Forum Discussion

Gerald_G__Young's avatar
Gerald_G__Young
Icon for Nimbostratus rankNimbostratus
Jul 10, 2012

F5 LTM and Citrix Secure Gateway

I have a couple of CSG/WI servers that I need to load balance through the F5 LTM. I've been told I'm not able to place the SSL certificate for the CSGs on the LTM, even if its configured to perform SSL-to-SSL bridging.

 

 

That being said, are there any other caveats that I need to be aware of when setting up the configuration? Or is it as straight forward as:

 

 

Create nodes.

 

Create pool.

 

Create virtual servers.

 

 

HTTPS is pretty simple. I'm more worried about Citrix's proprietary ICA protocol.

 

 

Any guidance will be greatly appreciated.

 

 

I'm running BIG-IP 10.2.0 Build 1707.0 Final (yes I know it's old but the last time I checked with support about upgrading, they recommending waiting).

 

  • GaryZ_31658's avatar
    GaryZ_31658
    Historic F5 Account
    Gerald,

     

     

    What version of Citrix are you running?

     

    Do you want to replace CSG?

     

     

    We have a complete solution around delivering ICA to clients including Receiver Clients. There are several customers that have this solution in production today. Some deployments use F5 in front of WebInterface Server while others choose to completely replace WI and let F5 work directly with XML Broker.

     

     

    I would need to understand your requirements a little better to give you more detailed guidance. We also have some good reading material on www.f5.com (deployment guides etc...).

     

     

    Point your browser to: http://www.f5.com/citrix

     

     

    As far as upgrading... Version 11 has been in production release for almost a full year. Version 11.2 is the current supported release and I am not aware of any stability issues. Also, there have been some significant Citrix specific enhancements built into Version 11 that you may want to take advantage of.
  • I have CSG 3.3 and WI 5.4 colocated on two servers. These servers will talk to some backend XenApp 6.5 boxes.

     

     

    I need to configure a VS on our F5 to load balance client traffic destined to the CSG boxes. This traffic uses 443.

     

     

    I'm looking for any caveats in load balancing the CSGs.

     

     

    Thanks again.
  • Michael,

     

     

    Thanks. That did the trick (as well as disabling Nagle on the client profile).
  • Just would like to confirm what I seem to understand on this discussion of putting the LTM in front of the (old) citrix secure gateways. You said " I've been told I'm not able to place the SSL certificate for the CSGs on the LTM, even if its configured to perform SSL-to-SSL bridging."

     

    Does this mean that you simply set the LTM to Layer 4 to the pool of Citrix Secure Gateway servers? That is, the F5 LTM cannot terminate the SSL.

     

    I have tried to setup with the F5 terminating the SSL. The Web Interface works fine, but it seems I cannot launch any applications (ICA) from the menu.

     

    We have to get rid of these old servers, but until then we have an expiring certificate and I was hoping I could terminate on the LTM with our wildcard. Perhaps not!

     

    Thanks in advance for any detail on this setup.

     

  • Your assessment is correct. It's not that you technically cannot offload the SSL, but that CSG will break if you don't do it exactly right. The standard mechanism is to just create a layer 4 load balancing VIP for CSG (no client or server SSL profiles). What wasn't mentioned in this post, however, is that you can actually use SSL sessionid persistence with CSG. SSL persistence usually doesn't work for things like browser sessions, because browsers will randomly renegotiate SSL. The Citrix agent, however, does not renegotiate by default. Many years ago I managed a pretty big Citrix farm with CSGs, and this was the standard and problem-free method we used.

     

  • Thanks, Kevin. You validated what I had suspected. Thanks for the tip on alternate persistence, I'm not sure we will change what we have unless it stays longer than I hope. DevCentral is a fantastic resource.