stamperb
asked on
Web Interface "There is no Citrix Metaframe server configured on the subnet"
Internally things work fine. Externally they get the error above. I know exactly whats wrong here but can't find the answer anywhere!!
My citrix servers are on my LAN behind my firewall.
My web interface server is on my lan behind my firewall as well.
The client is getting the launch.ica which contains a https:// connection to the local ip address rather than the external ip address of my fireall that i have port forwarded through.
I don't have CSG, I don't have Access gateway. Does anyone know how i get the web interface to hand off the ica connection with the right properties? I've looked all over the management and all over the web but haven't had any luck?
Thanks,
My citrix servers are on my LAN behind my firewall.
My web interface server is on my lan behind my firewall as well.
The client is getting the launch.ica which contains a https:// connection to the local ip address rather than the external ip address of my fireall that i have port forwarded through.
I don't have CSG, I don't have Access gateway. Does anyone know how i get the web interface to hand off the ica connection with the right properties? I've looked all over the management and all over the web but haven't had any luck?
Thanks,
ASKER
OK I feel i'm on the right track here. So i've set up the following DMZ Settings:
Default - Alternate
172.16.0.0/20 - Direct
172.16.0.0/20 is my LAN.
Now from ouside i get an error right away when i try to connect at the bottom of the login screen that says:
ERROR An error has occured while connecting to the requested resource.
Do i have to setup any address translations?
Here is some more detail:
Internet -> Firewall -> Internal Router -> Web interface (172.16.0.10)
|
|-> Citrix Servers 10.11.34.2, 10.11.34.3, 10.11.34.4
I have port 443 forwarded thru to 172.16.0.10 on the lan for my Web Interface.
Default - Alternate
172.16.0.0/20 - Direct
172.16.0.0/20 is my LAN.
Now from ouside i get an error right away when i try to connect at the bottom of the login screen that says:
ERROR An error has occured while connecting to the requested resource.
Do i have to setup any address translations?
Here is some more detail:
Internet -> Firewall -> Internal Router -> Web interface (172.16.0.10)
|
|-> Citrix Servers 10.11.34.2, 10.11.34.3, 10.11.34.4
I have port 443 forwarded thru to 172.16.0.10 on the lan for my Web Interface.
first of all what is the "/20".. I'm not familiar with that >> 172.16.0.0/20
secondly here's the steps you will need to take in order to have access externally:
1. set up an alternate address using the "altaddr" command on EACH of your PS 4.0 servers
2. set up the NAT in the firewall to point the external addresses (set up in step 1) to the internal IP Addresses of EACH of your citrix servers
3. open ports 1494, 80 (or whatever your xml port is), and 2598 (if using session reliability) on the firewall for EACH of the IP addresses
since you are not using Secure Gateway you need these ports open. It won't just pass through the web interface on 443. if you want to skip all that you can install SG.
secondly here's the steps you will need to take in order to have access externally:
1. set up an alternate address using the "altaddr" command on EACH of your PS 4.0 servers
2. set up the NAT in the firewall to point the external addresses (set up in step 1) to the internal IP Addresses of EACH of your citrix servers
3. open ports 1494, 80 (or whatever your xml port is), and 2598 (if using session reliability) on the firewall for EACH of the IP addresses
since you are not using Secure Gateway you need these ports open. It won't just pass through the web interface on 443. if you want to skip all that you can install SG.
ASKER
OK understandable. Next question then. Isn't doing what you said above pretty unsecure? I mean nothing is encrypted? Correct?
Thanks,
Thanks,
and sorry one more thing yes you have to set up address translations using the admin console:
Manage secure client access > Edit Address Translations
these are the same IP translations as step 1 & 2 above
Manage secure client access > Edit Address Translations
these are the same IP translations as step 1 & 2 above
>> Isn't doing what you said above pretty unsecure?
Although you can turn on encryption from the ICA Client / Citrix Farm yes I think it is. I would strongly suggest installing Secure Gateway (by the way what version of citrix are you running?). The first time you set up Secure Gateway it is a real pain and can be confusing but once you do it ( I suggest in a test environment first) it becomes pretty easy. That will give you the most security - everything will go over port 443 and you won't need to open all the ports on the firewall.
