tbutler
New Member
January 22, 2026
Question

How to configure FortiADC to load balance Citrix Gateway servers and launch applications.


Configuring FortiADC to load balance Citrix Gateway servers. Access works internally, but the requirement is for internet accessibility. The FortiADC has no public exposure - the private VIP is being NAT'd at the edge firewall. Reviewed documentation posted at https://docs.fortinet.com/document/fortiadc/8.0.0/fortiadc-on-citrix-vdi-deployment-guide/365130/reference-network-topology-used-in-the-examples-of-solution-2

The StoreFront access works as expected, but the ICA file is not being rewritten once you launch an application.

 

Any assistance would be appreciated.

4 replies

Jean-Philippe_P
Staff & Editor
January 25, 2026

Hello tbutler,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
January 26, 2026

Hello,

We are still looking for an answer to your question.

We will come back to you ASAP.

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
January 28, 2026

Hello tbutler,

I found this solution. Can you tell us if it helps, please?

To configure FortiADC to load balance Citrix Gateway servers and ensure the ICA file is rewritten correctly, follow these steps:

  1. Configure the Virtual Server:

    • Set up a virtual server on FortiADC with a private VIP that is NAT'd at the edge firewall for internet access.
    • Ensure the virtual server is configured to handle both HTTPS and WebSocket traffic.

  2. Create Server Pools: Create server pools for your Citrix Gateway servers. Include all the Citrix Gateway servers that need to be load balanced.

  3. Add an HTTP Script:

    • Add an HTTP script to modify the ICA file. This script should replace internal IP addresses with the FortiADC's VIP and update the FQDN to match the StoreFront domain.
    • Ensure the script is correctly attached to the virtual server handling the StoreFront traffic.

  4. Configure Decompression Rule: Set up a decompression rule to decompress HTTP responses from the URI used by StoreFront to deliver ICA files. This allows FortiADC to intercept and rewrite the ICA file content.

  5. Edit Application Profile: Add the decompression rule to the existing HTTPS Application Profile.

  6. Content Routing Rules: Create content routing rules to forward traffic to the StoreFront and VDA servers based on the content of the HTTP Host Header.

  7. Enable WebSocket: Ensure WebSocket settings are enabled on the Citrix VDI side to handle WebSocket traffic.

  8. Verify NAT Configuration: Ensure that the NAT configuration on the edge firewall is correctly set up to forward traffic to the FortiADC's private VIP.

By following these steps, you should be able to configure FortiADC to load balance Citrix Gateway servers and ensure the ICA file is rewritten correctly when launching applications. If the ICA file is still not being rewritten, double-check the HTTP script and ensure it is correctly modifying the necessary fields.

Jean-Philippe - Fortinet Community Team
tbutler
Author
New Member
January 28, 2026

Thanks for responding … and I’ve followed those steps and I’m able to see the ICA file is being rewritten, but launching applications is still not working. When I look at the packet capture after launching an app, I can see my client initiating a connection but using the private host address, which won’t work. I updated the HTTP script to use the public IP as the proxy and am only seeing SYNs - when the VIP is up/available. I will continue to review my scripts and config to find out where it’s amiss.

Kind Regards

Jean-Philippe_P
Staff & Editor
January 29, 2026

Hello again tbutler,

I found this answer:

If the ICA file is being rewritten but the application launch is still not working due to the client using a private host address, consider the following steps:

  1. Verify ICA File Rewriting: Ensure that the HTTP script correctly replaces all instances of private IP addresses with the public IP or FQDN that the client should use. Double-check the logic in the script to ensure all necessary replacements are being made.

  2. Check NAT Configuration: Confirm that the NAT configuration on the edge firewall is correctly translating the public IP to the private VIP. Ensure that the firewall rules allow the necessary traffic.

  3. Review Proxy Settings: Ensure that the SSLProxyHost and any other proxy-related settings in the script are correctly configured to use the public IP or FQDN.

  4. Debugging: Use debug logs to trace the script execution and verify that all expected changes are being applied to the ICA file. Look for any errors or warnings in the logs that might indicate where the process is failing.

  5. Network Connectivity: Ensure that there are no network connectivity issues between the client and the public IP. Check for any firewall rules or network policies that might be blocking the connection.

  6. Test with Different Clients: Try launching the application from different client machines to rule out client-specific issues.

By systematically reviewing these areas, you should be able to identify where the configuration might be incorrect or incomplete.

Jean-Philippe - Fortinet Community Team
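
One way to carry out the checks in steps 1 and 3 of the reply above (and the "double-check the HTTP script" advice in the earlier reply) is to audit a saved copy of the rewritten ICA file for host fields that still point at internal addresses. This is an added example, not part of the original posts or Fortinet's own code; the sample ICA content, the hostname `apps.example.com`, the internal DNS suffixes and the function names are constructed assumptions.

```python
import ipaddress

# Constructed sample: an ICA file after a partial rewrite (not from a real deployment).
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=10.20.30.41:1494
InitialProgram=#Notepad
SSLEnable=On
SSLProxyHost=apps.example.com:443
"""

# ICA keys whose value is a host the client will try to connect to.
HOST_KEYS = {"address", "sslproxyhost", "httpbrowseraddress"}

def host_part(value):
    """Return the host from 'host' or 'host:port' (IPv4 or name); None for ';40;STA...' tickets."""
    value = value.strip()
    if not value or value.startswith(";"):
        return None
    host, _, port = value.rpartition(":")
    return host if host and port.isdigit() else value

def audit_ica(text, internal_suffixes=(".local", ".internal")):
    """List (line, section, key, host) for host fields an internet client cannot reach."""
    findings, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() not in HOST_KEYS:
            continue
        host = host_part(value)
        if host is None:
            continue
        try:
            unreachable = ipaddress.ip_address(host).is_private
        except ValueError:  # not an IP literal: treat internal DNS suffixes as unreachable
            unreachable = host.lower().endswith(internal_suffixes)
        if unreachable:
            findings.append((lineno, section, key.strip(), host))
    return findings

if __name__ == "__main__":
    for finding in audit_ica(SAMPLE_ICA):
        print("still internal:", finding)
```

On the sample, `SSLProxyHost` has been rewritten but `Address` has not, which matches a client that receives a rewritten file yet still tries to connect to a private host.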
New Member
April 22, 2026

Hi, were you able to make it work? I’m trying to do the same. The ICA is correctly rewritten from the first script, but when it goes to the TCP virtual server, the stream script doesn’t seem to forward the connection to the internal VDA real server.