Manual Chapter : Integrating APM with Citrix XML Brokers

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 11.5.1
Manual Chapter

Overview: Integrating APM with Citrix XML Brokers with SmartAccess support

In this implementation, you integrate Access Policy Manager (APM) with Citrix XML Brokers and present Citrix published applications on an APM dynamic webtop.

Traffic flow in APM configuration to integrate with Citrix XML Brokers APM integration with Citrix XML Brokers
  1. A user (client browser or Citrix Receiver) requests access to applications.
  2. The virtual server starts an access policy that performs authentication and sets SmartAccess filters.
  3. The virtual server sends the authenticated request and filters to a Citrix XML Broker.
  4. An XML Broker returns a list of allowed applications to the external virtual server.
  5. The virtual server renders and displays the user interface to the client on an Access Policy Manager webtop.

Supported authentication

For Citrix Receiver Windows and Linux clients: only Active Directory authentication is supported.

For Citrix Receiver clients for iOS, Android, and Mac: Active Directory, or both RSA and Active Directory authentication is supported.

For web clients, you are not restricted in the type of authentication you use.

About APM dynamic webtop for Citrix XML Brokers

A dynamic webtop enables Access Policy Manager (APM) to act as a presentation layer for Citrix published resources. APM communicates directly with Citrix XML Brokers, retrieves a list of published resources, and displays them to the user on a dynamic webtop.

The addresses of XML Brokers are configured in pools on APM. A pool includes addresses from one Citrix farm. You specify a pool as a destination in a Citrix remote desktop resource. Each resource logically represents a Citrix farm. You can assign multiple resources to a user, enabling the user to access Citrix applications from multiple Citrix farms.

How to specify different actions for different clients

The Client Type action determines whether the client is using a full browser, the BIG-IP Edge Client, or another client to access the Access Policy Manager. (APM) This action makes it possible for you to specify different actions for different client types in one access policy. As a result, when you add such an access policy to a virtual server, you can then use one virtual server for traffic from different client types. This figure shows the Client Type action as it looks when first added to an access policy.

What the Client Type action looks like after you first add it to an access policy Client Type action

By default, the Client Type action includes these branches:

Edge Portal
Indicates that the user is connecting with the BIG-IP Edge Portal mobile app.
Edge Client
Indicates that the user is connecting with the BIG-IP Edge Client or BIG-IP Edge Client app, supported on multiple devices and operating systems.
Citrix Receiver
Indicates that the user is connecting using a later Citrix Receiver client.
Citrix Receiver (legacy)
Indicates that the user is connecting using an earlier Citrix Receiver client (identified with PN Agent).
VMware View
Indicates that the user is connecting using a VMware Horizon View client.
Full or Mobile Browser
Indicates the user is connecting with a Windows web browser or a mobile browser.
Windows Inbox F5 VPN Client
Indicates the user is connecting using the Windows Inbox F5 VPN client.
fallback
Indicates the user is connecting with another method.

APM supports the client types on multiple operating systems. Refer to AskF5 (support.f5.com) to look up the supported operating systems and versions in the compatibility matrix for your version of APM.

Note: To create additional branching for a client type based on operating system, you can add a client operating system (Client OS) action on the client type branch.

About Citrix client bundles in APM

A Citrix client bundle enables delivery of a Citrix Receiver client to a user's Windows computer when a client is not currently installed, or when a newer client is available. Access Policy Manager (APM) detects whether the Citrix Receiver client is present and redirects users to a download URL, or downloads a Citrix Receiver client that you have uploaded.

In Access Policy Manager, you specify the Citrix client bundle in a connectivity profile. By default, a connectivity profile includes the default Citrix bundle, /Common/default-citrix-client-bundle, which contains a download URL, receiver.citrix.com.

Note: You can upload Citrix Receiver clients from the Application Access area of Access Policy Manager.

About auto logon from APM dynamic webtop and authentication

Access Policy Manager supports two auto logon options for Citrix that provide password-less authentication:

  • Kerberos - Supports any kind of password-less authentication on APM: SmartCard, RSA PIN, client SSL certificate, and so on. Citrix supports Kerberos only for XenApp.
  • SmartCard - Citrix supports SmartCard for XenDesktop. Citrix also supports SmartCard for XenApp.
    Note: When using SmartCard with XenApp, a user is prompted for a SmartCard PIN twice: once when logging in to APM and again when starting a Citrix application.
These options work in APM only when:
  • Citrix is configured to support SmartCard SSO (with Kerberos) or SmartCard.
  • Citrix requirements for using SmartCard SSO or SmartCard are met.

Task summary for XML Broker integration with APM

Ensure that you configure the Citrix components in the Citrix environment, in addition to configuring the BIG-IP system to integrate with Citrix XML Brokers.