Although you can turn on encryption from the ICA Client / Citrix Farm yes I think it is. I would strongly suggest installing Secure Gateway (by the way what version of citrix are you running?). The first time you set up Secure Gateway it is a real pain and can be confusing but once you do it ( I suggest in a test environment first) it becomes pretty easy. That will give you the most security - everything will go over port 443 and you won't need to open all the ports on the firewall.
ASKER
Very good thats what i'm after anyway!!! I'm on a brand new farm w/ Presentation server 4.0.
Here is a what would you do for ya!!
I have 3 citrix servers. I have my Web Interface Server. How would you reccomend setting this up? See i'm short a server for a CSG box. I really don't wanna go back up asking for another 3K or something for this server i forgot about cause i didn't plan my deployment well enough? Could it be done w/ just the 3? Do i need the web Interface server if I use CSG (I'm assuming yes?).
THanks,
Brian
Here is a what would you do for ya!!
I have 3 citrix servers. I have my Web Interface Server. How would you reccomend setting this up? See i'm short a server for a CSG box. I really don't wanna go back up asking for another 3K or something for this server i forgot about cause i didn't plan my deployment well enough? Could it be done w/ just the 3? Do i need the web Interface server if I use CSG (I'm assuming yes?).
THanks,
Brian
ASKER
Can csg and web interface possibly run on the same box? Just another thought. I'm trying to figure a way to make it work in the already purchased environment i have :-)
yes it can be on the same box
Here is the Admin guide: http://support.citrix.com/article/CTX106300
You'll probably want to go with a single-hop dmz method as that is the easiest to configure and requires less hardware. Once you have downloaded the SG 3.0 install files from mycitrix.com let me know and I can help you through the install.
You'll probably want to go with a single-hop dmz method as that is the easiest to configure and requires less hardware. Once you have downloaded the SG 3.0 install files from mycitrix.com let me know and I can help you through the install.
ASKER
OK so a few questions:
I have my ssl cert on the current box for the web interface.
I installed the csg portion of things. Changed the SSL Port that IIS uses to 444 since CSG config was complaining about it being in use. Then came to the STA part. According to the directions of the setup i point this at my Presentation server 4.0? Now its looking for that /Scripts/CtxSTA.dll. Well IIS isn't even installed on my citrix box so i'm thinking somethings not right there.
That CtxSTA.dll exists in C:\program files\citrix\system32 on my presentation server but i'm still not thinkin thats right?
So is there something i need to do to install the STA on my presentation server?
I have my ssl cert on the current box for the web interface.
I installed the csg portion of things. Changed the SSL Port that IIS uses to 444 since CSG config was complaining about it being in use. Then came to the STA part. According to the directions of the setup i point this at my Presentation server 4.0? Now its looking for that /Scripts/CtxSTA.dll. Well IIS isn't even installed on my citrix box so i'm thinking somethings not right there.
That CtxSTA.dll exists in C:\program files\citrix\system32 on my presentation server but i'm still not thinkin thats right?
So is there something i need to do to install the STA on my presentation server?
short answer: NO
STA is automatically installed now when you install PS 4.0. And it won't use IIS so you don't need to configure that either. The main thing you need to worry about is the name & port of the STA servers. If your XML port is 80 then you don't need to worry about it but if not make sure to change it.
In the Web interface admin page you have to specify the STA servers as well. Again if the XML port is 80 just specify the FQDN name of your servers. Otherwise specify it like this:
server.myloc.hq:8080 (for example if your XML port is 8080).
STA is automatically installed now when you install PS 4.0. And it won't use IIS so you don't need to configure that either. The main thing you need to worry about is the name & port of the STA servers. If your XML port is 80 then you don't need to worry about it but if not make sure to change it.
In the Web interface admin page you have to specify the STA servers as well. Again if the XML port is 80 just specify the FQDN name of your servers. Otherwise specify it like this:
server.myloc.hq:8080 (for example if your XML port is 8080).
I read that back and it sounded a little confusing so hopefully this will clear it up if you were confused.
When configuring Secure Gateway it will ask for you STA servers. Specify the FQDN name of all your PS 4.0 servers and also specify your XML port if it is something other than 80.
