Kylo Ren
Cannot connect to the Citrix XenApp server There is no Citrix XenApp server configured on the specified address
Hello, set up XenApp and internally it works fine. Externally only the web interface works, and it is a temp workaround. Have XenApp set up as such.
1494
XML port
2598
80
Are all open on firewall
Altaddr /server: SERVERNAME /set localip public ip
Command was run with proper variables.
Under DMZ, default is translated and local subnet (192.168.10.0 mask 255.255.255.0) is set as direct.
Translation map translates all ports listed above (I don't think that all ports are necessary to list but I did it anyway) to public IP.
I'm somewhat confused at this point... What could I possibly be missing? Please advise. Thanks!!
Is there a reason you haven't installed Citrix Secured Gateway (CSG) in the DMZ? Your current install is completely open for hackers and all traffic can be viewed by anyone with a freeware packet sniffer...
My suggestion would be to install CSG on your External facing Web Interface site and configure it according to these two links:
Pre-install checklist: http://support.citrix.com/article/CTX116427
Admin Guide: http://support.citrix.com/article/CTX116425
In the Admin Guide you want to follow Scenario A - Single Hop DMZ setup.
You can also follow these guides for setting everything up:
http://www.msterminalservices.org/articles/Install-Configure-Citrix-Web-Interface-Secure-Gateway-Part1.html
http://www.msterminalservices.org/articles/Install-Configure-Citrix-Web-Interface-Secure-Gateway-Part2.html
Of course the above is just my very strong recommendation - should you choose to go forward as is, make sure you are set up as follows:
This usually means that these servers need to have external IP addresses assigned; this can be worked around with NAT-assigned IP addresses on the firewall - but each server still needs its own address.
For example (IPs are just for examples):
Server A: Internal IP=10.0.0.1
Server B: Internal IP=10.0.0.2
Server C: Internal IP=10.0.0.3
Each server needs its own address accessible from the Internet, so on your external firewall you would configure NAT addresses that translate public IPs to these internal IPs.
Server A: External IP=72.72.72.1
Server B: External IP=72.72.72.2
Server C: External IP=72.72.72.3
On each Citrix server you need to set up altaddr using the altaddr cmd (this tells Citrix it can accept requests sent to these addresses):
Server A: altaddr /set 72.72.72.1
Server B: altaddr /set 72.72.72.2
Server C: altaddr /set 72.72.72.3
Now on the External Web interface, you would go to AMC > WI Site > Edit DMZ Settings > Use Alternate Address = Default, Direct = your internal IP Address Range (10.0.0.0/255.255.255.0 - from my example above).
Ports to open:
Internet to Web Interface: 80
Internet to Citrix Servers: 1494, 2598
Web Interface to Citrix Servers: 85 (your XML port)
After all this is set up you can test - but again I highly discourage that you install it this way - CSG should be included with your Citrix software (check with Citrix to be sure) and the CSG setup costs you a simple SSL cert every year... Well worth the investment.
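As an added illustration (not part of the original answer, and not Citrix code), this simplified Python model shows how the Direct range and the default access method decide which address a client is handed for a published application. The function names, the client addresses 10.0.0.50 and 203.0.113.9, and the single translation-map entry are assumptions; treating a missing map entry as an error is this model's choice.

```python
import ipaddress

# Constructed values mirroring the answer's example addresses.
ALTADDR = {"10.0.0.1": "72.72.72.1", "10.0.0.2": "72.72.72.2", "10.0.0.3": "72.72.72.3"}
DIRECT_RANGES = [ipaddress.ip_network("10.0.0.0/255.255.255.0")]
# Translation map: (internal ip, internal port) -> (external ip, external port)
TRANSLATION_MAP = {("10.0.0.1", 1494): ("72.72.72.1", 1494)}


def access_method(client_ip, direct_ranges, default):
    """Pick 'direct' for clients inside a listed range, else the default method."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in direct_ranges):
        return "direct"
    return default


def address_for_client(client_ip, server_ip, port, default):
    """Return the (ip, port) this model hands the client for one server."""
    method = access_method(client_ip, DIRECT_RANGES, default)
    if method == "direct":
        return server_ip, port            # internal clients get the real address
    if method == "alternate":
        if server_ip not in ALTADDR:      # altaddr /set was never run on this server
            raise LookupError(f"no altaddr set on {server_ip}")
        return ALTADDR[server_ip], port
    if method == "translated":
        try:
            return TRANSLATION_MAP[(server_ip, port)]
        except KeyError:
            raise LookupError(f"no translation map entry for {server_ip}:{port}") from None
    raise ValueError(f"unknown access method {method!r}")


def unmapped_ports(server_ip, ports):
    """List ports the 'translated' method could not resolve for this server."""
    return [p for p in ports if (server_ip, p) not in TRANSLATION_MAP]


if __name__ == "__main__":
    print(address_for_client("10.0.0.50", "10.0.0.1", 1494, "alternate"))
    print(address_for_client("203.0.113.9", "10.0.0.1", 1494, "alternate"))
    print(unmapped_ports("10.0.0.1", [1494, 2598]))
```
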
ASKER
pfcjoker:
Thanks for the information and I completely agree, however I am new to Citrix and before I start setting up the CSG feature, I need to have remote offices working ASAP. Having said that,
My Citrix server only has one NIC and has one-to-one NAT translation set up on the firewall. All ports are open and applications are enumerating; "it says connection in progress and after that it crashes". Any other suggestions? I'm sorry if I missed the point. I do understand the security side but time is of the essence.
When you type altaddr on your one Citrix server what does it show?
From your client can you telnet to the following ports at your external facing IP:
1494
2598
Is your Web Interface server set up with Alternate Addressing as the default method? Does the direct connect have your IP/range?
Define crashes? Do you get a specific error? Are there any error/warnings in your Application/System eventlog on the Citrix server / Workstation at the time of "crash"?
ASKER
altaddr:
localhost - 192.168.10.101
alt address - Public IP
Local telnet: (Everything works internally)
1494 - Response = ICA
2598 - Response = blinking dash
Direct is setup as follows:
192.168.10.0 Mask 255.255.255.0
Default access method is translated
Translation map:
192.168.10.101 int port 1494 external ip external port 1494
SETUP THE SAME FOR XML, 2598 AND PORT 80
Crashing was somewhat misleading, error is:
Cannot connect to the Citrix XenApp server There is no Citrix XenApp server configured on the specified address
Thanks again
ASKER
Telnet from outside works the same
ASKER
These are all TCP ports as per Citrix docs.
ASKER CERTIFIED SOLUTION
ASKER
Yes, and then I deleted the firewall translation rules in the manager just to make sure there aren't any "conflicts". Also, when I had them in before for all the ports, "type" was client since I'm not using a gateway. The other option was gateway or both.
ASKER
Web works fine! I don't get it
So are you saying that when they use the web client they work fine but when they use a different client (like PN) it doesn't?
ASKER
Yes, when they use the full client and not the web plugin we get the error.
Ah, that's because the Full Client also needs access to the XML service. If you plan on using a full client externally - you also should open your XML port through the firewall (and make sure it works via telnet to that server/port).
ASKER
Thanks for staying on top of this...
Port 85 is xml and it is open. I do get a response from port 85. Citrix WEB PN
I've never attempted to direct connect from the internet into a private NAT'd LAN IP - I'm not sure if the traffic will be routed correctly back to the client; in theory the altaddr feature on the server should handle that, but it's hard to say. Short of contacting Citrix the only other thing I can think of is to either turn off session reliability if it's on and see if that helps.
ASKER
OK, I'm going to try the session reliability function. Also, browser is set for UDP... all my ports are TCP and I assume browser is used for finding applications on the Citrix server. Also, I have set this up before and you are correct, alt address did address the problem before. Will keep you posted. Thanks
Sounds good, just let me know if that helps.
ASKER
After upgrading to MR4 and installing the latest patch for the management console, the issue was resolved.