Perform these tasks on the BIG-IP system so that Access Policy Manager can present Citrix published resources on a dynamic webtop.

Task list

Creating a pool of Citrix XML Brokers

Create one pool of XML Brokers for each Citrix farm that you want to support.
  1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens.
  2. Click Create. The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. In the Resources area, using the New Members setting, add each resource that you want to include in the pool:
    1. Either type an IP address in the Address field, or select a preexisting node address from the Node List.
    2. If access to the XML Broker is through SSL, in the Service Port field, type 443 or select HTTPS from the list; otherwise, type 80 or select HTTP from the list.
    3. Click Add.
  5. Click Finished.
The new pool appears in the Pools list.

Configuring a Citrix remote desktop resource

Create one Citrix remote desktop resource for each Citrix farm that you want to support.
  1. On the Main tab, click Access Policy > Application Access > Remote Desktops. The Remote Desktops list opens.
  2. Click Create. The New Resource screen opens.
  3. Type a name for the remote desktop resource.
  4. For the Type setting, retain the default Citrix.
  5. For the Destination setting, select Pool and select the pool that you created previously.
  6. In the Auto Logon area, select the Enable check box to automatically log on to a Citrix XML Broker.
    1. From the Broker Authentication list, select the type of authentication to use, either Password-based, Kerberos, or SmartCard. The Kerberos and SmartCard options enable password-less authentication. You cannot use either of them successfully unless Citrix is configured for SmartCard SSO (Kerberos) or SmartCard. The fields that are displayed vary based on this selection.
    2. In the Username Source field, accept the default or type the session variable to use as the source for the auto logon user name.
    3. In the Password Source field, accept the default or type the session variable to use as the source for the auto logon user password.
    4. In the Domain Source field, accept the default or type the session variable to use as the source for the auto logon user domain.
    5. From the Kerberos SSO list, select a Kerberos SSO configuration that has already been configured.
  7. In the Customization Settings for language_name area, type a Caption. The caption is the display name of the Citrix resource on the APM webtop.
  8. Click Finished. All other parameters are optional.
This creates the Citrix remote desktop resource.

Configuring a dynamic webtop

A dynamic webtop allows you to see a variety of resources protected by Access Policy Manager, including Citrix Published Applications.
  1. On the Main tab, click Access Policy > Webtops.
  2. Click Create.
  3. Type a name for the webtop.
  4. From the Type list, select Full.
  5. Click Finished.
The webtop is now configured, and appears in the webtop list.

Creating an access policy for Citrix SSO (APM dynamic webtop)