After that you will also need to specify the STA servers in the Web Interface Admin console. To do that click Manage Secure Client access > Edit Secure Gateway Settings. On this screen type in the FQDN name of your server and also specify the XML port if it's something other than 80. So it will look like this:
http://server.myloc.hq:8080/scripts/ctxsta.dll
or just:
http://server.myloc.hq/scripts/ctxsta.dll if your XML port is 80 (the default)
When configuring Secure Gateway it will ask for you STA servers. Specify the FQDN name of all your PS 4.0 servers and also specify your XML port if it is something other than 80.
After that you will also need to specify the STA servers in the Web Interface Admin console. To do that click Manage Secure Client access > Edit Secure Gateway Settings. On this screen type in the FQDN name of your server and also specify the XML port if it's something other than 80. So it will look like this:
http://server.myloc.hq:8080/scripts/ctxsta.dll
or just:
http://server.myloc.hq/scripts/ctxsta.dll if your XML port is 80 (the default)
ASKER
OK my problem is when doing the STA for the CSG stuff.
When I put in the FQDN of the PS 4.0 Server I get the error:
The secure ticket authority can not be contacted.
To ignore the warning and enter the ID click continue.
If i click continue the ID field opens up but I don't know what to put there?
When I put in the FQDN of the PS 4.0 Server I get the error:
The secure ticket authority can not be contacted.
To ignore the warning and enter the ID click continue.
If i click continue the ID field opens up but I don't know what to put there?
yea it should put the ID in automatically.
Are the servers on the same LAN?
Can you ping that FQDN from the Secure Gateway server?
are you checking the box that says "Secure traffic between..."? If so uncheck this and just specify your normal XML port.
Are the servers on the same LAN?
Can you ping that FQDN from the Secure Gateway server?
are you checking the box that says "Secure traffic between..."? If so uncheck this and just specify your normal XML port.
ASKER
They are on diff. subnets but yes on the same lan. I can ping FQDN. However i have 3 servers and the 3rd one put the id in and went fine. Now i am getting errors in my event log about not being able to communicate w/ the config service on my first server. I'm going to give them a reboot and see if that helps.
ASKER
OK now back to step 1. When i go to connect i get to the page, get logged in, click to lauch my connection to the published desktop and get the error there is no citrix metaframe server configured on the specified address?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I thought of that but every time I try to change it it says it lost contact to the server. So i think maybe i have a problem w/ something on one of the PS 4.0 servers? It wouldn't even let me remove the site to re-add it.
does your site have a local configuration or centralized?
To see this click Local Site Tasks > Manage configuration source
or maybe it's just because you were rebooting your citrix servers and they haven't come back online yet.
To see this click Local Site Tasks > Manage configuration source
or maybe it's just because you were rebooting your citrix servers and they haven't come back online yet.
ASKER
Its centralized. I'm gonna do some work on it now. See what i can come up with
ASKER
So i've got things going now. I'm not sure what caused all that but something w/ the setup stuff. Had to run configure for just each server individually and remove the config. Anyway back to being good now.
So in the address translation stuff. I need to set translation for the Secure gateway but what IP do I use for the LAN? The PS 4.0 addresses? or the Web Interface address? And then for the external do i put the external IP for my internet connection?
Thanks,
So in the address translation stuff. I need to set translation for the Secure gateway but what IP do I use for the LAN? The PS 4.0 addresses? or the Web Interface address? And then for the external do i put the external IP for my internet connection?
Thanks,
ASKER
Also what port external and what port internal for the translation?
well actually you probably don't need that now. Is your WI / SG server on the same subnet as the rest of your farm?
If so you can change the default access method to Secure Gateway Direct. Then you can get rid of all your address translations because it will just be using the internal addresses.
If so you can change the default access method to Secure Gateway Direct. Then you can get rid of all your address translations because it will just be using the internal addresses.
ASKER
THANKS SO MUCH!! I'VE GOT THIS ALL GOING!!
for your site click Manage secure client access > Edit DMZ Settings
Your default connection is probably set as "Direct"
The best way to set this up is to set the default to "Alternate" and then add additional rules for your internal LAN such as:
Client IP Address: 192.168.1.0 (or whatever your internal subnet is)
Mask: 255.255.255.0
Access Method: Direct
This way anyone coming from the outside will use the alternate addressing you have set up. However, if they go to the web interface using the internal address, it will just use the normal Direct access.