Manual Chapter: Citrix Requirements for Integration with APM
Applies To: BIG-IP APM 17.0.0, 16.1.0, 16.0.1, 16.0.0, 15.1.0
About Access Policy Manager and Citrix integration types
When integrated with Citrix, Access Policy Manager® (APM™) performs
authentication (and, optionally, uses SmartAccess filters) to control access to Citrix
published applications. APM supports these types of integration with Citrix:
Integration with Web Interface sites
In this deployment, APM load-balances and authenticates access to Web Interface
sites, providing SmartAccess conditions based on endpoint inspection of clients. Web
Interface sites communicate with XML Brokers, render the user interface, and display
the applications to the client.
Integration with XML Brokers
In this deployment, APM does not need a Web Interface site. APM load-balances and
authenticates access to XML Brokers, providing SmartAccess conditions based on
endpoint inspection of clients. APM communicates with XML Brokers, renders the user
interface, and displays the applications to the client.
About Citrix required settings
To integrate Access Policy Manager® with Citrix, you must meet specific
configuration requirements for Citrix as described here.
Trust XML Requests
To support communication with APM®, make sure that the Trust XML requests
option is enabled in the XenApp AppCenter management console.
Web Interface site authentication settings
If you want to integrate APM with a Citrix Web Interface site, make sure that the Web
Interface site is configured with these settings:
- Authentication point set to At Access Gateway.
- Authentication method set to Explicit.
- Authentication service URL points to a virtual server on the BIG-IP® system; the URL must be one of these:
  - http://address of the virtual server/CitrixAuth
  - https://address of the virtual server/CitrixAuth (if traffic is encrypted between APM and the Citrix Web Interface site).
  The address can be the IP address or the FQDN. If you use HTTPS, make sure to use the FQDN that you use in the SSL certificate on the BIG-IP system.
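The URL rules above can be checked before the value is entered in the Web Interface site. This is an added example, not F5 or Citrix code; the function names, the sample host names and the certificate name list (which the caller supplies, nothing is fetched) are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit


def _name_matches(host, cert_name):
    """Case-insensitive match; a leading '*.' covers exactly one label."""
    host, cert_name = host.lower(), cert_name.lower()
    if cert_name.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == cert_name[2:]
    return host == cert_name


def check_auth_service_url(url, cert_names):
    """Return the problems found in an Authentication service URL.

    cert_names: DNS names taken from the SSL certificate on the BIG-IP
    virtual server (supplied by the caller; nothing is fetched).
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    if parts.path != "/CitrixAuth" or parts.query or parts.fragment:
        problems.append("URL must end in exactly /CitrixAuth")
    host = parts.hostname
    if not host:
        return problems + ["no virtual server address in URL"]
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    if parts.scheme == "https":
        if is_ip:
            problems.append("HTTPS needs the certificate FQDN, not an IP address")
        elif not any(_name_matches(host, n) for n in cert_names):
            problems.append(f"{host} is not a name in the BIG-IP certificate")
    return problems


# Constructed sample values (placeholder names and documentation addresses).
CERT_NAMES = ["apm.example.com"]
SAMPLES = [
    "https://apm.example.com/CitrixAuth",
    "https://192.0.2.10/CitrixAuth",
    "http://192.0.2.10/CitrixAuth",
    "https://apm.example.com/citrixauth",
]
if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", check_auth_service_url(u, CERT_NAMES) or "ok")
```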
Application access control (SmartAccess)
If you want to control application access with SmartAccess filters through Access
Policy Manager, make sure that the settings in the XenApp AppCenter management
console for each of the applications you want to control match these:

| Citrix setting | Value |
| --- | --- |
| Allow connections made through Access Gateway | enabled |
| Access Gateway Farm | APM |
| Access Gateway Filter | The value must match the literal string that Access Policy Manager sets during access policy operation (through the Citrix SmartAccess action item) |

The navigation path for application access
control is AppCenter > Citrix Resources > XenApp > farm_name > Applications >
application_name > Application Properties > Advanced Access Control.
User access policies (SmartAccess)
You can control access to certain features, such as Client Drive or Printer Mapping,
so that they are permitted only when a certain SmartAccess string is sent to XenApp
server. If you want to control access to such features with SmartAccess filters
through Access Policy Manager, you need to create a Citrix User Policy with Access
Control Filter in the XenApp AppCenter management console for each feature that you
want to control. Make sure that the Access Control Filter settings of the Citrix
User Policy match these:

| Citrix setting | Value |
| --- | --- |
| Connection Type | With Access Gateway |
| Access Gateway Farm | APM |
| Access Gateway Filter | The value must match the literal string that Access Policy Manager sets during access policy execution (through the Citrix SmartAccess action item) |

The navigation path for user access policies is
AppCenter > Citrix Resources > XenApp > farm_name > Policies > Users > Citrix
User Policies > new_policy_name. Choose the feature from Categories and, if
creating a new filter, select New Filter Element from Access Control.
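Both SmartAccess tables above depend on the Access Gateway Filter being the literal string that APM sets, so a value that differs only in case or trailing whitespace is worth catching in review. The following audit is an added example, not F5 or Citrix code; the dictionary keys, entry names and filter strings are hypothetical and the data is constructed.

```python
REQUIRED_FARM = "APM"
# Value the first row of each table must hold, per entry kind.
REQUIRED_GATEWAY = {
    "application": "enabled",              # Allow connections made through Access Gateway
    "user_policy": "With Access Gateway",  # Connection Type
}


def audit_filters(entries, apm_strings):
    """Return {entry name: [problems]} for entries that break the tables.

    entries: dicts transcribed from AppCenter with the hypothetical keys
    'name', 'kind', 'gateway', 'farm' and 'filter'.
    apm_strings: strings the Citrix SmartAccess action items set in APM.
    """
    findings = {}
    for e in entries:
        problems = []
        if e["gateway"] != REQUIRED_GATEWAY[e["kind"]]:
            problems.append(f"gateway setting is {e['gateway']!r}")
        if e["farm"] != REQUIRED_FARM:
            problems.append(f"farm is {e['farm']!r}, expected {REQUIRED_FARM!r}")
        if e["filter"] not in apm_strings:
            # A near miss is worth calling out: it looks right in the console
            # but is not the literal string APM sets.
            near = sorted(s for s in apm_strings
                          if s.strip().casefold() == e["filter"].strip().casefold())
            if near:
                problems.append(f"filter {e['filter']!r} is not literally {near[0]!r}")
            else:
                problems.append(f"filter {e['filter']!r} is not set by APM")
        if problems:
            findings[e["name"]] = problems
    return findings


# Constructed sample data; names and filter strings are invented.
APM_STRINGS = {"antivirus_ok", "managed_device"}
ENTRIES = [
    {"name": "Payroll", "kind": "application", "gateway": "enabled",
     "farm": "APM", "filter": "antivirus_ok"},
    {"name": "Notepad", "kind": "application", "gateway": "enabled",
     "farm": "APM", "filter": "AntiVirus_OK "},
    {"name": "Client Drive", "kind": "user_policy", "gateway": "With Access Gateway",
     "farm": "apm", "filter": "unmanaged"},
]
```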
About Citrix Receiver requirements for Mac, iOS, and Android clients
To support Citrix Receivers for Mac, iOS, and Android, you must meet specific
configuration requirements for the Citrix Receiver client.
- Address field for standard Citrix service site (/Citrix/PNAgent/)
  - https://<APM-external-virtual-server-FQDN>
- Address field for custom Citrix service site
  - https://<APM-external-virtual-server-FQDN>/custom_site/config.xml, where custom_site is the name of the custom service site.
- Access Gateway
  - Select the Access Gateway check box and select Enterprise Edition.
- Authentication
  - Choose either Domain-only or RSA+Domain authentication.
About Citrix Receiver requirements for Windows and Linux clients
To support Citrix Receiver for Windows and Linux clients, you must meet specific
configuration requirements for the Citrix Receiver client, as described here.
- Address field for standard Citrix service site (/Citrix/PNAgent/)
  - https://<APM-external-virtual-server-FQDN>
- Address field for custom Citrix service site
  - https://<APM-external-virtual-server-FQDN>/custom_site/config.xml, where custom_site is the name of the custom service site.
About Citrix requirements for Kerberos and SmartCard SSO
Access Policy Manager® (APM®) supports single sign-on (SSO) for
XenApp and XenDesktop clients that connect through an APM dynamic webtop. SSO for XenApp
is supported with the Kerberos SSO method. SSO for XenDesktop is supported with either
the Kerberos SSO or the SmartCard method.
To use the SSO options that APM supports, you must meet specific configuration
requirements for Citrix as described here:
- Kerberos: Configure Kerberos Delegation in Active Directory as described in Citrix knowledge article CTX124603.
- SmartCard: Enable SID Enumeration on XenApp and XenDesktop as described in these Citrix knowledge articles: CTX117489 and CTX129968.
About Citrix product terminology
- XenApp server
  - Refers to the XML Broker in the farm where Citrix SmartAccess filters are configured and from which applications and features are delivered.
- XenApp AppCenter
  - Refers to the management console for a XenApp farm.
The names of the Citrix products and components that
provide similar services might be different in your configuration. Refer to
AskF5™ (support.f5.com) to identify the supported version of Citrix in the
compatibility matrix for the Access Policy Manager® version that you
have. Then refer to version-specific Citrix product documentation for Citrix
product names and features.
About Wyse Xenith Zero client character set settings
On Citrix XenApp or StoreFront servers, administrators can provide application names
using various languages, some of which use non-ASCII character sets. When using a
supported Wyse Xenith Zero client with F5® BIG-IP® APM®
Secure Proxy, if an application name was specified using a non-ASCII character set, it
can display as ????. If this occurs, it indicates a mismatch between that character set
and the character set configured for the keyboard in the peripheral settings on the
client.
To view an application name in its correct format, the character set configured for the
keyboard on the client must match the language in which the name is specified on the
server.
For example, for an application name that is specified in Arabic on the server,
peripheral settings for the keyboard on the client must specify character set cp1256.
Similarly, for an application name in Cyrillic on the server, the character set
specified on the client must be cp1251. Refer to product documentation for the Wyse
Xenith Zero client for definitive information.
About Citrix StoreFront proxy support
On Citrix XenApp or StoreFront servers, administrators can use StoreFront proxy with
native protocol. APM administrators can use either Secure Ticket Authority (STA) tickets
or ICA patching, but need to configure both APM and StoreFront.
In STA ticket mode, the admin must meet the following requirements:
- APM acts as a gateway, and the admin uses it to enable remote access to the StoreFront store clients the admin connects to
- The STA server address is required on both APM and StoreFront
In ICA patching mode, the admin must ensure that APM does not act as a gateway in
StoreFront. Besides that, ICA patching mode clients can access all StoreFront stores.
Configuring APM as a gateway can break the client authentication.