Manual Chapter : Integrating APM with a Citrix Web Interface Site

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 12.0.0
Manual Chapter

Integrating APM with a Citrix Web Interface Site

Overview: Integrating APM with Citrix Web Interface sites

In this implementation, Access Policy Manager® performs authentication while integrating with a Citrix Web Interface site. The Web Interface site communicates with the XenApp server, renders the user interface, and displays the applications to the client.

Traffic flow in an APM and Citrix web interface configuration

APM Citrix Web Interface integration with SmartAccess support

The preceding figure shows a configuration with one virtual server that communicates with clients and the Web Interface site.

  1. A user (client browser or Citrix Receiver) requests access to applications or features.
  2. The external virtual server starts an access policy that performs authentication and sets SmartAccess filters.
  3. The external virtual server sends the authenticated request and filters to the Citrix Web Interface site. The Citrix Web Interface site, in turn, forwards the information to the XML broker (XenApp server).
  4. The XML Broker returns a list of allowed applications to the Citrix Web Interface site.
  5. The Citrix Web Interface site renders and displays the UI to the user.

In cases where the Web Interface site cannot communicate with an external virtual server, you must configure an additional, internal, virtual server to manage requests from the Citrix Web Interface as part of Smart Access and SSO. You need an internal virtual server, for example, when the Web Interface site is behind a firewall, uses HTTP in the Authentication URL, or uses a different SSL CA certificate for establishing trust with APM than the one used by client devices.

Traffic flow in APM and Citris web interface integration

Internal virtual server for requests from Web Interface site

Supported clients

This implementation supports web clients and Citrix Receiver (iOS, Android, Mac, Windows, and Linux) clients.

Supported authentication

For Citrix Receiver Windows and Linux clients: only Active Directory authentication is supported.

For Citrix Receiver clients for iOS, Android, and Mac: Active Directory, or both RSA and Active Directory authentication is supported.

For web clients, you are not restricted in the type of authentication you use.

About the iApp for Citrix integration with APM

An iApps® template is available for configuring Access Policy Manager® and Local Traffic Manager™ to integrate with Citrix applications. The template can be used on the BIG-IP® system to create an application service that is capable of performing complex configurations. You can download the template from the F5® DevCentral™ iApp Codeshare wiki at https://devcentral.f5.com/wiki/iApp.Citrix-Applications.ashx. A deployment guide is also available there.

Task summary for APM integration with Citrix Web Interface sites

Ensure that you configure the Citrix components in the Citrix environment, in addition to configuring the BIG-IP® system to integrate with Citrix Web Interface sites.

Perform these tasks on the BIG-IP system to integrate Access Policy Manager® with a Citrix Web Interface site.

Task list

Creating an access profile

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. Click Create.
    The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    Note: An access profile name must be unique among all access profile and any per-request policy names.
  4. From the Profile Type list, select one of these options.
    • LTM-APM: Select for a web access management configuration.
    • SSL-VPN: Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
    • ALL: Select to support LTM-APM and SSL-VPN access types.
    Additional settings display.
  5. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  6. Click Finished.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.

Verifying log settings for the access profile

Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Note: Log settings are configured in the Access Policy Event Logs area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. Click the name of the access profile that you want to edit.
    The properties screen opens.
  3. On the menu bar, click Logs.
    The access profile log settings display.
  4. Move log settings between the Available and Selected lists.
    You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URl request logging only.
    Note: Logging is disabled when the Selected list is empty.
  5. Click Update.
An access profile is in effect when it is assigned to a virtual server.

