Forum Discussion

alex100's avatar
alex100
Icon for Cirrostratus rankCirrostratus
Jul 12, 2016

Seamless failover for Citrix ICA tunnel

We have a Citrix XenApp environment behind APM (11.6) deployed using Citrix iAPP template. APM acts as ICA proxy and we also employ WEB UI servers on the Citrix side of things. It looks like Citrix Receiver disconnects in the middle of the session in the event of Big-IP failing over from active to stand by. In terms of VS configuration we offloading SSL so we are unable to mirror the connections due to V11 limitations. We are also using "cookie" persistence profile with source IP as fallback. I am trying to understand what can be done to avoid Citrix Receiver dropping the connection in case of HA pair failing over. Has anyone been successful trying to achieve seamless fail over for Citrix ICA tunnel?

 

  • Nath's avatar
    Nath
    Icon for Cirrostratus rankCirrostratus

    Guys any update on this, I am doing right now the CItrix to F5 Migration and saw this kind of configuration on the NS "set ica parameter -EnableSRonHAFailover YES"

    Anyone tried connection mirroring for ICA session and how F5 behaves on this?

     

    Thank you.

    Nat

  • JG's avatar
    JG
    Icon for Cumulonimbus rankCumulonimbus

    Yes, SSL mirroring is supported in v12.* only. See: https://support.f5.com/kb/en-us/solutions/public/17000/300/sol17391.html .

     

    If you can't/don't want to upgrade to v12.*, you can use connection mirroring instead, and the client normally should be able to re-negotiate an SSL connection of itself - unless you configure your service not to allow it, of course.

     

  • Arnaud,

     

    Any update on the session reliability for ICA tunnel? I am under impression that in my case, in order to have a seamless failover, it is necessary to mirror the connection table. I understand that since we are offloading SSL on Big-IP we have to be able to mirror SSL connections which is only supported in version 12.X? Would your be able to confirm my theory?

     

  • Hello Alex, will try to find info but session reliability is something we support if we reverse proxy the web interface (no webtop).