Jump to content
Welcome to our new Citrix community!
  • 0

Can Not Configure Citrix Workspace / Receiver with F5 Big IP


Bryan Bell

Question

Currently when a user outside of our network configures the Workspace application or Receiver application on a tablet or computer they can not connect to our storefront. 

 

If I don't configure Workspace or Receiver and just use the outside beacon URL, I will get to to the F5 login. After typing in my domain username and password, I'm forwarded to the storefront, choose a app or desktop, it downloads the ICA file, and I can open the ICA with the Workspace app.  Great a work around... but not always; iPhone users are not having that good luck.  iPhone users are telling me they are not able to do this workaround.

 

Is there something that anyone is aware of that could be causing the root issue, a fix with out removing the F5?  Security folks are all about needing F5.

 

Don't know that these screenshots will help at all but these are from my current settings on storefront.

Pic1.jpg

Pic2.jpg

Edited by bbell477
Spelling and added screenshots.
Link to comment

8 answers to this question

Recommended Posts

  • 0
13 minutes ago, Carl Stalhood1709151912 said:

Are you doing two-factor with two fields?

 

What is your internal beacon? Make sure the internal beacon is only reachable from the inside.

No just domain username and password. 

 

I just tried our internal beacon from my phone (connected to cell carrier only), got to the F5 login screen when using the chrome browser.   I'll go talk to our network/DNS/f5 guy.

Edited by bbell477
Bad question removal. Added detail about how I got to F5 login screen
Link to comment
  • 0
Just now, Carl Stalhood1709151912 said:

Correct. In StoreFront console, go to Manage Beacons. Change the internal beacon to something that is internal only.

Our internal beacon was set to "Use the service URL" so I went ahead and specified the beacon address even though it was the same.  I'm still able to get to the F5 login page using the internal beacon.  I'm guessing we need to investigate the DNS on the Big IP?

Link to comment
  • 0
1 hour ago, Carl Stalhood1709151912 said:

If your service URL (StoreFront Base URL) is identical to your F5 APM URL, then you need to pick a different internal URL.

I haven't been able to speak with our network admin yet about making sure we can not get to the internal beacon from the outside.  While I'm waiting for him I wanted to confirm, our external URL should be pointing to my controllers or my storefronts (separate servers)? 

Link to comment
  • 0
3 hours ago, Bryan Bell said:

Our internal beacon was set to "Use the service URL" so I went ahead and specified the beacon address even though it was the same.  I'm still able to get to the F5 login page using the internal beacon.  I'm guessing we need to investigate the DNS on the Big IP?

He made the change, now you can not reach the internal beacon from outside.  I again made sure this was the case by using my phone chrome web browser.  I used the external beacon in my phones web browser and got to the F5 login.  I also ensured that I could still use the internal beacon for inside the network. 

 

Then I went to workspace and entered in the external beacon as the store URL, still getting an error message after typing in my domain username and password: "Error Citrix Workspace could not verify the specified server or email address Error Code 451".   I clicked the "ok" button on the error, was shown the welcome page in the Workspace app, I clicked the "x" at the top left and the "Accounts" page showed with a "Store" account.  The "Account URL" was my internal beacon but the "pick gateway" and "Current default gateway URL" was my external beacon.

 

I deleted the account using the trashcan icon.

 

I tried using my email address and got the error, "Error Specified server or email address could not be validated Error Code 401".  I clicked the "ok" button on the error, was shown the welcome page in the Workspace app, I clicked the "x" at the top left and the "Accounts" page showed, but accounts were listed.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...