Creating an access policy for Citrix SSO

Before you can create an access policy for Citrix single sign-on (SSO), you must configure the appropriate AAA servers to use for authentication.
Note: An Active Directory AAA server must include the IP address of the domain controller and the FQDN of the Windows domain name. If anonymous binding to Active Directory is not allowed in your environment, you must provide the admin name and password for the Active Directory AAA server.
You configure an access policy to authenticate a user and enable single sign-on (SSO) to Citrix published resources.
Note: APM® supports different types of authentication depending on the client type. This access policy includes steps for both RSA SecurID and AD Auth authentication (supported for Citrix Receiver for iOS, Mac, and Android) or AD Auth only (supported for Citrix Receiver for Windows and Linux). Use the type of authentication for the client that you need to support.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. On the popup screen, on the Logon tab, specify an access policy as appropriate:
    • Logon Page: Select this if you allow one-factor password authentication with a single logon prompt containing one password field.
    • Citrix Logon Prompt: Select this if you allow two-factor password authentication with a single logon prompt containing two password fields.
  5. Click Add Item.
    A properties screen displays.
  6. To configure the Logon Page properties, specify the authentication required:
    • To support Active Directory authentication only, click Save.
    • To support both Active Directory and RSA SecurID authentication, configure the Logon Page to accept an RSA token and an AD password, and then click Save.
    In this example, Logon Page Input Field #2 accepts the RSA Token code into the session.logon.last.password variable (from which authentication agents read it). Logging Page Input Field #3 saves the AD password into the session.logon.last.password1 variable. Logon Page properties screen
    The properties screen closes.
  7. To configure the Citrix Logon Prompt properties, specify the type of authentication needed:
    • To support two-factor authentication, click Save.
    • To support domain-only authentication, from the Citrix Authentication Type list, select domain-only and then click Save.
  8. Optional: To add RSA SecurID authentication, click the plus (+) icon between Logon Page and Deny:
    1. From the Authentication tab, select RSA SecurID, and click Add Item.
    2. In the properties screen from the Server list, select the AAA server that you created previously and click Save.
      The properties screen closes.
    3. After the RSA SecurID action, add a Variable Assign action.
      Use the Variable Assign action to move the AD password into the session.logon.last.password variable.
    4. Click Add new entry.
      An empty entry appears in the Assignment table.
    5. Click the change link next to the empty entry.
      A dialog box opens, where you can enter a variable and an expression.
    6. From the left-side list, select Custom Variable (the default), and type session.logon.last.password.
    7. From the right-side list, select Custom Expression (the default), and type expr { "[mcget -secure session.logon.last.password1]" }.
      Variable Assign add entry screenshot
      The AD password is now available for use in Active Directory authentication.
    8. Click Finished to save the variable and expression, and return to the Variable Assign action screen.
  9. Add the AD Auth action after one of these actions:
    • Variable Assign - This action is present only if you added RSA SecurID authentication.
    • Logon Page - Add here if you did not add RSA SecurID authentication.
    A properties screen for the AD Auth action opens.
  10. Configure the properties for the AD Auth action:
    1. From the AAA Server list, select the AAA server that you created previously.
    2. To support Citrix Receiver clients, you must set Max Logon Attempts to 1.
    3. Configure the rest of the properties as applicable to your configuration and click Save.
  11. Click the Add Item (+) icon between AD Auth and Deny.
    1. From the Assignment tab, select SSO Credential Mapping, and click Add Item.
    2. Click Save.
    The SSO Credential Mapping makes the information from the session.logon.last.password variable available (for Citrix SSO).
  12. Add a Variable Assign action after the SSO Credential Mapping action.
    Use the Variable Assign action to pass the domain name for the Citrix Web Interface site so that a user is not repeatedly queried for it.
    1. Click Add new entry.
      An empty entry appears in the Assignment table.
    2. Click the change link next to the empty entry.
      A dialog box opens, where you can enter a variable and an expression.
    3. From the left-side list, select Custom Variable (the default), and type session.logon.last.domain.
    4. From the right-side list, select Custom Expression (the default), and type an expression expr {"DEMO.LON"}, to assign the domain name for the Citrix Web Interface site (where DEMO.LON is the domain name of the Citrix Web Interface site).
      Custom Variable session.logon.last.domain = Custom Expression expr{"DEMO.LON"}
    5. Click Finished to save the variable and expression, and return to the Variable Assign action screen.
  13. On the fallback path between the last action and Deny, click Deny, and then click Allow and Save.
  14. Click Close.

You should have an access policy that resembles one of these examples:

Example policy with an AD Auth action

Example access policy with AD authentication, credential mapping, and Web Interface site domain assignment

Example policy with RSA Auth and AD Auth actions

Configuring RSA SecurID authentication before AD authentication

Example policy with Citrix Logon Prompt action

Example access policy with Citrix Logon Prompt

To apply this access policy to network traffic, add the access profile to a virtual server.
Note: To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Adding Citrix Smart Access actions to an access policy

To perform this task, first select the access profile you created previously, and open the associated access policy for edit.
You can set one or more filters per Citrix Smart Access action. If you include multiple Citrix Smart Access actions in an access policy, Access Policy Manager accumulates the SmartAccess filters that are set throughout the access policy operation.
  1. Click the( +) icon anywhere in your access profile to which you want to add the Citrix Smart Access action item.
    The Add Item screen opens.
  2. From General Purpose, select Citrix Smart Access and click Add Item.
    The Variable Assign: Citrix Smart Access properties screen opens.
  3. Type the name of a Citrix SmartAccess filter in the open row under Assignment.
    A filter can be any string. Filters are not hardcoded, but must match filters that are configured in the XenApp™ server for application access control or a user policy.
    Note: In the XenApp server, you must specify APM as the Access Gateway farm when you configure filters.
  4. To add another filter, click Add entry and type the name of a Citrix filter in the open row under Assignment.
  5. When you are done adding filters, click Save to return to the Access Policy.
  6. Click the Apply Access Policy link to apply and activate the changes to the access policy.
To apply this access policy to network traffic, add the access profile to a virtual server.
Note: To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Example access policy with Citrix SmartAccess filters

Here is a typical example access policy that uses Citrix SmartAccess filters to restrict access to published applications based on the result of client inspection. Client inspection can be as simple as IP Geolocation Match or Antivirus. The figure shows an access policy being configured with a Citrix Smart Access action to set a filter to antivirus after an antivirus check is successful.

