the second password field.
  13. To add RSA SecurID authentication, click the plus (+) icon between Logon Page and Deny:
    1. Type rsa in the search field, select RSA SecurID from the results, and click Add Item.
    2. From the Server list, select the AAA RSA SecurID server that you created previously and click Save.
      The properties screen closes.
    3. After the RSA SecurID action, add a Variable Assign action.
      Use the Variable Assign action to move the AD password into the session.logon.last.password session variable; the authentication agent requires this.
      A Variable Assign properties page opens.
    4. Click Add new entry.
      An empty entry appears in the Assignment table.
    5. Click the change link next to the empty entry.
      A dialog box opens, where you can enter a variable and an expression.
    6. From the left-side list, retain the Custom Variable setting, and type session.logon.last.password.
    7. From the right-side list, retain the Custom Expression setting, and type expr { "[mcget -secure session.logon.last.password1]" }. For two-factor authentication, type expr {[mcget {session.logon.last.password1}]} .
      Variable Assign add entry screenshot
    8. Click Finished to save the variable and expression, and return to the Variable Assign action screen.
    9. Click Save.
  14. After the previous action, add an AD Auth action and configure properties for it:
    1. From the AAA Server list, select the AAA server that you created previously.
    2. If you are using Android Citrix receiver with a disabled session ID rotation in APM, you must set Max Logon Attempts to 1.
    3. Configure the rest of the properties as applicable to your configuration, and click Save.
  15. Click the Add Item (+) icon between AD Auth and Deny.
    1. On the Assignment tab, select SSO Credential Mapping, and click Add Item.
    2. Click Save.
    The SSO Credential Mapping makes the information from the session.logon.last.password variable available for Citrix SSO.
  16. Add a Variable Assign action after the SSO Credential Mapping action.
    Use the Variable Assign action to pass the domain name for an XML Broker so that a user is not repeatedly queried for it.
    1. Click Add new entry.
      An empty entry appears in the Assignment table.
    2. Click the change link next to the empty entry.
      A dialog box opens, where you can enter a variable and an expression.
    3. From the left-side list, select Custom Variable (the default), and type session.logon.last.domain.
    4. From the right-side list, select Custom Expression (the default), and type an expression expr {"example.com"}.
    5. Click Finished to save the variable and expression, and return to the Variable Assign action screen.
  17. On the fallback path between the last action and Deny, click Deny, and then click Allow and Save.
    The access policy branch for the Citrix Receiver client type is complete.
  18. Click the Apply Access Policy link to apply and activate the changes to the access policy.
  19. Click Close.

You should have an access policy that contains actions for both Citrix Receiver client types.

Access profile with different actions on Citrix Receiver and Citrix Receiver (legacy) branches

Example access policy for legacy Citrix Receiver clients and later Citrix Receiver clients

To apply this access policy to network traffic, add the access profile to a virtual server.
Note: To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Assigning Citrix resources to an access policy for Citrix integration

Before you assign Citrix resources to an access policy for integration, create or select an access profile, and open the associated access policy for edit.
Assign the webtop and Citrix remote desktop resources that you configured to a session so that XML Brokers associated with the resources can return the appropriate published resources for display on the webtop.
Note: This access policy shows how to use the Advanced Resource Assign action item to assign the resources. Alternatively, you can use the Resource Assign and Webtop, Links and Sections Assign action items.
  1. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  2. On the Assignment tab, select Advanced Resource Assign and click Add Item.
    The properties screen opens.
  3. Click Add new entry.
    An Empty entry displays.
  4. Click the Add/Delete link below the entry.
    The screen changes to display resources that you can add and delete.
  5. Select the Remote Desktop tab.
    A list of remote desktop resources is displayed.
  6. Select Citrix remote desktop resources and click Update.
    You are returned to the properties screen where Remote Desktop and the names of the selected resources are displayed.
  7. Click Add new entry.
    An Empty entry displays.
  8. Click the Add/Delete link below the entry.
    The screen changes to display resources that you can add and delete.
  9. Select the Webtop tab.
    A list of webtops is displayed.
  10. Select a webtop and click Update.
    The screen changes to display properties and the name of the selected webtop is displayed.
  11. Select Save to save any changes and return to the access policy.
Citrix remote desktop resource and an Access Policy Manager® (APM®) dynamic webtop, are now assigned to the session.

Adding Citrix Smart Access actions to an access policy

To perform this task, first select the access profile you created previously, and open the associated access policy for edit.
You can set one or more filters per Citrix Smart Access action. If you include multiple Citrix Smart Access actions in an access policy, Access Policy Manager accumulates the SmartAccess filters that are set throughout the access policy operation.
  1. Click the( +) icon anywhere in your access profile to which you want to add the Citrix Smart Access action item.
    The Add Item screen opens.
  2. From General Purpose, select Citrix Smart Access and click Add Item.
    The Variable Assign: Citrix Smart Access properties screen opens.
  3. Type the name of a Citrix SmartAccess filter in the open row under Assignment.
    A filter can be any string. Filters are not hardcoded, but must match filters that are configured in the XenApp™ server for application access control or a user policy.
    Note: In the XenApp server, you must specify APM as the Access Gateway farm when you configure filters.
  4. To add another filter, click Add entry and type the name of a Citrix filter in the open row under Assignment.
  5. When you are done adding filters, click Save to return to the Access Policy.
  6. Click the Apply Access Policy link to apply and activate the changes to the access policy.
To apply this access policy to network traffic, add the access profile to a virtual server.
Note: To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Example access policy with Citrix SmartAccess filters

Here is a typical example access policy that uses Citrix SmartAccess filters to restrict access to published applications based on the result of client inspection. Client inspection can be as simple as IP Geolocation Match or Antivirus. The figure shows an access policy being configured with a Citrix Smart Access action to set a filter to antivirus after an antivirus check is successful.

