citrix storefront + smart access + apm
Does anyone have this working? I'm trying to get smart access policies to work with StoreFront 2.6 using v2.2 of the Citrix iApp...and every possible configuration I've tried does NOT work. I've followed the guide step by step. F5 support has not responded to me for weeks. I've verified this configuration works with NetScaler and the smart access also works from the same F5 device utilizing the webtop instead of StoreFront...I've also verified the variables are being set by's just not passing through to StoreFront...
1.3K Views, 0 likes, 9 Comments

Storefront logout and re-authenticate with no prompt for credentials
Hi, We've recently integrated Citrix StoreFront with F5 (11.6.2) by using the iApp. Everything works great, but we have an issue with authentication to StoreFront once a user logs off from Citrix: users are able to log on without being prompted for username and password when they click on logon. We are using Imprivata for RADIUS and its MFA. Any help would be much appreciated. FYI: no user sessions should be terminated after logout is enabled.
332 Views, 0 likes, 0 Comments

Support for 2 different Citrix farms on one Virtual Server
Hi All, We are currently using a BIG-IP APM device to allow external access to our XenApp 6.0 farm with Web Interface. Basically, we are using the BIG-IP as a NetScaler replacement. We are in the process of trying to roll out a XenDesktop 7.8 implementation using Store Front. My problem comes with trying to support both environments using a single Virtual Server. Right now, we have an SSO form and an iRule in place for the 6.0/Web Interface farm. The SSO Configuration is applied to the Access Policy and the iRule is applied to the Virtual Server. This is problematic, since I can't think of a way to provide support for both environments at the same time. I can either support one or the other by changing the SSO Configuration and the iRule, but applying the set for the 6.0 farm breaks the 7.8 farm and vice versa. What I am trying to determine is if there is any other way to apply the SSO Configuration and the iRule based on a user's role, rather than at the VS and Access Policy level. In my access policy I do an AD group membership check for a group called "XEN 7 Users". If my user is in that group, I can then assign them some SSO credentials and the StoreFront Pool. If they are not in the "XEN 7 Users" group, they get assigned SSO credentials and the Web Interface pool. However, if they are in the "XEN 7 Users" group, but the SSO config and iRule for the Web Interface are in place, they can't access the Store Front servers. Is there some way I could assign SSO configurations and iRules based on the user's role, rather than to the Access Policy and Virtual Server? I am looking to get a little more granular. Thanks, I hope this was clear.
-John
310 Views, 0 likes, 1 Comment

Citrix APM 11.5.1 HF8 Citrix Client download Bundle not working
I am experiencing something weird while implementing APM with Citrix Storefront: when I try to access the F5 APM published page and the client does not contain the Citrix Receiver client, the APM should redirect the client to the location where the client can be downloaded. Everything else is working correctly. This is Spanish for not having received any data (Empty response). First we tried to change the Citrix Client Bundle to the internal installation package and it shows the aforementioned error. When trying to change it to an external link, it does not change the download location; in other words, the problem persists. One thing I'm not clear on is how exactly this object is linked to the APM Access policy or webtop. Something similar is explained in this article

XenApp iApp APM with Storefront - Cross Access Profile SSO
We've deployed the XenApp iApp in the configuration using APM to send traffic to Storefront. When deploying the iApp, I allowed it to create the APM access profile. I have since noticed that SSO between our Webtop AP and our Citrix AP doesn't appear to be working. The Access Profile SSO Domain Cookie has the same value across both Access Profiles (ex., but when clicking the Storefront link (Webtop Link - Application URI ex. from the webtop, you are redirected to the F5 login page for the Storefront Access Profile. Has anyone else seen this behavior? Any ideas how to get SSO from the webtop into the Storefront AP working? I've also noticed that if I log into Storefront first, and open a new browser tab to the webtop, I immediately get a Connection Reset message.
349 Views, 0 likes, 5 Comments

