In this implementation, Access Policy Manager performs authentication while integrating with a Citrix Web Interface site. The Web Interface site communicates with the XenApp server, renders the user interface, and displays the applications to the client.
The preceding figure shows a configuration with one virtual server that communicates with clients and the Web Interface site.
In cases where the Web Interface site cannot communicate with an external virtual server, you must configure an additional, internal virtual server to manage requests from the Citrix Web Interface as part of Smart Access and SSO. You need an internal virtual server, for example, when the Web Interface site is behind a firewall, uses HTTP in the Authentication URL, or establishes trust with APM using a different SSL CA certificate than the one used by client devices.
This implementation supports web clients and Citrix Receiver (iOS, Android, Mac, Windows, and Linux) clients.
For Citrix Receiver Windows and Linux clients, only Active Directory authentication is supported.
For Citrix Receiver clients for iOS, Android, and Mac, either Active Directory authentication alone or both RSA and Active Directory authentication is supported.
For web clients, you are not restricted in the type of authentication you use.
Ensure that you configure the Citrix components in the Citrix environment, in addition to configuring the BIG-IP system to integrate with Citrix Web Interface sites.
Perform these tasks on the BIG-IP system to integrate Access Policy Manager with a Citrix Web Interface site.
You should have an access policy that resembles either of these examples:
Here is a typical example access policy that uses Citrix SmartAccess filters to restrict access to published applications based on the result of client inspection. Client inspection can be as simple as IP Geolocation Match or Antivirus. The figure shows an access policy being configured with a Citrix Smart Access action to set a filter to antivirus after an antivirus check is successful.