Variable Assign:Citrix Smart Access is set to antivirus in this example.

Example access policy with Citrix SmartAccess action and an antivirus check

Creating a pool of Citrix Web Interface servers

Create a pool of Citrix Web Interface servers for high availability.
  1. On the Main tab, click Local Traffic > Pools .
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. In the Resources area, using the New Members setting, add each resource that you want to include in the pool:
    1. Type an IP address in the Address field, or select Node List and select an address from the list of available addresses.
    2. If access to the Web Interface site is through SSL, in the Service Port field type 443; otherwise, type 80.
    3. Click Add.
  5. Click Finished.
The new pool appears in the Pools list.

Adding a connectivity profile

Create a connectivity profile to configure client connections for Citrix remote access.
Note: A Citrix client bundle provides an installable Citrix Receiver client. The default parent connectivity profile includes a default Citrix client bundle.
  1. On the Main tab, click Access Policy > Secure Connectivity .
    A list of connectivity profiles displays.
  2. Click Add.
    The Create New Connectivity Profile popup screen opens and displays General Settings.
  3. Type a Profile Name for the connectivity profile.
  4. From the Parent Profile list, select the default profile, connectivity.
  5. To use a Citrix bundle that you have configured, select Citrix Client Settings from the left pane and select the bundle from the Citrix Client Bundle list in the right pane.
    The default Citrix client bundle is included if you do not perform this step.
  6. Click OK.
    The popup screen closes, and the Connectivity Profile List displays.
The connectivity profile appears in the Connectivity Profile List.

Creating a custom HTTP profile

An HTTP profile defines the way that you want the BIG-IP® system to manage HTTP traffic.
  1. On the Main tab, click Local Traffic > Profiles > Services > HTTP .
    The HTTP profile list screen opens.
  2. Click Create.
    The New HTTP Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select http.
  5. Select the Custom check box.
  6. From the Redirect Rewrite list, select All.
  7. Click Finished.
The custom HTTP profile now appears in the HTTP profile list screen.

Configuring the external virtual server

Create a virtual server to support Citrix traffic and respond to client requests.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1/32 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64.
    Note: If you plan to configure only one virtual server to integrate with Citrix Web Interface sites, then the authentication URL of the Web Interface site must match the IP address of this virtual server.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. From the Configuration list, select Advanced.
  7. Optional: For the SSL Profile (Client) setting, select an SSL profile with an SSL certificate that is trusted by clients.
  8. If you use SSL to access the Web Interface site, add an SSL profile to the SSL Profile (Server) field.
  9. From the HTTP Profile list, select the custom http profile that you created previously.
    The HTTP profile must have Redirect Rewrite set to All.
  10. From the Source Address Translation list, select Auto Map.
  11. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  12. In the Access Policy area, from the Connectivity Profile list, select the connectivity profile.
  13. From the VDI Profile list, select a VDI profile.
    You can select the default profile, vdi.
  14. In the Resources area, from the Default Pool list, select the name of the pool that you created previously.
  15. Click Finished.
The access policy is now associated with the virtual server.

Creating a data group to support a nonstandard Citrix service site

By default, APM recognizes /Citrix/PNAgent/config.xml as the default URL that Citrix Receiver clients request. If your Citrix Receiver clients use a value that is different from /Citrix/PNAgent/config.xml, you must configure a data group so that APM® can recognize it.
  1. On the Main tab, click Local Traffic > iRules > Data Group List .
    The Data Group List screen opens, displaying a list of data groups on the system.
  2. Click Create.
    The New Data Group screen opens.
  3. In the Name field, type APM_Citrix_ConfigXML.
    Type the name exactly as shown.
  4. From the Type list, select String.
  5. In the Records area, create a string record.
    1. In the String field, type the FQDN of the external virtual server (using lowercase characters only).
      For example, type apps.mycompany.com.
    2. In the Value field, type the value that you use instead of Citrix/PNAgent/config.xml. For example, type /Connect/config.xml.
    3. Click Add.
  6. Click Finished.
    The new data group appears in the list of data groups.

Configuring an internal virtual server

Before configuring an internal virtual server, you need to configure an access profile with default settings.
Configure an internal virtual server to handle requests from the Citrix Web Interface site when it is behind a firewall, using HTTP, or otherwise unable to communicate with an external virtual server.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address for a host virtual server.
    This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
  5. For the Service Port setting, select HTTP or HTTPS.
    The protocol you select must match the protocol you used to configure the authentication service URL on the Web Interface site.
  6. If you are encrypting traffic between the APM and the Citrix Web Interface, for the SSL Profile (Client) setting, select an SSL profile that has an SSL certificate trusted by the Citrix Web Interface.
  7. From the HTTP Profile list, select http.
  8. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  9. In the Access Policy area, from the Connectivity Profile list, select the connectivity profile.
  10. From the VDI Profile list, select a VDI profile.
    You can select the default profile, vdi.
  11. Click Finished.
The access policy is now associated with the virtual server.