Applies To:
BIG-IP APM
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
About Access Policy Manager and Citrix integration types
When integrated with Citrix, Access Policy Manager (APM) performs authentication (and, optionally, uses SmartAccess filters) to control access to Citrix published applications. APM supports these types of integration with Citrix:
- Integration with Web Interface sites
- In this deployment, APM load-balances and authenticates access to Web Interface sites, providing SmartAccess conditions based on endpoint inspection of clients. Web Interface sites communicate with XML Brokers, render the user interface, and display the applications to the client.
- Integration with XML Brokers
- In this deployment, APM does not need a Web Interface site. APM load-balances and authenticates access to XML Brokers, providing SmartAccess conditions based on endpoint inspection of clients. APM communicates with XML Brokers, renders the user interface, and displays the applications to the client.
About Citrix required settings
To integrate Access Policy Manager with Citrix, you must meet specific configuration requirements for Citrix as described here.
- Trust XML Requests
- To support communication with APM, make sure that the Trust XML requests option is enabled in the XenApp AppCenter management console.
- Web Interface site authentication settings
- If you want to integrate APM with a Citrix Web Interface site, make sure that the Web Interface site is configured with these settings:
- Authentication point set to At Access Gateway.
- Authentication method set to Explicit.
- Authentication service URL points to a virtual server on the BIG-IP system; the URL must be one of these:
- http://<address of the virtual server>/CitrixAuth
- https://<address of the virtual server>/CitrixAuth (if traffic is encrypted between APM and the Citrix Web Interface site).
The address can be the IP address or the FQDN. If you use HTTPS, make sure to use the FQDN that you use in the SSL certificate on the BIG-IP system.
- Application access control (SmartAccess)
- If you want to control application access with SmartAccess filters through Access Policy Manager, make sure that the settings in the XenApp AppCenter management console, for each of the applications you want to control, match these:

| Citrix setting | Value |
| --- | --- |
| Allow connections made through Access Gateway | enabled |
| Access Gateway Farm | APM |
| Access Gateway Filter | The value must match the literal string that Access Policy Manager sets during access policy operation (through the Citrix SmartAccess action item) |

Note: The navigation path for application access control is AppCenter > Citrix Resources > XenApp > farm_name > Applications > application_name > Application Properties > Advanced Access Control.
- User access policies (SmartAccess)
- You can control access to certain features, such as Client Drive or Printer Mapping, so that they are permitted only when a certain SmartAccess string is sent to the XenApp server. If you want to control access to such features with SmartAccess filters through Access Policy Manager, you need to create a Citrix User Policy with an Access Control Filter in the XenApp AppCenter management console for each feature that you want to control. Make sure that the Access Control Filter settings of the Citrix User Policy match these:

| Citrix setting | Value |
| --- | --- |
| Connection Type | With Access Gateway |
| Access Gateway Farm | APM |
| Access Gateway Filter | The value must match the literal string that Access Policy Manager sets during access policy execution (through the Citrix SmartAccess action item) |

Note: The navigation path for user access policies is AppCenter > Citrix Resources > XenApp > farm_name > Policies > Users > Citrix User Policies > new_policy_name. Choose the feature from Categories and, if creating a new filter, select New Filter Element from Access Control.
About Citrix Receiver requirements for Mac, iOS, and Android clients
To support Citrix Receivers for Mac, iOS, and Android, you must meet specific configuration requirements for the Citrix Receiver client.
- Address field for standard Citrix service site (/Citrix/PNAgent/)
- https://<APM-external-virtual-server-FQDN>
- Address field for custom Citrix service site
- https://<APM-external-virtual-server-FQDN>/custom_site/config.xml, where custom_site is the name of the custom service site.
- Access Gateway
- Select the Access Gateway check box and select Enterprise Edition.
- Authentication
- Choose either: Domain-only or RSA+Domain authentication
About Citrix Receiver requirements for Windows and Linux clients
To support Citrix Receiver for Windows and Linux clients, you must meet specific configuration requirements for the Citrix Receiver client, as described here.
- Address field for standard Citrix service site (/Citrix/PNAgent/)
- https://<APM-external-virtual-server-FQDN>
- Address field for custom Citrix service site
- https://<APM-external-virtual-server-FQDN>/custom_site/config.xml, where custom_site is the name of the custom service site.
About Citrix requirements for SmartCard support
Access Policy Manager supports auto logon for XenApp and XenDesktop clients that connect through an APM dynamic webtop. APM supports auto logon using these methods:
- Password-based: APM takes the user password from a Citrix remote desktop resource, and performs single sign-on (SSO) into XenApp or XenDesktop.
- Kerberos: Citrix supports APM takes the user name and domain from an SSO configuration, and uses them to obtain a Kerberos ticket and perform SSO into XenApp.
- SmartCard (two-PIN prompt): A logon page that you configure requests the SmartCard PIN; APM takes the user name from a Citrix remote desktop resource and performs SSO into XenApp or XenDesktop. When the user launches the Citrix application, the Windows login prompt displays an option to enter the SmartCard PIN. Thus, the user enters the PIN twice: once when logging in to APM and once on the Windows login screen when launching an application.
To use Kerberos or SmartCard auto logon options from APM, you must meet specific configuration requirements for Citrix as described here:
- Kerberos: Configure Kerberos Delegation in Active Directory as described in Citrix knowledge article CTX124603.
- SmartCard: Enable SID Enumeration on XenApp and XenDesktop as described in these Citrix knowledge articles: CTX117489 and CTX129968.
About Citrix product terminology
- XenApp server
- Refers to the XML Broker in the farm where Citrix SmartAccess filters are configured and from which applications and features are delivered.
- XenApp AppCenter
- Refers to the management console for a XenApp farm.
About Wyse Xenith Zero client character set settings
On Citrix XenApp or StoreFront servers, administrators can provide application names using various languages, some of which use non-ASCII character sets. When using a supported Wyse Xenith Zero client with F5 BIG-IP APM Secure Proxy, if an application name was specified using a non-ASCII character set, it can display as ????. If this occurs, it indicates a mismatch between that character set and the character set configured for the keyboard in the peripheral settings on the client.
To view an application name in its correct format, the character set configured for the keyboard on the client must match the language in which the name is specified on the server.
For example, for an application name that is specified in Arabic on the server, peripheral settings for the keyboard on the client must specify character set cp1251. Similarly, for an application name in Cyrillic on the server, the character set specified on the client must be cp1256. Refer to product documentation for the Wyse Xenith Zero client for definitive information.
About Citrix StoreFront proxy support
On Citrix XenApp or StoreFront servers, administrators can use StoreFront proxy with native protocol. APM administrators can use either Secure Ticket Authority (STA) tickets or ICA patching, but need to configure both APM and StoreFront.
- APM acts as a gateway, and the admin uses it to enable remote access to the StoreFront store clients the admin connects to
- The STA server address is required on both APM and StoreFront
In ICA patching mode, the admin must ensure that APM does not act as a gateway in StoreFront. Besides that, ICA patching mode clients can access all StoreFront stores. Configuring APM as a gateway can break the client authentication.