APM Citrix tidy session termination
Hi, I have used the f5.citrix_xenapp_xendesktop.2012_06_27 iApp to migrate remote access to our Citrix Xenapp and Xendesktop environment through F5's running APM and 11.3 HF6. We have kept the Citrix Web Interface in place as the business had already invested in the Storefront upgrade (I initially was connecting to Web Interface but the Storefront upgrade has now been rolled out). I am confused about how the iApp achieves a tidy close down of a remote session. Obviously there is an iRule that looks for a URI to be passed back from the Web Interface \ Storefront that contains "loggedout". I am fine with the mechanics of how this works, but what I am confused about is that this doesn't seem the most intuitive way of doing things. Also, Storefront does not redirect to a URI that contains "loggedout"; it just dynamically changes the web page to say "logged out" in the body of the page. The reason I think this is not intuitive is that we had a 20 minute timeout on our Web Interface - i.e. you get redirected to the "loggedout" URI after 20 if you had a remote desktop session running but idle you get thrown off after 20 minutes. Our Citrix session idle timeout is 3 ok fine change the timeout on Web Interface to be 3 hours...but isn't this a bit of a security risk?...somebody could be working on a public machine and close down their remote session but forget to log off from Web Interface. The imperfect workaround I have in place at the moment is to reduce the inactivity timeout under the access policy to 60 seconds. This gives users enough time to select a remote session upon logon, the timeout gets constantly reset during their session, it also gives them enough time to log off from a session and select another one, and it is also sufficiently low that it doesn't matter whether they click logoff from Web-UI \ Storefront or close the browser...after 60 seconds the session is dead.
The downside of this is that test users have noticed that they can click logoff but then immediately re-target the URL and get straight back in without authenticating, which obviously isn't great. I am happy to hear if I am missing the point or something obvious; it just seems that the iRule to check for a URI that contains "loggedout" will not work for us. Also, as mentioned, I do not think this will work at all with Storefront. Any advice greatly appreciated!
691 Views, 0 likes, 15 Comments

iOS Receiver w/APM & StoreFront 1.2
Hi, I'm having some issues using APM as a replacement for Citrix Access Gateway. I have followed the VDI 1.1.0RC2 deployment guide, and have a config that works in Safari, but not using native Receiver. We're using two factor, domain and token (non-RSA). I've manually created a Receiver profile using https:///Citrix//PNAgent/config.xml, which matches the Legacy Support URL in StoreFront. Other settings are Access Gateway, Enterprise Edition, Security Token = on, Domain + Security Token. I get an error 'Could not Log On. The address given did not provide a valid App list...'. I did a packet capture and I can see an initial GET to the full URL (/Citrix//PNAgent/config.xml) along with a 200 back, but subsequent GETs use the default (/Citrix/PNAgent/config.xml); these will be 302d back to the correct URL, but are always followed by a POST to /Citrix/PNAgent/enum.aspx, which 404s. I'm not sure if I am missing something to rewrite the contents of the config.xml file, or to manually specify it somewhere (or if my Receiver config is even correct!). I have created an iRule Data Group as the doc indicates, using APM_Citrix_ConfigXML, with String = , Value = /Citrix//PNAgent/config/xml. This doesn't seem to influence the behaviour in any way. Note: the doco says to use the Store WEB URL as the value, which seems wrong to me; the config.xml path makes more sense. Anyway, any help or pointers would be greatly appreciated, version info below, thanks!
Versions: iPad 2 6.1.3 Receiver 5.8.2 LTM/APM 11.4 HF3 Storefront Redirects and Storefront
Hi, I would like to redirect users back to my APM logon page when the APM inactivity timeout expires and the user subsequently clicks a link on the Storefront page (or better yet the redirect happens automatically). Seemed straightforward enough, but HTTP redirects do not work. I can see the client receiving the redirect but it is not acted upon. I think this is to do with the fact that POSTs are used when you click a link on Storefront, but maybe also that iframes are (maybe?) in use? But to be honest I'm not sure - it's beyond this simple network engineer's understanding of web coding! Could somebody shed some light on a solution please?
254 Views, 0 likes, 3 Comments