Before you can create an access policy for Citrix single sign-on (SSO), you must meet these requirements:
  • Configure the appropriate AAA servers to use for authentication.
    Note: An Active Directory AAA server must include the IP address of the domain controller and the FQDN of the Windows domain name. If anonymous binding to Active Directory is not allowed in your environment, you must provide the admin name and password for the Active Directory AAA server.
  • Create an access profile using default settings.
Configure an access policy to authenticate a user and enable single sign-on (SSO) to Citrix published resources.
Note: APM supports different types of authentication depending on the client type. This access policy shows how to use the Client Type action to configure authentication for legacy Citrix Receiver clients (Windows and Linux) and later Citrix Receiver clients (iOS, Mac, and Android) in the same access policy.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new action item. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Type client in the search field and select Client Type from the results. A properties screen displays.
  5. Click Save. The properties screen closes and the Client Type action displays in the visual policy editor.
  6. To configure actions for Citrix Receiver for Windows and Linux clients, perform these substeps.
    Note: Citrix Receiver for Windows and Citrix Reciver for Linux support Active Directory authentication only.
    1. Click the (+) icon on the Citrix Receiver (legacy) branch after the Client Type action.
    2. On the Logon tab, select Logon Page, and click Add Item. A properties screen displays. The default logon page settings are acceptable.
    3. Click Save.
    4. After the Logon Page action, add an SSO Credential Mapping action with default settings.
    5. After the SSO Credential Mapping action, click the (+) icon.
    6. Type var into the search field, select Variable Assign from the results, and click Add Item. Use the Variable Assign action to pass the domain name for the Citrix remote desktop resource so that a user is not repeatedly queried for it. A properties screen opens.
    7. Click Add new entry. An empty entry appears in the Assignment table.
    8. Click the change link next to the empty entry. A dialog box appears, where you can enter a variable and an expression.
    9. From the left-side list, retain the Custom Variable setting, and type session.logon.last.domain.
    10. From the right-side list, retain the Custom Expression setting and type expr { "[example.com] }" to assign the domain name for the Citrix remote desktop resource (where example.com is the domain name of the resource). The Citrix remote destop resource equates to an XML Broker that is selected from a pool.
    11. Click Finished.
    12. Click Save.
    13. After the previous action, click the Deny ending and select the Allow ending.
    The access policy branch for legacy Citrix Receiver clients is complete.
  7. To configure actions for Citrix Receiver for iOS, Android, and Mac, complete the remaining steps. Citrix Receiver for iOS, Android, and Mac, support both RSA SecurID and AD Auth authentication. This example shows how to use both.
  8. After the Client Type action, on the Citrix Receiver branch, click the (+) icon.
  9. On the Logon tab, select Logon Page, and click Add Item.
  10. Customize the Logon Page to accept an RSA token and an Active Directory password:
    1. In row 3: From the Type list, select password; In the Post Variable Name field, type password1; In the Session Variable Name field, type password1. APM stores the text that a user types into this field in the session.logon.last.password1 session variable. You have added another password field to the logon page.
    2. In Login Page Input Field #2, type RSA Token. You replaced the existing prompt for the first password field.
    3. In Login Page Input Field #3, type AD Password. You provided a prompt for the second password field.
  11. To add RSA SecurID authentication, click the plus (+) icon between Logon Page and Deny:
    1. Type rsa in the search field, select RSA SecurID from the results, and click Add Item.
    2. From the Server list, select the AAA RSA SecurID server that you created previously and click Save. The properties screen closes.
    3. After the RSA SecurID action, add a Variable Assign action. Use the Variable Assign action to move the AD password into the session.logon.last.password session variable; the authentication agent requires this. A Variable Assign properties page opens.
    4. Click Add new entry. An empty entry appears in the Assignment table.
    5. Click the change link next to the empty entry. A dialog box appears, where you can enter a variable and an expression.
    6. From the left-side list, retain the Custom Variable setting, and type session.logon.last.password.
    7. From the right-side list, retain the Custom Expression setting, and type expr { "[mcget -secure session.logon.last.password1] }". Variable Assign add entry screenshot
    8. Click Finished to save the variable and expression, and return to the Variable Assign action screen.
    9. Click Save.
  12. After the previous action, add an AD Auth action and configure properties for it:
    1. From the AAA Server list, select the AAA server that you created previously.
    2. To support Citrix Receiver clients, you must set Max Logon Attempts to 1.
    3. Configure the rest of the properties as applicable to your configuration and click Save.
  13. Click the Add Item (+) icon between AD Auth and Deny.
    1. On the Assignment tab, select SSO Credential Mapping, and click Add Item.
    2. Click Save.
    The SSO Credential Mapping makes the information from the session.logon.last.password variable available for Citrix SSO.
  14. Add a Variable Assign action after the SSO Credential Mapping action. Use the Variable Assign action to pass the domain name for an XML Broker so that a user is not repeatedly queried for it.
    1. Click Add new entry. An empty entry appears in the Assignment table.
    2. Click the change link next to the empty entry. A dialog box appears, where you can enter a variable and an expression.
    3. From the left-side list, select Custom Variable (the default), and type session.logon.last.domain.
    4. From the right-side list, select Custom Expression (the default), and type an expression expr {"example.com"}.
    5. Click Finished to save the variable and expression, and return to the Variable Assign action screen.
  15. On the fallback path between the last action and Deny, click Deny, and then click Allow and Save. The access policy branch for the Citrix Receiver client type is complete.
  16. Click the Apply Access Policy link to apply and activate the changes to the access policy.
  17. Click Close.

You should have an access policy that contains actions for both Citrix Receiver client types.

Example access policy for legacy Citrix Receiver clients and later Citrix Receiver clients

Assigning Citrix resources to an access policy for Citrix integration

Before you start, create or select an access profile and open the associated access policy for edit.
Assign the webtop and Citrix remote desktop resources that you configured to a session so that XML Brokers associated with the resources can return the appropriate published resources for display on the webtop.
Note: This access policy shows how to use the Advanced Resource Assign action item to assign the resources. Alternatively, you can use the Resource Assign and Webtop and Links Assign action items.
  1. Click the (+) icon anywhere in the access policy to add a new action item. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  2. On the Assignment tab, select Advanced Resource Assign and click Add Item. The properties screen opens.
  3. Click Add new entry. An Empty entry displays.
  4. Click the Add/Delete link below the entry. The screen changes to display resources that you can add and delete.
  5. Select the Remote Desktop tab. A list of remote desktop resources is displayed.
  6. Select Citrix remote desktop resources and click Update. You are returned to the properties screen where Remote Desktop and the names of the selected resources are displayed.
  7. Click Add new entry. An Empty entry displays.
  8. Click the Add/Delete link below the entry. The screen changes to display resources that you can add and delete.
  9. Select the Webtop tab. A list of webtops is displayed.
  10. Select a webtop and click Update. The screen changes to display properties and the name of the selected webtop is displayed.
  11. Select Save to save any changes and return to the access policy.
Citrix remote desktop resource and an Access Policy Manager (APM) dynamic webtop, are now assigned to the session.

