Applies To:
BIG-IP APM
- 11.5.1
About Access Policy Manager and Citrix integration types
When integrated with Citrix, Access Policy Manager (APM) performs authentication (and, optionally, uses SmartAccess filters) to control access to Citrix published applications. APM supports these types of integration with Citrix:
- Integration with Web Interface sites
- In this deployment, APM load-balances and authenticates access to Web Interface sites, providing SmartAccess conditions based on endpoint inspection of clients. Web Interface sites communicate with XML Brokers, render the user interface, and display the applications to the client.
- Integration with XML Brokers
- In this deployment, APM does not need a Web Interface site. APM load-balances and authenticates access to XML Brokers, providing SmartAccess conditions based on endpoint inspection of clients. APM communicates with XML Brokers, renders the user interface, and displays the applications to the client.
About Citrix required settings
To integrate Access Policy Manager with Citrix, you must meet specific configuration requirements for Citrix as described here.
- Trust XML Requests
- To support communication with APM, make sure that the Trust XML requests option is enabled in the XenApp AppCenter management console.
- Web Interface site authentication settings
- If you want to integrate APM with a Citrix Web Interface site, make sure that the Web Interface site is configured with these settings:
- Authentication point set to At Access Gateway.
- Authentication method set to Explicit.
- Authentication service URL points to a virtual server on the BIG-IP system; the URL must be one of these:
- http://address of the virtual server/CitrixAuth
- https://address of the virtual server/CitrixAuth (if traffic is encrypted between APM and the Citrix Web Interface site).
The address can be the IP address or the FQDN. If you use HTTPS, make sure to use the FQDN that you use in the SSL certificate on the BIG-IP system.
- Application access control (SmartAccess)
- If you want to control application access with SmartAccess filters through Access Policy Manager, make sure that the settings in the XenApp AppCenter management console for each of the applications you want to control match these:

| Citrix setting | Value |
| --- | --- |
| Allow connections made through Access Gateway | enabled |
| Access Gateway Farm | APM |
| Access Gateway Filter | The value must match the literal string that Access Policy Manager sets during access policy operation (through the Citrix SmartAccess action item) |

Note: The navigation path for application access control is AppCenter > Citrix Resources > XenApp > farm_name > Applications > application_name > Application Properties > Advanced Access Control.
- User access policies (SmartAccess)
- You can control access to certain features, such as Client Drive or Printer Mapping, so that they are permitted only when a certain SmartAccess string is sent to the XenApp server. If you want to control access to such features with SmartAccess filters through Access Policy Manager, you need to create a Citrix User Policy with Access Control Filter in the XenApp AppCenter management console for each feature that you want to control. Make sure that the Access Control Filter settings of the Citrix User Policy match these:

| Citrix setting | Value |
| --- | --- |
| Connection Type | With Access Gateway |
| Access Gateway Farm | APM |
| Access Gateway Filter | The value must match the literal string that Access Policy Manager sets during access policy execution (through the Citrix SmartAccess action item) |

Note: The navigation path for user access policies is AppCenter > Citrix Resources > XenApp > farm_name > Policies > Users > Citrix User Policies > new_policy_name. Choose the feature from Categories and, if creating a new filter, select New Filter Element from Access Control.
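
A pre-deployment check of the Authentication service URL rules listed under the Web Interface site authentication settings above, as an added Python example (not F5 or Citrix code). The function names, the sample addresses and the list of certificate DNS names are assumptions constructed for illustration; a wildcard certificate name is matched on a single left-most label.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: DNS names assumed to be in the BIG-IP SSL certificate.
SAMPLE_CERT_NAMES = ["apm.example.com", "*.vdi.example.com"]

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _name_matches(host, pattern):
    """Compare a host with one certificate DNS name; '*' covers one label only."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return host == pattern

def check_auth_service_url(url, cert_dns_names=()):
    """Return a list of problems; an empty list means the URL meets the rules."""
    problems = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    if not host:
        problems.append("no virtual server address in the URL")
    # The path is compared exactly as the page writes it.
    if parts.path != "/CitrixAuth":
        problems.append("path must be /CitrixAuth")
    if parts.scheme == "https" and host:
        # With HTTPS the page requires the FQDN used in the certificate.
        if _is_ip(host):
            problems.append("HTTPS URL uses an IP address, not the certificate FQDN")
        elif not any(_name_matches(host, n) for n in cert_dns_names):
            problems.append("host %s is not a name in the certificate" % host)
    return problems

if __name__ == "__main__":
    for u in ("http://192.0.2.10/CitrixAuth",
              "https://192.0.2.10/CitrixAuth",
              "https://apm.example.com/CitrixAuth"):
        print(u, check_auth_service_url(u, SAMPLE_CERT_NAMES) or "OK")
```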
About Citrix Receiver requirements for Mac, iOS, and Android clients
To support Citrix Receivers for Mac, iOS, and Android, you must meet specific configuration requirements for the Citrix Receiver client.
- Address field for standard Citrix service site (/Citrix/PNAgent/)
- https://<APM-external-virtual-server-FQDN>
- Address field for custom Citrix service site
- https://<APM-external-virtual-server-FQDN>/custom_site/config.xml, where custom_site is the name of the custom service site
- Access Gateway
- Select the Access Gateway check box and select Enterprise Edition.
- Authentication
- Choose either Domain-only or RSA+Domain authentication.
About Citrix Receiver requirements for Windows and Linux clients
To support Citrix Receiver for Windows and Linux clients, you must meet specific configuration requirements for the Citrix Receiver client, as described here.
- Address field for standard Citrix service site (/Citrix/PNAgent/)
- https://<APM-external-virtual-server-FQDN>
- Address field for custom Citrix service site
- https://<APM-external-virtual-server-FQDN>/custom_site/config.xml, where custom_site is the name of the custom service site.
About Citrix requirements for SmartCard support
Access Policy Manager supports auto logon for XenApp and XenDesktop clients that connect through an APM dynamic webtop. APM supports auto logon using these methods:
- Password-based: APM takes the user password from a Citrix remote desktop resource, and performs single sign-on (SSO) into XenApp or XenDesktop.
- Kerberos: Citrix supports APM takes the user name and domain from an SSO configuration, and uses them to obtain a Kerberos ticket and perform SSO into XenApp.
- SmartCard (two-PIN prompt): A logon page that you configure requests the SmartCard PIN; APM takes the user name from a Citrix remote desktop resource and performs SSO into XenApp or XenDesktop. When the user launches the Citrix application, the Windows login prompt displays an option to enter the SmartCard PIN. Thus, the user enters the PIN twice: once when logging in to APM and once on the Windows login screen when launching an application.
To use Kerberos or SmartCard auto logon options from APM, you must meet specific configuration requirements for Citrix as described here:
- Kerberos: Configure Kerberos Delegation in Active Directory as described in Citrix knowledge article CTX124603.
- SmartCard: Enable SID Enumeration on XenApp and XenDesktop as described in these Citrix knowledge articles: CTX117489 and CTX129968.
About Citrix product terminology
- XenApp server
- Refers to the XML Broker in the farm where Citrix SmartAccess filters are configured and from which applications and features are delivered.
- XenApp AppCenter
- Refers to the management console for a XenApp farm.