Variable Assign:Citrix Smart Access is set to antivirus in this example.

Example access policy with Citrix SmartAccess action and an antivirus check

Verifying log settings for the access profile

Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Note: Log settings are configured in the Access Policy Event Logs area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. Click the name of the access profile that you want to edit.
    The properties screen opens.
  3. On the menu bar, click Logs.
    The access profile log settings display.
  4. Move log settings between the Available and Selected lists.
    You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URl request logging only.
    Note: Logging is disabled when the Selected list is empty.
  5. Click Update.
An access profile is in effect when it is assigned to a virtual server.

Adding a connectivity profile

Create a connectivity profile to configure client connections for Citrix remote access.
Note: A Citrix client bundle provides an installable Citrix Receiver client. The default parent connectivity profile includes a default Citrix client bundle.
  1. On the Main tab, click Access Policy > Secure Connectivity .
    A list of connectivity profiles displays.
  2. Click Add.
    The Create New Connectivity Profile popup screen opens and displays General Settings.
  3. Type a Profile Name for the connectivity profile.
  4. From the Parent Profile list, select the default profile, connectivity.
  5. To use a Citrix bundle that you have configured, select Citrix Client Settings from the left pane and select the bundle from the Citrix Client Bundle list in the right pane.
    The default Citrix client bundle is included if you do not perform this step.
  6. Click OK.
    The popup screen closes, and the Connectivity Profile List displays.
The connectivity profile appears in the Connectivity Profile List.

Adding Citrix Receiver for HTML5 to a connectivity profile

Download the Citrix Receiver for HTML5 from the Citrix website.
You add Citrix Receiver for HTML5 to a Citrix bundle and add the bundle to a connectivity profile so that APM® can deliver Citrix Receiver for HTML5 to clients.
  1. From the command line, type msiexec /a filepath to MSI file /qb TARGETDIR=filepath to target folder .
  2. On the Main tab, click Access Policy > Application Access > Remote Desktops > Citrix Client Bundles .
    1. In the Name field, type a name that includes html5.
    2. From the Source list, select Windows Package File.
    3. Click Choose File and upload the file ./Citrix/HTML5 Management/HTML5Client.zip.
  3. On the Main tab, click Access Policy > Secure Connectivity .
    1. Click the Connectivity Profile List tab.
    2. Select the connectivity profile you want to update.
    3. Click Edit Profile.
      A popup screen opens.
    4. Click Citrix Client Settings.
    5. From the Citrix Client Bundle list, select the bundle with html5 in its name.
  4. On the Main tab, click Access Policy > Hosted Content > Manage Profile Access .
    1. Click the checkbox next to the Access Profile that is associated with the Citrix Virtual Server.
    2. Click OK.
The Citrix Receiver for HTML5 is included in a bundle with a particular connectivity profile.
To provide functionality with a connectivity profile, you must add the connectivity profile and an access profile to a virtual server.

Creating a virtual server to support Citrix web and mobile clients

This virtual server supports Citrix traffic and responds to web and mobile client requests.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address for a host virtual server.
    This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. From the Configuration list, select Advanced.
  7. For the SSL Profile (Client) setting, from the Available list, select an SSL profile with an SSL certificate that the clients trust, and use the Move button to move the name to the Selected list.
  8. If access to XML Brokers requires SSL, then for the SSL Profile (Server) setting, select an SSL profile.
  9. From the Source Address Translation list, select Auto Map.
  10. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  11. In the Access Policy area, from the Connectivity Profile list, select the connectivity profile.
  12. From the VDI Profile list, select a VDI profile.
    You can select the default profile, vdi.
  13. Click Finished.
The access policy is now associated with the virtual server.

Overview: Giving APM users time to enter a Smart Card PIN

If you have configured Access Policy Manager® for smart card authentication and your users cannot enter a PIN before the SSL handshake times out, they can experience problems such as browser failure or errors because the BIG-IP® system sends a TCP reset after the SSL handshake times out. You can mitigate this problem by increasing the handshake timeout in the client SSL profile.

Updating the handshake timeout in a Client SSL profile

By default, a client SSL profile provides a 10-second SSL handshake timeout. You might need to modify the timeout to give users more or less time for the SSL handshake to complete.

  1. On the Main tab, click Local Traffic > Profiles > SSL > Client .
    The Client profile list screen opens.
  2. In the Name column, click the name of the profile you want to modify.
  3. From the Configuration list, select Advanced.
  4. Scroll down to Handshake Timeout and select the Custom check box.
    Additional settings become available.
  5. To limit the timeout to a number of seconds, select Specify from the list, and type the desired number in the seconds field.
    In the list, the value Indefinite specifies that the system continue trying to establish a connection for an unlimited time. If you select Indefinite, the seconds field is no longer available.
  6. Click Update.
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)