
Deploying the BIG-IP LTM and APM v11 with Citrix XenApp or PDF

81 Pages·2016·2.89 MB·English


F5 Deployment Guide

Deploying F5 with Citrix XenApp or XenDesktop

Welcome to the F5 deployment guide for Citrix® VDI applications, including XenApp® and XenDesktop® with the BIG-IP system v13.1 and later. This guide shows how to configure the BIG-IP Local Traffic Manager (LTM), Access Policy Manager (APM), and Advanced Firewall Manager (AFM) for delivering a complete remote access and intelligent traffic management solution that ensures application availability, improves performance and provides a flexible layer of security for Citrix VDI deployments.

This document contains guidance on configuring the BIG-IP APM for two factor authentication with RSA SecurID, as well as supporting smart card authentication.

This guide and associated iApp template replaces the previous guides and iApps for Citrix XenApp and LTM, Citrix XenDesktop and LTM, and both XenApp and XenDesktop with BIG-IP APM.

Products and versions

Product | Versions
BIG-IP LTM, APM, AFM | 13.1 - 17.0
Citrix XenApp, Citrix XenDesktop, and Citrix StoreFront | Because not all BIG-IP versions support all Citrix versions, we are removing version numbers from this guide, and instead refer to the APM Client Compatibility Matrix for your BIG-IP version. To access the matrix, go to https://support.f5.com/csp/tech-documents, from the Product list, select BIG-IP APM, choose your version, and clear all but the Manual checkbox. Click View Selected. In the search results, look for BIG-IP APM Client Compatibility Matrix to view the supported versions.
iApp Template version | f5.citrix_vdi.v2.4.6
Deployment Guide version | 2.4 (see Document Revision History)
Last updated | 17-08-2022

Note: Make sure you are using the most recent version of this deployment guide, available at http://f5.com/pdf/deployment-guides/citrix-vdi-iapp-dg.pdf

If you are looking for older versions of this or other deployment guides, check the Deployment Guide Archive tab at: https://f5.com/solutions/deployment-guides/archive-608

To provide feedback on this deployment guide or other F5 solution documents, contact us at [email protected].

Contents

What is F5 iApp?
Prerequisites and configuration notes
Service ports used by Citrix with the BIG-IP system
Deployment Scenarios
Using the BIG-IP APM with Dynamic Webtops to replace Web Interface or StoreFront servers
Using the BIG-IP APM and Web Interface or StoreFront servers
Using the BIG-IP LTM
Downloading and importing the new iApp template
Upgrading an Application Service from previous version of the iApp template
Configuring the BIG-IP iApp for Citrix XenApp or XenDesktop
Modifying the Citrix configuration
Next steps
Modifying DNS settings to use the BIG-IP virtual server address
Modifying the iApp configuration
Viewing statistics
Troubleshooting
Configuring the BIG-IP system for Citrix using BIG-IP APM and Route Domains
Configuring SmartAccess in the Citrix Broker
SmartAccess configuration for Citrix
Additional steps if integrating with StoreFront or Web Interface servers
Appendix A: Citrix server changes required to support smart card authentication
Appendix B: Manual configuration table
BIG-IP APM configuration table
Health monitor configuration
Editing the Access Profile with the Visual Policy Editor
Manually configuring the BIG-IP Advanced Firewall Module to secure your Citrix deployment
Configuring additional BIG-IP settings
Document Revision History

Why F5

While Citrix XenApp and XenDesktop products provide users with the ability to deliver applications “on-demand to any user, anywhere,” the BIG-IP secures and scales the environment, and can act as a replacement for Web Interface or StoreFront servers.

In a Citrix environment, the BIG-IP LTM provides intelligent traffic management and high-availability by monitoring and managing connections to the Citrix Web Interface or StoreFront servers and the Citrix XML Broker or Desktop Delivery Controller (DDC) components. In addition, the built-in performance optimization capabilities of the LTM provide faster operations to facilitate a better end-user experience. The LTM also keeps persistence records for certain connections to always be directed to the same server for a specified period of time, to ensure that the workflow in the Citrix environment is fully preserved.

Additionally, the BIG-IP system can securely proxy Citrix ICA traffic, using TCP optimization profiles which increase overall network performance for your application. You also have the option to configure the BIG-IP APM with smart card authentication or with two factor authentication using RSA SecurID. For an additional layer of security, you can use the BIG-IP Advanced Firewall Manager (AFM).

The classic deployment of Citrix XenApp and XenDesktop allows organizations to centralize applications; this guide describes configuring access and delivering applications as needed with the BIG-IP system.

What is F5 iApp?

New to BIG-IP version 11, F5 iApp is a powerful new set of features in the BIG-IP system that provides a new way to architect application delivery in the data center, and it includes a holistic, application-centric view of how applications are managed and delivered inside, outside, and beyond the data center. The iApp template for Citrix VDI acts as the single-point interface for building, managing, and monitoring these Citrix deployments.
For more information on iApp, see the F5 iApp: Moving Application Delivery Beyond the Network White Paper: http://www.f5.com/pdf/white-papers/f5-iapp-wp.pdf.

Prerequisites and configuration notes

The following are general prerequisites and configuration notes for this guide:

► The configuration described in this deployment guide is supported by F5. F5 Technical support can help validate the configuration described in this guide if necessary, but your environment may have other factors which may complicate the configuration. If you need additional guidance or help with configuration that is not included in this guide, we recommend you consult your F5 FSE, check DevCentral (https://devcentral.f5.com/) and AskF5 (https://support.f5.com/), or contact F5 Professional Services (https://f5.com/support/professional-services) to discuss a consulting engagement. If you believe you have found an error in this guide, contact us at [email protected].

► This guide was written for the Citrix versions called out in the table on page 1. If you are using a previous version, see the deployment guide index on F5.com (https://f5.com/solutions/deployment-guides).

► The previous Citrix deployment guide for iApp version 2.3.0 has been archived. See the Archive tab if you need to view that document: https://f5.com/solutions/deployment-guides/archive-608

► IMPORTANT: If you are using two-factor authentication, be sure to see Modifying the configuration if using two-factor auth and BIG-IP 11.6 HF-5 or later HF on page 33.

► This document is written with the assumption that you are familiar with both F5 devices and Citrix XenApp or XenDesktop products. For more information on configuring these devices, consult the appropriate documentation.

► For this deployment guide, the BIG-IP system must be running version 11.4 or later. Version 11.4 has a number of fixes, features, and performance enhancements not found in earlier v11 versions. If you are using a previous version of the BIG-IP LTM system, see the Deployment Guide index on F5.com. This guide does not apply to previous versions.

► The majority of this document provides guidance for the iApp for your Citrix deployment. For users familiar with the BIG-IP system, there are manual configuration tables at the end of this guide. Because of the complexity of the configuration, we strongly recommend using the iApp template.

► If using APM versions 11.6.0 - 11.6.0 HF3, 11.5.0 - 11.5.2 HF1, or 11.4.1 - 11.4.1 HF8, you may experience an out-of-bounds memory vulnerability. See https://support.f5.com/kb/en-us/solutions/public/k/43/sol43552605.html for complete information.

► You can optionally configure the APM with smart card authentication or with two-factor authentication using RSA SecurID.
  » If deploying two factor authentication using SecurID, you must have an existing SecurID AAA Server object on the BIG-IP APM to use this option. This AAA Server must include your SecurID Configuration file. You must also configure the BIG-IP system as a standard authoritative agent on the RSA Authentication server. For specific information on configuring the RSA server, consult the appropriate RSA documentation.
  » If deploying smart card authentication, be sure to see Appendix A: Citrix server changes required to support smart card authentication on page 42. Note we currently do not support smart card authentication with StoreFront versions prior to 2.5; only Web Interface server 5.4 and StoreFront 2.5 and later are supported.

► In the configuration described in this guide, domain pass-through is required if using smart cards with Kerberos authentication. Domain pass-through is only supported in StoreFront 2.5 and later, therefore previous versions of StoreFront are not supported for this scenario.

► If using Web Interface servers, Citrix Session configuration must be set to Direct mode (see Figure 1). For specific information on configuring the Citrix Session mode, see the Citrix documentation.

► The iApp template now supports using the BIG-IP Manager role to deploy the iApp template for LTM and some APM features. When deploying with the Manager role, the iApp does not show any APM two-factor authentication options.

► If your SSL key is password protected, it will not appear as a selectable option in the iApp template. To use a password protected key, you must manually create a Client SSL profile outside the iApp template and then select it from the list. See Local Traffic > Profiles > SSL > Client to create a Client SSL profile. You can add the passphrase while creating the profile.

► In BIG-IP v13.1 and later, full StoreFront replacement mode is supported and configurable in the iApp template.

Service ports used by Citrix with the BIG-IP system

Use the following table for guidance on which ports should be open on your Firewall to allow traffic to and from the BIG-IP system. This table is provided for reference only; consult your firewall administrator for details.
Firewall Port table

Configuration | Service or Protocol Name | Port | Source | Destination
Storefront or Web 5.4 server replacement using APM | Secure Web Connections | 443 | Citrix Receiver Client Network | BIG-IP Virtual Server Address for Client Connections
Storefront or Web 5.4 server replacement using APM | Web Connections (secure or insecure) | 443 or 80 | BIG-IP | Citrix XML or DDC servers
Storefront or Web 5.4 server replacement using APM | ICA Display Protocol | 1494 or 2598 (if session reliability enabled) | BIG-IP | Application and Virtual Desktop Resources
Storefront or Web 5.4 server integration using APM | Secure Web Connections | 443 | Citrix Receiver Client Network | BIG-IP Virtual Server Address for Client Connections
Storefront or Web 5.4 server integration using APM | Web Connections (secure or insecure) | 443 or 80 | StoreFront or Web 5.4 Servers | BIG-IP XML VS address
Storefront or Web 5.4 server integration using APM | Web Connections (secure or insecure) | 443 or 80 | BIG-IP | Citrix XML or DDC servers
Storefront or Web 5.4 server integration using APM | Web Connections (secure or insecure) | 443 or 80 | BIG-IP | StoreFront or Web 5.4 Servers
Storefront or Web 5.4 server integration using APM | ICA Display Protocol | 1494 or 2598 (if session reliability enabled) | BIG-IP | Application and Virtual Desktop Resources
Load Balancing only using LTM | Secure Web Connections | 443 | Citrix Receiver Client Network | BIG-IP Virtual Server Address for Client Connections
Load Balancing only using LTM | Web Connections (secure or insecure) | 443 or 80 | StoreFront or Web 5.4 Servers | BIG-IP XML VS address
Load Balancing only using LTM | Web Connections (secure or insecure) | 443 or 80 | BIG-IP | Citrix XML or DDC servers
Load Balancing only using LTM | Web Connections (secure or insecure) | 443 or 80 | BIG-IP | StoreFront or Web 5.4 Servers
Load Balancing only using LTM | ICA Display Protocol | 1494 or 2598 (if session reliability enabled) | Citrix Receiver Client Network | Application and Virtual Desktop Resources

Deployment Scenarios

This section describes the three main scenarios described in this document.

Using the BIG-IP APM with Dynamic Webtops to replace Web Interface or StoreFront servers

In this scenario, the BIG-IP APM Dynamic Presentation Webtop functionality is used to replace the Citrix Web Interface or StoreFront tier. With BIG-IP APM, a front-end virtual server is created to provide security, compliance and control. The iApp template configures the APM using Secure ICA Proxy mode.
In secure ICA proxy mode, no F5 BIG-IP APM client is required for network access. The BIG-IP system uses SSL on the public (non-secure) network and ICA to the servers on local (secure) network.

Through the setup of a secure proxy that traverses APM, remote access for user sessions originating from desktops or mobile devices is possible. Secure proxy mode has many benefits to both users and administrators. For administrators, APM user authentication is tied directly to Citrix’s Active Directory store allowing for compliance and administrative control. For users, TCP optimization and application delivery, plus the need for only the Citrix client, creates a fast and efficient experience.

[Diagram labels: Clients, Internet or WAN, Internal Citrix clients, BIG-IP Platform (LTM, APM), Proxy ICA Traffic, Citrix Application Servers (ICA) or Virtual Desktops, Citrix XML Broker or DDC Servers, Internal Network]
Figure 1: Using the BIG-IP APM to replace the Web Interface or StoreFront servers

Using the BIG-IP APM and Web Interface or StoreFront servers

This scenario is very similar to the previous one. However, in this example, the BIG-IP APM, while still proxying ICA traffic and authenticating users, is not replacing the Web Interface or StoreFront devices.

[Diagram labels: Clients, Internet or WAN, Internal Citrix clients, BIG-IP Platform (LTM, APM), Proxy ICA Traffic, Citrix Web Interface or StoreFront Servers, Citrix Application Servers (ICA) or Virtual Desktops, Citrix XML Broker or DDC Servers, Internal Network]
Figure 2: Using the BIG-IP APM with Web Interface or StoreFront servers

Using the BIG-IP LTM

This configuration example describes the typical configuration of the BIG-IP LTM system to monitor and manage the critical components of a Citrix XenApp or XenDesktop environment, namely the Web Interface or StoreFront servers and the XML Broker or DDC servers.
In this implementation, traffic to the Citrix Web Interface or StoreFront servers and the Citrix XML Broker or DDC servers is managed by the F5 BIG-IP LTM system, and when necessary, ensures that each client connects to the same member of the farm across multiple sessions using persistence on the BIG-IP LTM. The F5 BIG-IP LTM system is also set up to monitor the Citrix Web Interface servers and Citrix XML Broker servers to ensure availability and automatically mark down servers that are not operating correctly. The ability to terminate SSL sessions in order to offload this processing from the Citrix devices is also available with a simple addition of the Client SSL profile to the web interface virtual server referred to in this guide.

[Diagram labels: Clients, Internet or WAN, Internal Citrix clients, BIG-IP Platform (LTM), Citrix Web Interface or StoreFront Servers, BIG-IP Platform (LTM), Citrix XML Brokers hosting published applications or Citrix XenDesktop Delivery Controllers (DDC), Internal Network]
Figure 3: Logical configuration example

Downloading and importing the new iApp template

The first task is to download and import the new Citrix XenApp and XenDesktop iApp template.

To download and import the iApp

1. Open a web browser and go to downloads.f5.com.
2. Click Find a Download.
3. In the BIG-IP F5 Product Family section, click iApp Templates.
4. On the Product Version and Container page, click iApp-Templates.
5. Accept the EULA, and then download the iapps zip file to a location accessible from your BIG-IP system.
6. Extract (unzip) the f5.citrix_vdi.v<latest version>.tmpl file.
7. Log on to the BIG-IP system web-based Configuration utility.
8. On the Main tab, expand iApp, and then click Templates.
9. Click the Import button on the right side of the screen.
10. Click a check in the Overwrite Existing Templates box.
11. Click the Browse button, and then browse to the location you saved the iApp file.
12. Click the Upload button.
The iApp is now available for use.

Upgrading an Application Service from previous version of the iApp template

If you configured your BIG-IP system using a previous version of the downloadable iApp template, we strongly recommend you upgrade the iApp template to this current version.

When you upgrade to the current template version, the iApp retains all of your settings for use in the new template where applicable. You may notice new questions, or questions that have been removed. For example, in v2.4.0 and later, the SNAT Pool questions no longer appear.

To upgrade an Application Service to the current version of the template

1. On the Main tab, expand iApp and then click Application Services.
2. From the list, click the name of the Citrix Application Service you created using the previous version of the template.
3. On the Menu bar, click Reconfigure.
4. In the Template Selection area, from the Template row, click the Change button.
5. From the Template list, select the new Citrix iApp template you downloaded.
6. Review the answers to your questions in the iApp. You may modify any of the other settings as applicable for your implementation. Use the inline help and this deployment guide for information on specific settings.
7. Click Finished. The upgrade is now complete and all applicable objects appear in the Component view.

Configuring the BIG-IP iApp for Citrix XenApp or XenDesktop

Use the following guidance to help you configure the BIG-IP system for XenApp or XenDesktop using the BIG-IP iApp template.

Getting Started with the iApp

To begin the iApp Template, use the following procedure.

To start the iApp template

1. Log on to the BIG-IP system.
2. On the Main tab, expand iApp, and then click Application Services.
3. Click Create. The Template Selection page opens.
4. In the Name box, type a name. In our example, we use Citrix-XenApp-.
5. From the Template list, select f5.citrix_vdi.v<latest version>.
The Citrix template opens.

Advanced options

If you select Advanced from the Template Selection list, you see Sync and Failover options for the application. This feature, new to v11, is a part of the Device Management configuration. This functionality extends the existing High Availability infrastructure and allows for clustering, granular control of configuration synchronization and granular control of failover. For more information on Device Management, see the Online Help or product documentation.

1. Device Group
  To select a specific Device Group, clear the Device Group check box and then select the appropriate Device Group from the list.
2. Traffic Group
  To select a specific Traffic Group, clear the Traffic Group check box and then select the appropriate Traffic Group from the list.

General

This section of the iApp template asks general questions about the deployment and iApp options.

1. Do you want to see inline help?
  Select whether you want to see informational and help messages inline throughout the template. If you are unsure, we recommend leaving the default, Show inline help text. Important and critical notes are always shown, no matter which selection you make.
  • Yes, show inline help text
    Select this option to show inline help for most questions in the template.
  • No, do not show inline help text
    Select this option if you do not want to see inline help. If you are familiar with this iApp template, or with the BIG-IP system in general, select this option to hide the inline help text.

2. Which configuration mode do you want to use?
  Select whether you want to use F5 recommended settings, or have more granular, advanced options presented.
  • Basic - Use F5’s recommended settings
    In basic configuration mode, options like load balancing method, parent profiles, and settings are all set automatically.
    The F5 recommended settings come as a result of extensive testing with Citrix applications, so if you are unsure, choose Basic.
  • Advanced - Configure advanced options
    In advanced configuration mode, you have more control over individual settings and objects, such as server-side optimizations and advanced options like Slow Ramp Time and Priority Group Activation. You can also choose to attach iRules you have previously created to the Citrix application service. This option provides more flexibility for advanced users.
    Advanced options in the template are marked with the Advanced icon. If you are using Basic/F5 recommended settings, you can skip the questions with this icon.

3. Use APM to securely proxy application (ICA) traffic and authenticate users into your Citrix environment?
  Select whether you are using BIG-IP APM to securely proxy application traffic and authenticate users.
  • Yes, proxy ICA traffic and authenticate users with the BIG-IP
    If you select Yes, you must have APM fully licensed and provisioned on this system. Later in the iApp, you have the option of configuring this BIG-IP system to proxy ICA traffic and authenticate users and then send traffic directly to the Citrix servers.
    While not a part of this iApp template and outside the scope of this document, you could alternatively configure the system to send traffic to a separate BIG-IP system running LTM. To accomplish this, you would configure the APM device with a single pool member: the IP address of a BIG-IP running LTM.
  • No, do not proxy ICA traffic and authenticate users with the BIG-IP
    If you select No, the iApp configures the BIG-IP system for intelligent traffic direction and high availability for the Citrix servers. Later in the iApp you have the option of directing all ICA traffic through this BIG-IP system for security, logging, or network topology purposes.

4. What is the Active Directory NetBIOS Domain Name used for your Citrix servers?
  Type the Active Directory Domain name in NetBIOS format. This is the Windows domain used to authenticate Citrix user accounts.

BIG-IP Access Policy Manager

If you chose to proxy ICA traffic and authenticate users with the BIG-IP system, in this section you configure the BIG-IP APM options. If you do not see this section, continue with Virtual Server for Web Interface or StoreFront Servers on page 18.

1. Should the BIG-IP APM support smart card authentication for Citrix access?
  The BIG-IP APM supports clients authenticating to the Citrix Web Interface or StoreFront servers using smart cards. Select whether your Citrix clients will use smart cards to access the Citrix implementation. Smart card authentication is not supported when using StoreFront versions prior to 2.5; only Web Interface server 5.4 and StoreFront v2.5 and later are supported.
  Important: Be sure to see Appendix A: Citrix server changes required to support smart card authentication on page 42 for important guidance on configuring your Citrix and Active Directory devices. If you are using smart card authentication, go directly to Yes, BIG-IP APM should support smart card authentication on page 12.
  • No, BIG-IP APM should not support smart card authentication
    Select this option if you do not require the BIG-IP system to support smart card authentication. If you want the BIG-IP system to support smart card authentication, continue with Yes, BIG-IP APM should support smart card authentication on page 12.
    a. Do you want to replace Citrix Web Interface or StoreFront servers with the BIG-IP system?
      You can use the BIG-IP system to eliminate the need for the Citrix Web Interface or StoreFront servers altogether.
      • No, do not replace the Citrix Web Interface or StoreFront servers
        Select this option if you do not want to use the BIG-IP system to replace the Web Interface or StoreFront servers from your environment.
      • Yes, replace Citrix Web Interface or StoreFront servers with the BIG-IP system
        Select this option if you want the BIG-IP system to replace the need for Citrix Web Interface or StoreFront servers. This configures the BIG-IP system with APM and uses a single HTTPS (port 443) virtual server to provide proxy authentication and secure remote access to XenApp or XenDesktop services without requiring the use of an F5 Edge Client. It also provides the option of using BIG-IP Dynamic Presentation Webtop functionality to replace Citrix Web Interface or StoreFront servers in the Virtual Server for Web Interface or StoreFront servers section. For this scenario to work properly, the BIG-IP system must have connectivity to a Citrix XML Broker or DDC server.
        a. Select the type of Citrix Access Method you want to use
          Choose whether you want the Citrix Receiver clients to use PNAgent (XenApp Services) or StoreFront-based access protocol for publishing applications from Citrix XML Broker or DDC server.
          • Use Citrix PNAgent based access
            Select this option if you want Citrix Receiver clients to use PNAgent-based access protocol for publishing applications from Citrix XML Broker or DDC server.
          • Use StoreFront based access
            Select this option if you want Citrix Receiver clients to use StoreFront-based access protocol for publishing applications from Citrix XML Broker or DDC server. Selecting this option enables the BIG-IP APM to act as a full StoreFront replacement.
        b. Create a new AAA object or select an existing one?
          The AAA Server contains the authentication mechanism for the BIG-IP APM Access Policy. Select whether you want the template to create a new BIG-IP APM AAA Server object, or if you have already created an AAA object for XenApp or XenDesktop on the BIG-IP system.
          • Select the AAA Server you created from the list
            If you have previously created an AAA Server for your Citrix implementation, select that object you created from the list. Continue with c. Do you want the BIG-IP system to proxy RSA SecurID for two-factor authentication? on page 11.
          • Create a new AAA Server object
            Select this default option for the template to create a new Active Directory AAA Server object for the Citrix environment.
            a. What is the Active Directory FQDN for your Citrix users?
              Type the Active Directory domain name for your XenApp or XenDesktop implementation in FQDN (fully qualified domain name) format.
            b. Which Active Directory servers in your domain can this BIG-IP system contact?
              Type both the FQDN and IP address of all Active Directory servers in your domain that this BIG-IP system can contact. Make sure this BIG-IP system and the Active Directory servers have routes to one another and that firewalls allow traffic between the two. Click Add to include additional servers.
            c. Does your Active Directory domain allow anonymous binding?
              Select whether anonymous binding is allowed in your Active Directory environment.
              • Yes, anonymous binding is allowed
                Select this option if anonymous binding is allowed. No further information is required.
              • No, credentials are required for binding
                If credentials are required for binding, you must specify an Active Directory user name and password for use in the AAA Server.
                a. Which Active Directory user with administrative permissions do you want to use?
                  Type a user name with administrative permissions.
                b. What is the password for that user?
                  Type the associated password.
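The prerequisite note earlier in this guide lists three APM version ranges affected by an out-of-bounds memory vulnerability. The following is an added example, not part of the F5 guide or F5 tooling, that checks an inventory of version strings against exactly those ranges; the host names and inventory are constructed, and it assumes hotfix levels order numerically within a release.

```python
import re

# Affected APM ranges exactly as listed in the prerequisite note (inclusive).
AFFECTED_RANGES = [
    ("11.6.0", "11.6.0 HF3"),
    ("11.5.0", "11.5.2 HF1"),
    ("11.4.1", "11.4.1 HF8"),
]

# Accepts "11.5.2 HF1", "11.6.0", and the "11.6 HF-5" spelling the guide also uses.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s+HF-?(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text):
    """Return (major, minor, patch, hotfix); a missing patch or hotfix is 0."""
    match = _VERSION_RE.match(text)
    if match is None:
        raise ValueError(f"unrecognised BIG-IP version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def affected_range(version_text):
    """Return the (low, high) range from the guide containing the version, else None."""
    version = parse_version(version_text)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= version <= parse_version(high):
            return (low, high)
    return None


def audit_inventory(inventory):
    """Map each affected host to its range; unparsable entries map to 'unparsed'."""
    findings = {}
    for host, version_text in inventory.items():
        try:
            hit = affected_range(version_text)
        except ValueError:
            # A malformed entry is reported, never silently treated as safe.
            findings[host] = "unparsed"
            continue
        if hit is not None:
            findings[host] = hit
    return findings


# Constructed inventory: host names and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "apm-edge-1": "11.5.1 HF9",  # inside 11.5.0 - 11.5.2 HF1 (11.5.1 < 11.5.2)
    "apm-edge-2": "11.5.2 HF2",  # one hotfix past the upper bound
    "apm-edge-3": "11.6 HF-5",   # past 11.6.0 HF3
    "apm-edge-4": "11.4.1",      # lower bound of the 11.4.1 range
    "apm-lab-1": "13.1.0",
    "apm-lab-2": "eleven-six",   # malformed entry
}

if __name__ == "__main__":
    for host, result in sorted(audit_inventory(SAMPLE_INVENTORY).items()):
        print(host, result)
```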
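The firewall port table earlier in this guide lists, per deployment scenario, which source may reach which destination on which port. The following is an added example, not part of the F5 guide, that compares a firewall rule set against that table; the zone names and the sample rules are hypothetical and constructed for illustration.

```python
# Flows from the guide's firewall port table, per deployment scenario:
# (source, destination, ports). Zone names are hypothetical labels for the
# table's Source and Destination columns.
WEB = {443, 80}     # "Web Connections (secure or insecure)"
ICA = {1494, 2598}  # 2598 applies only if session reliability is enabled

_CLIENT_VS = ("clients", "bigip_client_vs", {443})
_BROKER = ("bigip", "xml_ddc", WEB)
_SF_TO_XML_VS = ("storefront_wi", "bigip_xml_vs", WEB)
_BIGIP_TO_SF = ("bigip", "storefront_wi", WEB)

PORT_TABLE = {
    # StoreFront or Web 5.4 server replacement using APM
    "apm_replacement": [_CLIENT_VS, _BROKER, ("bigip", "vdi_resources", ICA)],
    # StoreFront or Web 5.4 server integration using APM
    "apm_integration": [_CLIENT_VS, _SF_TO_XML_VS, _BROKER, _BIGIP_TO_SF,
                        ("bigip", "vdi_resources", ICA)],
    # Load balancing only using LTM: clients reach ICA resources directly
    "ltm_only": [_CLIENT_VS, _SF_TO_XML_VS, _BROKER, _BIGIP_TO_SF,
                 ("clients", "vdi_resources", ICA)],
}


def audit_rules(scenario, rules):
    """Compare (source, destination, port) permit rules with the table.

    Returns a dict with:
      unlisted  - rules that match no flow the table lists for the scenario
      cleartext - listed rules that use the insecure option, port 80
      missing   - listed flows that no rule permits on any of their ports
    """
    flows = PORT_TABLE[scenario]
    unlisted, cleartext, covered = [], [], set()
    for rule in rules:
        src, dst, port = rule
        index = next((i for i, (s, d, ports) in enumerate(flows)
                      if (s, d) == (src, dst) and port in ports), None)
        if index is None:
            unlisted.append(rule)
            continue
        covered.add(index)
        if port == 80:
            cleartext.append(rule)
    missing = [(s, d, sorted(ports)) for i, (s, d, ports) in enumerate(flows)
               if i not in covered]
    return {"unlisted": unlisted, "cleartext": cleartext, "missing": missing}


# Constructed rule set for illustration.
SAMPLE_RULES = [
    ("clients", "bigip_client_vs", 443),
    ("bigip", "xml_ddc", 80),
    ("bigip", "vdi_resources", 1494),
    ("clients", "vdi_resources", 1494),  # ICA straight from clients, not via APM
]

if __name__ == "__main__":
    for name in PORT_TABLE:
        print(name, audit_rules(name, SAMPLE_RULES))
```

In the two APM scenarios the table lists the BIG-IP system as the only source of ICA traffic, so a rule letting the client network reach 1494 or 2598 directly is reported as unlisted there, while the same rule is expected in the LTM-only scenario.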

Description:
Oct 6, 2014 Welcome to the F5 deployment guide for Citrix® VDI applications, 2 XenApp and XenDesktop 7.6 and 7.5, and StoreFront 2.6 and 2.5 require
