
03.30.2006 at 08:32AM PST, ID: 21795472

Web Interface "There is no Citrix Metaframe server configured on the subnet"
Zone: Citrix
Tags: citrix, server, configured, address, web
Internally things work fine. Externally they get the error above. I know exactly what's wrong here but can't find the answer anywhere!!
My Citrix servers are on my LAN behind my firewall.
My Web Interface server is on my LAN behind my firewall as well.

The client is getting the launch.ica, which contains a https:// connection to the local IP address rather than the external IP address of my firewall that I have port forwarded through.

I don't have CSG, I don't have Access Gateway. Does anyone know how I get the Web Interface to hand off the ICA connection with the right properties? I've looked all over the management and all over the web but haven't had any luck.
Thanks,
Question Stats
Zone: Networking
Question Asked By: stamperb
Solution Provided By: mgcIT
Participating Experts: 1
Solution Grade: A
Views: 280
 
03.30.2006 at 08:44AM PST, ID: 16334137

Rank: Sage

Open the Access Suite Console (the Web Interface admin utility)

For your site, click Manage secure client access > Edit DMZ Settings

Your default connection is probably set as "Direct"

The best way to set this up is to set the default to "Alternate" and then add additional rules for your internal LAN such as:

Client IP Address: 192.168.1.0 (or whatever your internal subnet is)
Mask: 255.255.255.0
Access Method: Direct

This way anyone coming from the outside will use the alternate addressing you have set up.  However, if they go to the web interface using the internal address, it will just use the normal Direct access.
 
03.30.2006 at 08:55AM PST, ID: 16334271
OK, I feel I'm on the right track here. So I've set up the following DMZ Settings:
Default  - Alternate
172.16.0.0/20 - Direct

172.16.0.0/20 is my LAN.

Now from outside I get an error right away when I try to connect, at the bottom of the login screen, that says:
ERROR An error has occured while connecting to the requested resource.

Do I have to set up any address translations?

Here is some more detail:

Internet  -> Firewall -> Internal Router -> Web interface (172.16.0.10)
                                          |
                                          |-> Citrix Servers 10.11.34.2, 10.11.34.3, 10.11.34.4

I have port 443 forwarded thru to 172.16.0.10 on the LAN for my Web Interface.
 
 
03.30.2006 at 09:14AM PST, ID: 16334489

Rank: Sage

First of all, what is the "/20"? I'm not familiar with that >> 172.16.0.0/20

Secondly, here are the steps you will need to take in order to have access externally:

1. Set up an alternate address using the "altaddr" command on EACH of your PS 4.0 servers

2. Set up the NAT in the firewall to point the external addresses (set up in step 1) to the internal IP addresses of EACH of your Citrix servers

3. Open ports 1494, 80 (or whatever your XML port is), and 2598 (if using session reliability) on the firewall for EACH of the IP addresses

Since you are not using Secure Gateway you need these ports open. It won't just pass through the Web Interface on 443. If you want to skip all that you can install SG.
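The DMZ rule and alternate-address setup discussed in the posts above, as an added example that is not part of any post in this thread: it expands the "/20" notation into its mask and range and shows which address each client would be handed. The first-match rule order and the 203.0.113.x alternate addresses are assumptions (placeholders), not values from the thread.

```python
import ipaddress

# Values taken from the thread, except the alternate (public) addresses,
# which are documentation-range placeholders constructed for this example.
DEFAULT_METHOD = "Alternate"
RULES = [("172.16.0.0/20", "Direct")]          # the LAN rule posted above
ALTADDR = {                                     # internal address -> altaddr value
    "10.11.34.2": "203.0.113.2",
    "10.11.34.3": "203.0.113.3",
    "10.11.34.4": "203.0.113.4",
}


def parse_rule(spec):
    """Accept 'a.b.c.d/20' or 'a.b.c.d/255.255.240.0'.

    strict=True rejects a rule whose address has host bits set
    (for example 172.16.0.10/20), a common typo in subnet rules.
    """
    return ipaddress.ip_network(spec, strict=True)


def describe(spec):
    """Return (dotted mask, first address, last address) for a rule."""
    net = parse_rule(spec)
    return str(net.netmask), str(net[0]), str(net[-1])


def access_method(client_ip, rules=RULES, default=DEFAULT_METHOD):
    """Assumed semantics: the first matching rule wins, else the default."""
    ip = ipaddress.ip_address(client_ip)
    for spec, method in rules:
        if ip in parse_rule(spec):
            return method
    return default


def address_for_client(client_ip, server_ip, rules=RULES,
                       default=DEFAULT_METHOD, altaddr=ALTADDR):
    """Return (method, address written into the ICA file) for one launch."""
    method = access_method(client_ip, rules, default)
    if method == "Direct":
        return method, server_ip
    # Alternate: every server needs its own alternate address, otherwise
    # external launches to that server have nothing valid to hand out.
    if server_ip not in altaddr:
        raise LookupError(f"no alternate address configured for {server_ip}")
    return method, altaddr[server_ip]


if __name__ == "__main__":
    print("172.16.0.0/20 ->", describe("172.16.0.0/20"))
    for client in ("172.16.0.55", "172.16.16.1", "10.11.34.2", "198.51.100.7"):
        print(client, address_for_client(client, "10.11.34.2"))
```

Note that 10.11.34.0 (the Citrix server subnet in the topology above) is outside 172.16.0.0/20, so a client on that subnet falls through to the default.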
 
03.30.2006 at 09:16AM PST, ID: 16334508
OK understandable.  Next question then.  Isn't doing what you said above pretty unsecure?  I mean nothing is encrypted?  Correct?
Thanks,
 
03.30.2006 at 09:19AM PST, ID: 16334535

Rank: Sage

And sorry, one more thing: yes, you have to set up address translations using the admin console:

Manage secure client access > Edit Address Translations

These are the same IP translations as steps 1 & 2 above.
 
03.30.2006 at 09:21AM PST, ID: 16334559

Rank: Sage

>> Isn't doing what you said above pretty unsecure?

Although you can turn on encryption from the ICA Client / Citrix Farm, yes, I think it is. I would strongly suggest installing Secure Gateway (by the way, what version of Citrix are you running?). The first time you set up Secure Gateway it is a real pain and can be confusing, but once you do it (I suggest in a test environment first) it becomes pretty easy. That will give you the most security - everything will go over port 443 and you won't need to open all the ports on the firewall.
 
03.30.2006 at 09:47AM PST, ID: 16334813
Very good, that's what I'm after anyway!!! I'm on a brand new farm w/ Presentation Server 4.0.

Here is a what would you do for ya!!

I have 3 Citrix servers. I have my Web Interface server. How would you recommend setting this up? See, I'm short a server for a CSG box. I really don't wanna go back up asking for another 3K or something for this server I forgot about cause I didn't plan my deployment well enough? Could it be done w/ just the 3? Do I need the Web Interface server if I use CSG (I'm assuming yes?).
Thanks,
Brian
 
03.30.2006 at 09:57AM PST, ID: 16334906
Can CSG and Web Interface possibly run on the same box? Just another thought. I'm trying to figure a way to make it work in the already purchased environment I have :-)
 
03.30.2006 at 10:06AM PST, ID: 16334996

Rank: Sage

Yes, it can be on the same box.
 
03.30.2006 at 10:23AM PST, ID: 16335197

Rank: Sage

Here is the Admin guide: http://support.citrix.com/article/CTX106300

You'll probably want to go with a single-hop DMZ method as that is the easiest to configure and requires less hardware. Once you have downloaded the SG 3.0 install files from mycitrix.com let me know and I can help you through the install.
 
03.30.2006 at 02:00PM PST, ID: 16337369
OK so a few questions:
I have my SSL cert on the current box for the Web Interface.
I installed the CSG portion of things. Changed the SSL port that IIS uses to 444 since CSG config was complaining about it being in use. Then came to the STA part. According to the directions of the setup I point this at my Presentation Server 4.0? Now it's looking for that /Scripts/CtxSTA.dll. Well, IIS isn't even installed on my Citrix box so I'm thinking something's not right there.
That CtxSTA.dll exists in C:\program files\citrix\system32 on my Presentation Server but I'm still not thinking that's right?

So is there something I need to do to install the STA on my Presentation Server?
 
03.30.2006 at 02:07PM PST, ID: 16337432

Rank: Sage

short answer: NO

STA is automatically installed now when you install PS 4.0.  And it won't use IIS so you don't need to configure that either.  The main thing you need to worry about is the name & port of the STA servers.  If your XML port is 80 then you don't need to worry about it but if not make sure to change it.

In the Web interface admin page you have to specify the STA servers as well.  Again if the XML port is 80 just specify the FQDN name of your servers.  Otherwise specify it like this:

server.myloc.hq:8080  (for example if your XML port is 8080).
 
03.30.2006 at 02:14PM PST, ID: 16337482

Rank: Sage

I read that back and it sounded a little confusing so hopefully this will clear it up if you were confused.

When configuring Secure Gateway it will ask for your STA servers. Specify the FQDN name of all your PS 4.0 servers and also specify your XML port if it is something other than 80.

After that you will also need to specify the STA servers in the Web Interface Admin console.  To do that click Manage Secure Client access > Edit Secure Gateway Settings.  On this screen type in the FQDN name of your server and also specify the XML port if it's something other than 80.  So it will look like this:

http://server.myloc.hq:8080/scripts/ctxsta.dll

or just:

http://server.myloc.hq/scripts/ctxsta.dll  if your XML port is 80 (the default)
 
03.30.2006 at 02:26PM PST, ID: 16337565
OK my problem is when doing the STA for the CSG stuff.

When I put in the FQDN of the PS 4.0 Server I get the error:
The secure ticket authority can not be contacted.

To ignore the warning and enter the ID click continue.  

If I click continue the ID field opens up but I don't know what to put there?
 
03.30.2006 at 02:43PM PST, ID: 16337672

Rank: Sage

Yeah, it should put the ID in automatically.

Are the servers on the same LAN?
Can you ping that FQDN from the Secure Gateway server?

Are you checking the box that says "Secure traffic between..."? If so, uncheck this and just specify your normal XML port.
 
03.30.2006 at 02:51PM PST, ID: 16337742
They are on diff. subnets but yes, on the same LAN. I can ping the FQDN. However, I have 3 servers and the 3rd one put the ID in and went fine. Now I am getting errors in my event log about not being able to communicate w/ the config service on my first server. I'm going to give them a reboot and see if that helps.
 
03.30.2006 at 03:06PM PST, ID: 16337858
OK, now back to step 1. When I go to connect I get to the page, get logged in, click to launch my connection to the published desktop and get the error there is no citrix metaframe server configured on the specified address?
 
03.30.2006 at 03:18PM PST, ID: 16337938

Rank: Sage

OK, go back to the WI admin console:

For your site, click Manage secure client access > Edit DMZ Settings

Change default to Secure Gateway Alternate
Accepted Solution
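An added example, not from any poster or from Citrix: a small checker that reads a launch.ica and reports whether it points at an internal address, an externally reachable address, or a Secure Gateway, which is the difference between the access methods discussed in this thread. The sample files are constructed; `Address`, `SSLEnable` and `SSLProxyHost` are the ICA-file settings it reads, and the classification labels are this example's own.

```python
import configparser
import ipaddress

# RFC 1918 ranges are listed explicitly; ipaddress.is_private would also
# flag the documentation ranges used as placeholders below.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample files (not captured from a real farm).
ICA_DIRECT = """[ApplicationServers]
Desktop=

[Desktop]
Address=10.11.34.2:1494
InitialProgram=#Desktop
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
"""
ICA_ALTERNATE = ICA_DIRECT.replace("10.11.34.2", "203.0.113.2")
ICA_GATEWAY = """[ApplicationServers]
Desktop=

[Desktop]
Address=;40;STA-ID-PLACEHOLDER;TICKET-PLACEHOLDER
InitialProgram=#Desktop
SSLEnable=On
SSLProxyHost=gw.example.com:443
"""


def _host(address):
    """Strip an optional ':port' suffix from an IPv4 'host:port' value."""
    return address.rsplit(":", 1)[0] if address.count(":") == 1 else address


def classify_ica(ica_text):
    """Map each published resource to (mode, endpoint the client will dial)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                      # keep key and app-name case
    cp.read_string(ica_text)
    results = {}
    for app in cp["ApplicationServers"]:
        if app not in cp:
            results[app] = ("missing-section", "")
            continue
        sec = cp[app]
        address = sec.get("Address", "")
        proxy = sec.get("SSLProxyHost", "")
        if sec.get("SSLEnable", "Off").lower() == "on" and proxy:
            # Session is relayed through the gateway over TLS.
            results[app] = ("secure-gateway", proxy)
            continue
        try:
            ip = ipaddress.ip_address(_host(address))
        except ValueError:
            results[app] = ("unresolved-name", address)
            continue
        internal = any(ip in net for net in RFC1918)
        results[app] = ("direct-internal" if internal else "direct-external",
                        address)
    return results


def internal_only_apps(results):
    """Resources an Internet client cannot reach: the symptom in the question."""
    return sorted(a for a, (mode, _) in results.items()
                  if mode == "direct-internal")


if __name__ == "__main__":
    for name, text in (("direct", ICA_DIRECT), ("alternate", ICA_ALTERNATE),
                       ("gateway", ICA_GATEWAY)):
        print(name, classify_ica(text))
```

A `direct-external` result means the ICA port itself is exposed on the firewall; only the `secure-gateway` result keeps the session on port 443.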
 
03.30.2006 at 03:25PM PST, ID: 16337989
I thought of that but every time I try to change it, it says it lost contact to the server. So I think maybe I have a problem w/ something on one of the PS 4.0 servers? It wouldn't even let me remove the site to re-add it.
 
03.30.2006 at 03:36PM PST, ID: 16338060

Rank: Sage

Does your site have a local configuration or centralized?

To see this click Local Site Tasks > Manage configuration source

Or maybe it's just because you were rebooting your Citrix servers and they haven't come back online yet.
 
03.30.2006 at 07:39PM PST, ID: 16339233
It's centralized. I'm gonna do some work on it now. See what I can come up with.
 
03.30.2006 at 08:13PM PST, ID: 16339364
So I've got things going now. I'm not sure what caused all that but something w/ the setup stuff. Had to run configure for just each server individually and remove the config. Anyway, back to being good now.

So in the address translation stuff. I need to set translation for the Secure Gateway but what IP do I use for the LAN? The PS 4.0 addresses? Or the Web Interface address? And then for the external do I put the external IP for my internet connection?

Thanks,
 
03.30.2006 at 08:14PM PST, ID: 16339370
Also what port external and what port internal for the translation?
 
03.31.2006 at 07:16AM PST, ID: 16343164

Rank: Sage

Well, actually you probably don't need that now. Is your WI / SG server on the same subnet as the rest of your farm?

If so you can change the default access method to Secure Gateway Direct.  Then you can get rid of all your address translations because it will just be using the internal addresses.
 
03.31.2006 at 08:36AM PST, ID: 16343980
THANKS SO MUCH!!  I'VE GOT THIS ALL GOING!!
 
 