Forum Discussion

tolinrome_13817
Feb 03, 2014

Citrix and APM - Why?

I have F5 in a test environment and am thinking of introducing our Citrix environment to run through it, for which I have already successfully set up a test environment, and for the most part it works.

My question is, why would I need or want to use the APM for Citrix, what benefit is there? Now I have external Citrix clients authenticating through a Web Interface server and the XML brokers handling the apps. How does the APM make any difference? How will it benefit the environment? Thanks.

8 Replies

  • The APM module provides the ICA proxy functionality to replace either Secure Gateway or Access Gateway for your remote users, eliminating the need to open extra firewall holes to the internal application servers hosting the applications that external users are trying to run.

    APM performs pre-authentication of users/clients against Active Directory or another AAA server configured to verify that a user can first be authenticated. It then can provide either SSO to internal Web Interface servers or replace them by passing user credentials to the XML broker to then collect the applications the user is authorized to access.

    APM then returns the listed applications back to the client's browser or Receiver client, so they can click an application and start using it via ICA proxy without any VPN or additional firewall holes, by riding the ICA traffic over the original SSL connection through APM.

    Hope that helps.

  • Hamish

    Segregation of security from the Citrix environment is the important part. Your Citrix Web Interface servers tend to have more access into your production environment than would be best to allow someone to hit without being authenticated first.

    Lots of other reasons too... For example, offloading the web interface to the browser (lower footprint in your data centre). The BigIP just talks to the XML brokers directly... No WI required...

    BigIP also does multiple authentications, lets you segregate by platform, and verifies client installations (anti-virus, firewalls, patch levels etc.).

    H

  • Thanks nalb for your response, I appreciate that. How it's set up now (we're not using Secure or Access Gateway, nor do we need clients to access a VPN for the apps), in production, is that the remote clients are authenticated by the Citrix Web Interface server (via Active Directory), the WI then contacts the XML broker to see what the authenticated client has access to, and the WI server then presents the client the ICA connection with the approved apps. The client then makes a direct connection with the XML brokers (app farm) from that moment. It is currently set up as alternate Secure Access in the Citrix Web Interface Management. Clients receive an external IP address mapping from app server to client. The F5 Citrix template requires direct connection.

    So, it seems that the only difference between what you described and how it's set up in my environment (please correct me if I'm wrong) is that currently we have NATing on our firewall that goes directly from outside to the internal Citrix app server. Without using the APM module I could repoint the NAT rules from Outside to F5 to Internal, and all is the same, correct? Thanks for taking your time to explain, since this is all new to me.

    One last thing...

    "client so they can click an application and start using it via ICA proxy without any VPN or additional firewall holes by riding the ICA traffic over the original SSL connection through APM."

    Does that above sentence mean that the only NAT I would need in the firewall is the citrix.domain.com IP to the F5, and all other application traffic would travel back and forth to the client on the original SSL connection (citrix.domain.com)?

  • Thanks Hamish, I just saw your response. How could the APM replace the Web Interface server if the Citrix IIS website is on the Web Interface server? I found some documentation on this website that explains the APM in general terms, but I can't seem to find any good ones, or a good video, that explain how F5 and the APM can replace, provide better security for, etc. current Citrix environments. If you know of any, please pass them along.

    • Hamish
      APM provides a web interface via JavaScript that runs in the client browser. After the auth is performed, the JavaScript runs and requests from the XML brokers the information on what apps are available etc. (using the client's credentials). The JavaScript then renders the list of applications. When you click on one of the app icons in your browser, the JavaScript sends the request to the APM, which forwards it to the XML brokers. The request is interpreted by APM and it creates the .ica file, which is sent back to the client for the browser to interpret as it would normally (i.e. by starting the Citrix Receiver and handing it the .ica file). APM then acts as a proxy for the ICA traffic. The ICA traffic is encapsulated in the TLS to APM, and APM forwards it to the XenApp server itself.
  • No, you could not simply change the NAT settings from your app servers today to the F5 without APM. What APM provides with ICA proxy is the ability to eliminate the direct NATs for the application servers, to provide greater security for the backend Citrix environment.

    It also eliminates the need to have multiple SSL certificates running on all the internal app servers.

    This is because APM would be the one and only connection point clients would need to resolve to by DNS and encrypt with an SSL certificate, and your firewall would only need to open one NAT for port 443, so that the SSL connection from the client hitting the APM/LTM VIP could do the authentication and ICA proxy all together, adding to the security layering by not allowing direct port/network address translation to the application servers.

    Furthermore, the APM also adds more security by applying token values to the sessions, so access to the application servers cannot be replayed by someone simply clicking on some launch.ica file in the cache of a browser on something like a shared system that multiple users could have access to; they cannot simply walk right through the firewall and into an application server without being asked to authenticate first.

    APM adds more granular authentication and identity of who is logged in and accessing the environment by making sure the users first supply their credentials to be authenticated by Active Directory, and if they are successful then APM can forward them on to the WI/XML broker/application servers accordingly as needed throughout their transaction/session.

    Hope that helps.

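The replies above draw one practical distinction: in the poster's current setup the Web Interface hands the client a launch.ica whose Address is the application server's externally NAT'd IP (a direct connection), while with an ICA proxy the client only ever talks to one TLS host and the server side is named by a one-time ticket, so a cached .ica cannot be replayed through the firewall. The script below is an added example, not code from this thread or from F5, that parses a launch.ica file and reports which of the two it is. It assumes the standard Citrix INI-style .ica layout ([ApplicationServers] listing one section per published app, with Address, SSLEnable and SSLProxyHost keys) and the ";40;STA<id>;<ticket>" form of a ticketed Address; the two sample files, the ticket string and the host citrix.example.com are constructed for the example.

```python
"""
Classify a Citrix launch.ica file as a *direct* launch (client connects to the
application server's address itself) or a *proxied* launch (client connects
only to a TLS proxy; the server is addressed by a one-time STA ticket).

Added example. Assumptions: standard INI-style .ica layout and the
";40;STA<id>;<ticket>" Address form. Sample files below are constructed.
"""
import configparser
import ipaddress

# Constructed sample 1: a Web Interface "direct / alternate address" launch.
# 203.0.113.10 stands for the firewall's external NAT of a XenApp server; the
# client opens ICA (1494) to it directly.
DIRECT_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=203.0.113.10:1494
InitialProgram=#Notepad
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
"""

# Constructed sample 2: a gateway / ICA-proxy launch. The only host contacted
# is citrix.example.com:443; the Address is a ticket the proxy redeems.
PROXIED_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=;40;STA01;5F2B3C9A8D7E6F1A2B3C4D5E6F7A8B9C
SSLEnable=On
SSLProxyHost=citrix.example.com:443
InitialProgram=#Notepad
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ica(text):
    """Parse an .ica file into {section: {key: value}}; no % interpolation."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # keep key case as written (Address, SSLProxyHost, ...)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def classify_launch(text, expected_proxy_host):
    """One record per published app: mode 'direct' or 'proxied' plus findings."""
    ica = parse_ica(text)
    records = []
    for app in ica.get("ApplicationServers", {}):
        sec = ica.get(app, {})
        address = sec.get("Address", "")
        findings = []
        if address.startswith(";40;STA"):
            mode = "proxied"  # ticket, not a routable server address
            if sec.get("SSLEnable", "Off").lower() != "on":
                findings.append("SSLEnable is not On: ICA would not ride the TLS session to the proxy")
            proxy_host = sec.get("SSLProxyHost", "").rsplit(":", 1)[0]
            if not proxy_host:
                findings.append("SSLProxyHost missing: client has no proxy to connect to")
            elif proxy_host.lower() != expected_proxy_host.lower():
                findings.append(f"SSLProxyHost {proxy_host!r} is not the expected {expected_proxy_host!r}")
        else:
            mode = "direct"
            host = address.rsplit(":", 1)[0]  # IPv4 or hostname, optional :port
            findings.append(f"Address {host!r} is a server address, not a ticket: "
                            "the client connects to it directly, so the firewall must forward it to the app server")
            try:
                ip = ipaddress.ip_address(host)
            except ValueError:
                findings.append("Address is a hostname; check what it resolves to externally")
            else:
                if any(ip in net for net in RFC1918):
                    findings.append("Address is RFC 1918: internal addressing is exposed in a client-side file")
            findings.append("No per-launch ticket: a cached copy still names the server, "
                            "so reuse is not gated by re-authentication at the perimeter")
        records.append({"app": app, "mode": mode, "address": address, "findings": findings})
    return records


if __name__ == "__main__":
    for label, text in (("direct", DIRECT_ICA), ("proxied", PROXIED_ICA)):
        for rec in classify_launch(text, "citrix.example.com"):
            print(f"{label}: {rec['app']} -> {rec['mode']}")
            for finding in rec["findings"]:
                print("   -", finding)
```

Run it against the launch.ica your Web Interface currently produces (save one from the browser) and against one produced after the proxy is in front; the first should classify as direct with the external NAT address in the findings, the second as proxied with no findings if SSLProxyHost is the single FQDN you are NATing 443 to.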

  • Check out this video on YouTube:

    http://www.youtube.com/watch?v=wqf-l6bqGjQ&sns=em

    or search YouTube for

    BIG-IP APM for Citrix XenApp and XenDesktop

  • With the APM, since direct NATs are no longer needed, where do I reconfigure the XML broker servers to not look for the current NAT statements and only look at the F5? Besides the firewall, obviously, is there some place on the current Citrix Web Interface or elsewhere where I need to tell the XML brokers not to look at the direct NAT to communicate with the client? I want to choose one for testing.