Adding Citrix Smart Access actions to an access policy

To perform this task, first select the access profile you created previously, and open the associated access policy for edit.
You can set one or more filters per Citrix Smart Access action. If you include multiple Citrix Smart Access actions in an access policy, Access Policy Manager accumulates the SmartAccess filters that are set throughout the access policy operation.
  1. Click the( +) icon anywhere in your access profile to which you want to add the Citrix Smart Access action item. The Add Item screen opens.
  2. From General Purpose, select Citrix Smart Access and click Add Item. The Variable Assign: Citrix Smart Access properties screen opens.
  3. Type the name of a Citrix SmartAccess filter in the open row under Assignment. A filter can be any string. Filters are not hardcoded, but must match filters that are configured in the XenApp server for application access control or a user policy.
    Note: In the XenApp server, you must specify APM as the Access Gateway farm when you configure filters.
  4. To add another filter, click Add entry and type the name of a Citrix filter in the open row under Assignment.
  5. When you are done adding filters, click Save to return to the Access Policy.
You now need to save the access policy and assign it to a virtual server.

Example access policy with Citrix SmartAccess filters

Here is a typical example access policy that uses Citrix SmartAccess filters to restrict access to published applications based on the result of client inspection. Client inspection can be as simple as IP Geolocation Match or Antivirus. The figure shows an access policy being configured with a Citrix Smart Access action to set a filter to antivirus after an antivirus check is successful.

Variable Assign:Citrix Smart Access is set to antivirus in this example. Example access policy with Citrix SmartAccess action and an antivirus check

Adding a connectivity profile

Create a connectivity profile to configure client connections for Citrix remote access.
Note: A Citrix client bundle provides an installable Citrix Receiver client. The default parent connectivity profile includes a default Citrix client bundle.
  1. On the Main tab, click Access Policy > Secure Connectivity. A list of connectivity profiles displays.
  2. Click Add. The Create New Connectivity Profile popup screen opens and displays General Settings.
  3. Type a Profile Name for the connectivity profile.
  4. From the Parent Profile list, select the default profile, connectivity.
  5. To use a Citrix bundle that you have configured, select Citrix Client Settings from the left pane and select the bundle from the Citrix Client Bundle list in the right pane. The default Citrix client bundle is included if you do not perform this step.
  6. Click OK. The popup screen closes, and the Connectivity Profile List displays.
The connectivity profile appears in the Connectivity Profile List.

Adding Citrix Receiver for HTML5 to a connectivity profile

Download the Citrix Receiver for HTML5 from the Citrix website.
You add Citrix Receiver for HTML5 to a Citrix bundle and add the bundle to a connectivity profile so that APM can deliver Citrix Receiver for HTML5 to clients.
  1. From the command line, type msiexec /a filepath to MSI file /qb TARGETDIR=filepath to target folder.
  2. On the Main tab, click Access Policy > Application Access > Remote Desktops > Citrix Client Bundles.
    1. In the Name field, type a name that includes html5.
    2. From the Source list, select Windows Package File.
    3. Click Choose File and upload the file ./Citrix/HTML5 Management/HTML5Client.zip.
  3. On the Main tab, click Access Policy > Secure Connectivity.
    1. Click the Connectivity Profile List tab.
    2. Select the connectivity profile you want to update.
    3. Click Edit Profile. A popup screen opens.
    4. Click Citrix Client Settings.
    5. From the Citrix Client Bundle list, select the bundle with html5 in its name.
The Citrix Receiver for HTML5 is included in a bundle with a particular connectivity profile.
For a connectivity profile to go into effect, you must add it to a virtual server.

Creating a virtual server to support Citrix web and mobile clients

This virtual server supports Citrix traffic and responds to web and mobile client requests.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting, select Host and in the Address field, type the IP address for the virtual server.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. From the Configuration list, select Advanced.
  7. For the SSL Profile (Client) setting, from the Available list, select an SSL profile with an SSL certificate that the clients trust, and use the Move button to move the name to the Selected list.
  8. If access to XML Brokers requires SSL, then for the SSL Profile (Server) setting, select an SSL profile.
  9. From the Source Address Translation list, select Auto Map.
  10. In the Access Policy area, from the Access Profile list, select the access profile.
  11. In the Access Policy area, from the Connectivity Profile list, select the connectivity profile.
  12. Select the VDI & Java Support check box.
  13. Click Finished.
The access policy is now associated with the virtual server.