Manual Chapter: Citrix Requirements for Integration with APM

Applies To:

BIG-IP APM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

About Access Policy Manager and Citrix integration types

When integrated with Citrix, Access Policy Manager (APM) performs authentication (and, optionally, uses SmartAccess filters) to control access to Citrix published applications. APM supports these types of integration with Citrix:

Integration with Web Interface sites
In this deployment, APM load-balances and authenticates access to Web Interface sites, providing SmartAccess conditions based on endpoint inspection of clients. Web Interface sites communicate with XML Brokers, render the user interface, and display the applications to the client.
Integration with XML Brokers
In this deployment, APM does not need a Web Interface site. APM load-balances and authenticates access to XML Brokers, providing SmartAccess conditions based on endpoint inspection of clients. APM communicates with XML Brokers, renders the user interface, and displays the applications to the client.

About Citrix required settings

To integrate Access Policy Manager with Citrix, you must meet specific configuration requirements for Citrix as described here.

Trust XML Requests
To support communication with APM, make sure that the Trust XML requests option is enabled in the XenApp AppCenter management console.
Web Interface site authentication settings
If you want to integrate APM with a Citrix Web Interface site, make sure that the Web Interface site is configured with these settings:
  • Authentication point set to At Access Gateway.
  • Authentication method set to Explicit.
  • Authentication service URL points to a virtual server on the BIG-IP system; the URL must be one of these:
    • http://address of the virtual server/CitrixAuth
    • https://address of the virtual server/CitrixAuth (if traffic is encrypted between APM and the Citrix Web Interface site).

      The address can be the IP address or the FQDN. If you use HTTPS, make sure to use the FQDN that you use in the SSL certificate on the BIG-IP system.

Application access control (SmartAccess)
If you want to control application access with SmartAccess filters through Access Policy Manager, make sure that the settings in the XenApp AppCenter management console, for each of the applications you want to control, match these:
| Citrix setting | Value |
| --- | --- |
| Allow connections made through Access Gateway | enabled |
| Access Gateway Farm | APM |
| Access Gateway Filter | The value must match the literal string that Access Policy Manager sets during access policy operation (through the Citrix SmartAccess action item) |

Note: The navigation path for application access control is AppCenter > Citrix Resources > XenApp > farm_name > Applications > application_name > Application Properties > Advanced Access Control.
User access policies (SmartAccess)
You can control access to certain features, such as Client Drive or Printer Mapping, so that they are permitted only when a certain SmartAccess string is sent to the XenApp server. If you want to control access to such features with SmartAccess filters through Access Policy Manager, you need to create a Citrix User Policy with an Access Control Filter in the XenApp AppCenter management console for each feature that you want to control. Make sure that the Access Control Filter settings of the Citrix User Policy match these:
| Citrix setting | Value |
| --- | --- |
| Connection Type | With Access Gateway |
| Access Gateway Farm | APM |
| Access Gateway Filter | The value must match the literal string that Access Policy Manager sets during access policy execution (through the Citrix SmartAccess action item) |

Note: The navigation path for user access policies is AppCenter > Citrix Resources > XenApp > farm_name > Policies > Users > Citrix User Policies > new_policy_name. Choose the feature from Categories and, if creating a new filter, select New Filter Element from Access Control.

About Citrix Receiver requirements for Mac, iOS, and Android clients

To support Citrix Receivers for Mac, iOS, and Android, you must meet specific configuration requirements for the Citrix Receiver client.

Address field for standard Citrix service site (/Citrix/PNAgent/)
https://<APM-external-virtual-server-FQDN>
Address field for custom Citrix service site
https://<APM-external-virtual-server-FQDN>/custom_site/config.xml, where custom_site is the name of the custom service site.
Access Gateway
Select the Access Gateway check box and select Enterprise Edition.
Authentication
Choose either: Domain-only or RSA+Domain authentication

About Citrix Receiver requirements for Windows and Linux clients

To support Citrix Receiver for Windows and Linux clients, you must meet specific configuration requirements for the Citrix Receiver client, as described here.

Address field for standard Citrix service site (/Citrix/PNAgent/)
https://<APM-external-virtual-server-FQDN>
Address field for custom Citrix service site
https://<APM-external-virtual-server-FQDN>/custom_site/config.xml, where custom_site is the name of the custom service site.

About Citrix requirements for SmartCard support

Access Policy Manager supports auto logon for XenApp and XenDesktop clients that connect through an APM dynamic webtop. APM supports auto logon using these methods:

  • Password-based: APM takes the user password from a Citrix remote desktop resource, and performs single sign-on (SSO) into XenApp or XenDesktop.
  • Kerberos: Citrix supports APM takes the user name and domain from an SSO configuration, and uses them to obtain a Kerberos ticket and perform SSO into XenApp.
  • SmartCard (two-PIN prompt): A logon page that you configure requests the SmartCard PIN; APM takes the user name from a Citrix remote desktop resource and performs SSO into XenApp or XenDesktop. When the user launches the Citrix application, the Windows login prompt displays an option to enter the SmartCard PIN. Thus, the user enters the PIN twice: once when logging in to APM and once on the Windows login screen when launching an application.

To use Kerberos or SmartCard auto logon options from APM, you must meet specific configuration requirements for Citrix as described here:

  • Kerberos: Configure Kerberos Delegation in Active Directory as described in Citrix knowledge article CTX124603.
  • SmartCard: Enable SID Enumeration on XenApp and XenDesktop as described in these Citrix knowledge articles: CTX117489 and CTX129968.
Note: Requirements specified in the knowledge articles are applicable.

About Citrix product terminology

XenApp server
Refers to the XML Broker in the farm where Citrix SmartAccess filters are configured and from which applications and features are delivered.
XenApp AppCenter
Refers to the management console for a XenApp farm.
Note: The names of the Citrix products and components that provide similar services might be different in your configuration. Refer to AskF5 (support.f5.com) to identify the supported version of Citrix in the compatibility matrix for the Access Policy Manager version that you have. Then refer to version-specific Citrix product documentation for Citrix product names and features.

About Wyse Xenith Zero client character set settings

On Citrix XenApp or StoreFront servers, administrators can provide application names using various languages, some of which use non-ASCII character sets. When using a supported Wyse Xenith Zero client with F5 BIG-IP APM Secure Proxy, if an application name was specified using a non-ASCII character set, it can display as ????. If this occurs, it indicates a mismatch between that character set and the character set configured for the keyboard in the peripheral settings on the client.

To view an application name in its correct format, the character set configured for the keyboard on the client must match the language in which the name is specified on the server.

For example, for an application name that is specified in Arabic on the server, peripheral settings for the keyboard on the client must specify character set cp1251. Similarly, for an application name in Cyrillic on the server, the character set specified on the client must be cp1256. Refer to product documentation for the Wyse Xenith Zero client for definitive information.

About Citrix StoreFront proxy support

On Citrix XenApp or StoreFront servers, administrators can use StoreFront proxy with native protocol. APM administrators can use either Secure Ticket Authority (STA) tickets or ICA patching, but need to configure both APM and StoreFront.

In STA ticket mode, the admin must meet the following requirements:
  • APM acts as a gateway, and the admin uses it to enable remote access to the StoreFront store clients the admin connects to
  • The STA server address is required on both APM and StoreFront

In ICA patching mode, the admin must ensure that APM does not act as a gateway in StoreFront. Besides that, ICA patching mode clients can access all StoreFront stores. Configuring APM as a gateway can break the client authentication.