Citrix client works inside my network but not outside of it

I have set up a Citrix server behind my PIX 506. From inside my network I can use the browser and get to the server 10.1.10.41 and the Citrix login will come up. I log in and the Application screen comes up fine. I click on the Application (which is just Internet Explorer) and the Citrix Metaframe popup comes up and negotiates and then the IE browser window comes up. This is all cool but... I have set up an outside address for remote users to have access to the same login and application and I am able to type in the external address 70.66.186.31 and the Citrix login screen comes up fine. After I log in the Application screen comes up and then when I click on the Application (IE browser) the Citrix Metaframe comes up and says the Metaframe server cannot be found. Can someone help me find out what I am missing?

Here is the config for the PIX
Result of firewall command: "write terminal"
 
Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd  encrypted
hostname CW-PIX
domain-name company-inc.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 4096
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.1.5.0 IDC_NET
name 68.60.64.0 Fent_Colo_NET
name 70.70.116.35 FTP_Server
name 192.168.255.0 VPN_NET
name 192.168.254.0 PIX_VPN_NET
name 192.168.253.0 IDC_VPN_NET
name 189.76.132.67 SBC_contivity_1
name 189.76.132.68 SBC_contivity_2
name 10.1.10.0 Corp_NET
name 10.1.10.31 Mail_Server_real
name 10.1.10.37 FTP_Server_real
name 189.6.15.28 NTP_Server
name 70.70.116.34 pop3
object-group service Web-Server tcp
  description Web Server Services
  port-object eq www
  port-object eq https
object-group network WWWServers
  network-object pop3 255.255.255.255
  network-object FTP_Server 255.255.255.255
  network-object 70.66.186.31 255.255.255.255
object-group service FTP-Server tcp
  description FTP Server Services
  port-object range ftp-data ftp
  port-object eq ssh
object-group network FTPServers
  network-object FTP_Server 255.255.255.255
object-group service Mail-Server tcp
  description Mail Server Services
  port-object eq smtp
  port-object eq pop3
object-group service DNS-Server tcp-udp
  description DNS Service Group TCP & UDP
  port-object eq domain
object-group network WWWServers_real
  network-object Mail_Server_real 255.255.255.255
  network-object FTP_Server_real 255.255.255.255
  network-object 10.1.10.41 255.255.255.255
object-group network FTPServers_real
  network-object FTP_Server_real 255.255.255.255
object-group network ContivityClients
  network-object 70.70.116.36 255.255.255.255
  network-object 70.70.116.37 255.255.255.255
  network-object 70.70.116.38 255.255.255.255
  network-object 70.70.116.40 255.255.255.255
  network-object 70.70.116.41 255.255.255.255
  network-object 70.70.116.42 255.255.255.255
  network-object 70.70.116.43 255.255.255.255
  network-object 70.66.186.32 255.255.255.224
object-group network ContivityServers
  network-object SBC_contivity_1 255.255.255.255
  network-object SBC_contivity_2 255.255.255.255
object-group network ContivityClients_real
  network-object 10.1.11.14 255.255.255.255
  network-object 10.1.11.15 255.255.255.255
  network-object 10.1.11.16 255.255.255.255
  network-object 10.1.11.18 255.255.255.255
  network-object 10.1.11.19 255.255.255.255
  network-object 10.1.11.17 255.255.255.255
  network-object 10.1.11.20 255.255.255.255
  network-object 10.1.11.192 255.255.255.224
object-group network Verizon Networks
  network-object 158.195.70.0 255.255.255.0
  network-object 158.195.222.0 255.255.255.0
  network-object 158.195.223.0 255.255.255.0
  network-object 158.195.253.0 255.255.255.0
  network-object 192.168.2.0 255.255.255.0
  network-object 138.183.144.165 255.255.255.255
access-list outside_access_in permit tcp any object-group WWWServers object-group Web-Server
access-list outside_access_in permit tcp any host pop3 object-group Mail-Server
access-list outside_access_in permit esp object-group ContivityServers object-group ContivityClients
access-list outside_access_in permit ah object-group ContivityServers object-group ContivityClients
access-list outside_access_in permit udp object-group ContivityServers object-group ContivityClients eq isakmp
access-list outside_access_in permit tcp any object-group FTPServers object-group FTP-Server
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host 70.66.186.31 eq citrix-ica
access-list outside_cryptomap_20 permit ip Corp_NET 255.255.254.0 PIX_VPN_NET 255.255.255.0
access-list nonat permit ip Corp_NET 255.255.254.0 PIX_VPN_NET 255.255.255.0
pager lines 24
logging on
logging timestamp
logging console informational
logging buffered errors
logging trap informational
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 70.70.116.46 255.255.255.240
ip address inside 10.1.10.3 255.255.254.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool remoteuser 192.168.254.1-192.168.254.254
pdm location IDC_NET 255.255.255.0 inside
pdm location Mail_Server_real 255.255.255.255 inside
pdm location FTP_Server_real 255.255.255.255 inside
pdm location 10.1.11.14 255.255.255.255 inside
pdm location 10.1.11.15 255.255.255.255 inside
pdm location 10.1.11.16 255.255.255.255 inside
pdm location 10.1.11.17 255.255.255.255 inside
pdm location 10.1.11.18 255.255.255.255 inside
pdm location 10.1.11.19 255.255.255.255 inside
pdm location 10.1.11.20 255.255.255.255 inside
pdm location Fent_Colo_NET 255.255.255.0 outside
pdm location SBC_contivity_1 255.255.255.255 outside
pdm location SBC_contivity_2 255.255.255.255 outside
pdm location 10.1.11.192 255.255.255.224 inside
pdm location pop3 255.255.255.255 outside
pdm location 10.1.10.41 255.255.255.255 inside
pdm group ContivityServers outside
pdm group WWWServers_real inside
pdm group ContivityClients_real inside
pdm group FTPServers_real inside
pdm group WWWServers outside reference WWWServers_real
pdm group ContivityClients outside reference ContivityClients_real
pdm group FTPServers outside reference FTPServers_real
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 Corp_NET 255.255.254.0 0 0
static (inside,outside) 70.70.116.36 10.1.11.14 netmask 255.255.255.255 0 0
static (inside,outside) 70.70.116.37 10.1.11.15 netmask 255.255.255.255 0 0
static (inside,outside) 70.70.116.38 10.1.11.16 netmask 255.255.255.255 0 0
static (inside,outside) 70.70.116.40 10.1.11.18 netmask 255.255.255.255 0 0
static (inside,outside) 70.70.116.41 10.1.11.19 netmask 255.255.255.255 0 0
static (inside,outside) FTP_Server FTP_Server_real netmask 255.255.255.255 0 0
static (inside,outside) 70.70.116.42 10.1.11.17 netmask 255.255.255.255 0 0
static (inside,outside) 70.70.116.43 10.1.11.20 netmask 255.255.255.255 0 0
static (inside,outside) 70.66.186.32 10.1.11.192 netmask 255.255.255.224 0 0
static (inside,outside) pop3 Mail_Server_real netmask 255.255.255.255 0 0
static (inside,outside) 70.66.186.31 10.1.10.41 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.70.116.33 1
route inside IDC_NET 255.255.255.0 10.1.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
ntp server NTP_Server source outside
http server enable
http Corp_NET 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set des-sha esp-des esp-sha-hmac
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
crypto dynamic-map remote 1000 set transform-set 3des-sha
crypto map dyn-map 65535 ipsec-isakmp dynamic remote
crypto map dyn-map client configuration address initiate
crypto map dyn-map client configuration address respond
crypto map dyn-map client token authentication LOCAL
crypto map dyn-map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption 3des
isakmp policy 11 hash sha
isakmp policy 11 group 1
isakmp policy 11 lifetime 86400
isakmp policy 12 authentication pre-share
isakmp policy 12 encryption 3des
isakmp policy 12 hash md5
isakmp policy 12 group 1
isakmp policy 12 lifetime 86400
isakmp policy 13 authentication pre-share
isakmp policy 13 encryption des
isakmp policy 13 hash sha
isakmp policy 13 group 1
isakmp policy 13 lifetime 86400
isakmp policy 14 authentication pre-share
isakmp policy 14 encryption des
isakmp policy 14 hash md5
isakmp policy 14 group 1
isakmp policy 14 lifetime 86400
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
isakmp policy 21 hash sha
isakmp policy 21 group 2
isakmp policy 21 lifetime 3600
isakmp policy 22 authentication pre-share
isakmp policy 22 encryption 3des
isakmp policy 22 hash md5
isakmp policy 22 group 2
isakmp policy 22 lifetime 3600
isakmp policy 23 authentication pre-share
isakmp policy 23 encryption des
isakmp policy 23 hash sha
isakmp policy 23 group 2
isakmp policy 23 lifetime 3600
isakmp policy 24 authentication pre-share
isakmp policy 24 encryption des
isakmp policy 24 hash md5
isakmp policy 24 group 2
isakmp policy 24 lifetime 3600
vpngroup Watch address-pool remoteuser
vpngroup Watch dns-server 10.1.10.30
vpngroup Watch default-domain watch.lan
vpngroup Watch split-tunnel nonat
vpngroup Watch idle-time 1800
vpngroup Watch password ********
telnet IDC_NET 255.255.255.0 inside
telnet Corp_NET 255.255.254.0 inside
telnet timeout 5
ssh Fent_Colo_NET 255.255.255.0 outside
ssh timeout 5
management-access inside
console timeout 0
patrickmillerAsked:
mgcITCommented:
Are you just using Web Interface, or also Secure Gateway?

To test to make sure this is your problem do this:
log into the Web Interface from the outside.  Right-click on the published app and choose "Save Target As..."  Save this file (launch.ica) to your desktop and then open with Notepad.  In this file you will have the IP Address of the server listed.  If this is the INTERNAL IP Address that is your problem... you need it to be an external IP Address.  If so follow these steps to correct it.

if just Web Interface you need to do this:

1. run the altaddr command on EACH of your Citrix Servers on the LAN and give them an alternate (external) IP Address.  Each server must have its own External IP Address.

2. On your firewall open ports 1494, 80 (or whatever your XML Port is), and 2598 (if using session reliability) to each of the external IP Addresses you just set in step 1.

3. On your firewall NAT the external IP's set in step 1 to the internal IP's of each citrix server

4. In the Access Suite Console (the web interface admin utility) click Manage Secure Client Access > Edit DMZ Settings.  Set the default to "Alternate".  Also create additional rules for your internal connections so those still work.

5. Again in the Access Suite Console click Manage Secure Client Access > Edit Address Translations.  Enter in the appropriate IP Addresses you set up in Step 1.
0
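The launch.ica check described in the post above, as an added example that is not part of the original thread: it parses a constructed launch.ica, flags an Address that is a private (RFC 1918) IP when the client is outside, and applies the same internal-to-external mapping the thread later configures under "Edit Address Translations" (the translation table and sample file are assumptions built from the addresses in this thread).

```python
import configparser
import ipaddress

# Constructed sample of a launch.ica as Web Interface hands it to the client.
# The Address line is the one the post tells you to inspect in Notepad.
SAMPLE_ICA = """[WFClient]
Version=2
ClientName=WI_testclient

[ApplicationServers]
Internet Explorer=

[Internet Explorer]
Address=10.1.10.41:1494
InitialProgram=#Internet Explorer
TransportDriver=TCP/IP
"""

# Assumed altaddr / "Edit Address Translations" table, taken from the thread:
# (internal address, port) -> (external address, port).
ADDRESS_TRANSLATIONS = {
    ("10.1.10.41", 1494): ("70.66.186.31", 1494),
    ("10.1.10.41", 443): ("70.66.186.31", 443),
}


def parse_ica(text):
    """launch.ica is INI-style; keep key case so 'Address' survives."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def server_address(cp):
    """Return (host, port) the client will try to reach for the first app."""
    app = next(iter(cp["ApplicationServers"]))
    raw = cp[app]["Address"]
    host, _, port = raw.partition(":")
    return host, int(port) if port else 1494  # ICA defaults to 1494


def is_private(host):
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # a hostname: the file alone cannot tell you


def check_ica(text, client_is_external=True):
    """Report the misconfiguration from the thread: an outside client being
    handed the server's internal address. Suggest the translated address."""
    cp = parse_ica(text)
    host, port = server_address(cp)
    if client_is_external and is_private(host):
        return {"ok": False, "address": (host, port),
                "suggested": ADDRESS_TRANSLATIONS.get((host, port))}
    return {"ok": True, "address": (host, port), "suggested": None}


def apply_translation(cp):
    """Do what the 'Alternate' access method does: rewrite the Address the
    client receives using the translation table. None if no rule matches."""
    app = next(iter(cp["ApplicationServers"]))
    ext = ADDRESS_TRANSLATIONS.get(server_address(cp))
    if ext is None:
        return None
    cp[app]["Address"] = f"{ext[0]}:{ext[1]}"
    return server_address(cp)


if __name__ == "__main__":
    print(check_ica(SAMPLE_ICA))  # flags 10.1.10.41 for an outside client
```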

BLipmanCommented:
For simplicity's sake you could first test with the Program Neighborhood and then move on to testing with the web interface (by following the excellent instructions above).  I like this because it removes variables from your problem.  From what you say, it certainly sounds like an alternate address is missing either from your system or from the WI config.  
0
tolsonkraCommented:
Is this entry in your PIX the only Server that has Citrix on it?

access-list outside_access_in permit tcp any host 70.66.186.31 eq citrix-ica

If not you will need to do an entry for each one.

This also shouldn't be your WI but the actual Citrix Servers.

One way to test if you have the NATing configured correctly would be to add this config line

access-list outside_access_in permit tcp any host 70.66.186.31 eq 3389

and then from the Outside try to Remote Desktop to your address 70.66.186.31
0
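A small audit of the PIX config for the point made above (every Citrix server that is statically NATed needs its own citrix-ica permit, and a temporary 3389 test rule should not be left behind), as an added example that is not from the thread: it resolves `name` aliases, pairs each `static` with the ACL permits on its external address, and reports which mappings lack port 1494. The config excerpt is a constructed subset of the one posted in the question.

```python
# Constructed excerpt modelled on the PIX 6.3 config in the question.
PIX_CONFIG = """\
name 10.1.10.37 FTP_Server_real
name 70.70.116.35 FTP_Server
access-list outside_access_in permit tcp any host 70.66.186.31 eq citrix-ica
access-list outside_access_in permit tcp any host 70.66.186.31 eq 3389
static (inside,outside) FTP_Server FTP_Server_real netmask 255.255.255.255 0 0
static (inside,outside) 70.66.186.31 10.1.10.41 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

# PIX port keywords used in the thread's config, mapped to numbers.
PORT_NAMES = {"citrix-ica": 1494, "www": 80, "https": 443, "ssh": 22,
              "ftp": 21, "smtp": 25, "pop3": 110}
ICA_PORT = 1494
EXPECTED_CITRIX_PORTS = {1494, 80, 443, 2598}  # ICA, XML, SSL, session reliability


def parse_pix(text):
    """Return (name aliases, [(ext, int)] statics, [(acl, host, port)] permits)."""
    names, statics, permits = {}, [], []
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "name":                      # name <ip> <alias>
            names[p[2]] = p[1]
        elif p[0] == "static":                  # static (in,out) EXT INT netmask ...
            statics.append((p[2], p[3]))
        elif (p[0] == "access-list" and "permit" in p and "tcp" in p
              and "host" in p and "eq" in p):
            host = p[p.index("host") + 1]
            port = p[p.index("eq") + 1]
            permits.append((p[1], host, PORT_NAMES.get(port) or int(port)))
    return names, statics, permits


def audit_pix(text):
    """For each static NAT, list the TCP ports permitted inbound to its
    external address and whether citrix-ica is among them."""
    names, statics, permits = parse_pix(text)
    resolve = lambda x: names.get(x, x)        # alias -> address, else as-is
    report = {}
    for ext, internal in statics:
        ext, internal = resolve(ext), resolve(internal)
        ports = {port for _, host, port in permits if resolve(host) == ext}
        report[ext] = {
            "internal": internal,
            "ports": ports,
            "ica_permitted": ICA_PORT in ports,
            # anything beyond the Citrix set, e.g. a 3389 test rule left open
            "unexpected_ports": ports - EXPECTED_CITRIX_PORTS,
        }
    return report


if __name__ == "__main__":
    for ext, info in audit_pix(PIX_CONFIG).items():
        print(ext, "->", info["internal"], "ICA:", info["ica_permitted"],
              "unexpected:", sorted(info["unexpected_ports"]))
```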
patrickmillerAuthor Commented:
I added the following:
access-list outside_access_in permit tcp any host 70.66.186.31 eq citrix-ica

I was able to Remote Desktop into the server :
I tried to get into the server with citrix and got the following:
Bad Gateway!
The proxy server received an invalid response from an upstream server.

If you think this is a server error, please contact the webmaster.

Error 502
webclient.customerservices.com
04/10/06 09:49:14
Citrix XTE


0
tolsonkraCommented:
Can you get to your site from the outside if you use your Public IP address?

http://IPADDRESS/citrix/

0
patrickmillerAuthor Commented:
I get the same error.
0
tolsonkraCommented:
Are you using a Proxy Server?
0
patrickmillerAuthor Commented:
No.   I do have a Verisign license setup for the server and I accepted the license install on the external pc I was using to do the test.
0
tolsonkraCommented:
here is a post on Citrix Support

Overview

When Secure Gateway acts as a reverse proxy for Web Interface, the Web server must not be configured to require client certificates.

Symptoms

If IIS is configured to require client certificates, end users fail to reach a Web Interface site for which Secure Gateway is acting as a reverse proxy.

The IIS site, if accessed directly with the assigned SSL port of IIS, successfully appears on-screen with a prompt for a client certificate. Thus, IIS is confirmed to still be functioning.

When attempting to visit the site via Secure Gateway, end users see the following error:

Bad Gateway!
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /Citrix/MetaFrame
Reason: Error reading from remote server.
If you think this is a server error, please contact the webmaster

Error 502

server.fqdn
01/05/06 12:28 PM
Citrix XTE

The Secure Gateway event log reports the following pair of events whenever the issue behavior occurs:

Event ID: 145
Source: Secure Gateway
Category: PROXY
Description:
Failed to read status line from server server.fqdn

Event ID: 150
Source: Secure Gateway
Category: PROXY
Description:
Failed to handle the proxy request.

Cause

This is an unsupported configuration. Secure Gateway does not support client certificate checking during the SSL handshake, nor does it support TCP tunneling so that the user's HTTPS stream reaches the Web server unaltered.

This condition is true for Web Interface sites present on IIS servers that are manually configured to require client certificates, and this condition is also true for Web Interface sites that are configured to use Smart Card authentication in any capacity.

Resolution

To use certificate authentication with a Web Interface server, the Web server must run parallel to Secure Gateway.

More Information

0
tolsonkraCommented:
Also take a look at this on Citrix it explains SG better

http://support.citrix.com/article/entry.jspa?entryID=6778
0
mgcITCommented:
patrickmiller:

did you see the steps I posted back on 4/6?  You never responded on whether or not you have looked at those items.
0
patrickmillerAuthor Commented:
1. run the altaddr command on EACH of your Citrix Servers on the LAN and give them an alternate (external) IP Address.  Each server must have its own External IP Address.

This has been done.  There is only one server

2. On your firewall open ports 1494, 80 (or whatever your XML Port is), and 2598 (if using session reliability) to each of the external IP Addresses you just set in step 1.

This has been done.

3. On your firewall NAT the external IP's set in step 1 to the internal IP's of each citrix server

This has been done.

4. In the Access Suite Console (the web interface admin utility) click Manage Secure Client Access > Edit DMZ Settings.  Set the default to "Alternate".  Also create additional rules for your internal connections so those still work.
I am having trouble with this because I am not sure if I ran the Discovery process properly.   When it asked for a configuration server I gave it the Internal server name.

Is this supposed to be done on the External or Internal site under the Web interface?


5. Again in the Access Suite Console click Manage Secure Client Access > Edit Address Translations.  Enter in the appropriate IP Addresses you set up in Step 1.

Waiting on the answer on 4.

0
mgcITCommented:
it's best to run the Access Suite Console directly from your Web Interface Server.  You might get RPC warnings this way when you try to discover your PS farm but that's ok... You only want to configure your Web Interface from here, not your farm.  You can always install the Access Suite Console on your actual citrix server if you want to use it to configure that.

If you are doing that, when asked about the configuration server just tell it not to look for any configuration servers (basically, the server you are currently on (the web interface server) is the server that will hold the config information).
0
patrickmillerAuthor Commented:
When I look at the Web Interface site it shows
External site - http://localservername.lan:8080/CitrixAccess
Internal site - https://webclient.myserver.com/CitrixAccess

This looks backwards.  
I am able to connect to the address http://localservername.lan:8080/CitrixAccess internally and everything works fine.

When I get outside and connect to https://webclient.myserver.com/CitrixAccess I am able to login and then when I run the application I receive the failure when it tries to connect with the Client access to the server, saying that it cannot find the server.   I look at the Application shortcut with Notepad and it shows my Internal IP address, which will not work from the outside access.   How did I get this backwards and is my assumption correct?
0
mgcITCommented:
>> 4. In the Access Suite Console (the web interface admin utility) click Manage Secure Client Access > Edit DMZ Settings.  Set the default to "Alternate".

ok this is the key here:

post back all rules you have configured here and specify which is your default

(hint): remove everything and set "Alternate" as the default - so you only have this 1 rule.

then try again from the outside using the external ip address
0
patrickmillerAuthor Commented:
Under the Web Interface I have the External Site and the Internal Site.   Which am I working with?
0
mgcITCommented:
ok this opens up a whole new can of worms then... please explain why you have more than one site.
0
patrickmillerAuthor Commented:
This is the first time I have used Access Essentials.  I just reinstalled it and I ran the Discover option and I ended up with and External Site and the Internal Site.
0
mgcITCommented:
ok then it's just finding more than one site in IIS.  Are you able to delete the sites you currently have in IIS and start over? if you haven't made any customizations and there isn't anyone using the site yet it should be fine.  

Otherwise it shouldn't matter:

you said you're able to do this: https://webclient.myserver.com/CitrixAccess from the outside

from this site in the admin console do what I said and change the default connection method to alternate and try from the outside
0
patrickmillerAuthor Commented:

I removed IIS and reinstalled IIS and then reinstalled Access Essentials.   Under the websites on IIS I found Citrix and Citrix Access under the Default Website.  I also found Citrix Access Essentials External Site with Citrix Access under that.    When I run rediscovery again I think I will find two sites under Web Interface.

At one point the Discovery option comes up with "Contact the following Web interface configuration servers" or "Do not contact any web interface configuration servers".   I chose the default and entered the Internal server name for the configuration server.

When I am in Metaframe Presentation Server Admin it shows External Site and Internal Site under Web Interface.

When I click on Edit DMZ settings (External Site) I have Client Address set to Default and Access method set to Alternate.
I have added:
  Internal 10.1.10.41 1494   External 70.66.186.31 1494
  Internal 10.1.10.41 443    External 70.66.186.31 443

When I click on Edit DMZ settings (Internal Site) I have Client Address set to Default and Access method set to Direct.
I have added:
  Internal 10.1.10.41 1494   External 70.66.186.31 1494
  Internal 10.1.10.41 443    External 70.66.186.31 443



I clicked on Manage Remote Access and Enabled Remote Access using Access Essentials only and then pointed the site to our Certificate.


When I attempt to access the Server through the browser:
The Certificate is used and then this error comes up (either inside or outside):
Bad Gateway!
The proxy server received an invalid response from an upstream server.

If you think this is a server error, please contact the webmaster.

Error 502
citrixserver
04/11/06 15:02:22
Citrix XTE

What am I doing wrong?  I thought I had to have a certificate for the Remote access to work..

I was able to get into the Citrix server via RDP from Outside and Inside via Citrix Program Neighborhood.

 
0
mgcITCommented:
ok I'm not sure why you have two sites... it may have something to do with Access Essentials but I am not sure because I have never seen that version/package.

where are you setting this? Under "Edit DMZ settings" or "Edit Address Translations"?

10.1.10.41 1494 External 70.66.186.31 1494
10.1.10.41 443 External 70.66.186.31 443

and what is 70.66.186.31?  Is that the external IP address of your Web Interface or your citrix server?  Or is this all on one server (again sorry but I have not seen how Access Essentials is configured so it may be different than the standard).

0
patrickmillerAuthor Commented:
I uninstalled the two sites from under Web Interface and removed the Citrix Essentials Web site under IIS and then reran the setup.   The install put the 2 sites back under Web Int. and I am fine with that now.   Everything was working again except I could run apps from the remote site.    After making the change you requested on the External to default to Alternate and assigning the altaddr for the external address (again, removing IIS earlier reset it to NONE) It all started working again.  

Thank you for your help.  
0
mgcITCommented:
good.. glad you got it working finally.  I'll have to read up on how Access Essentials is configured so I'll know more next time.  It sounds like it is a little bit different than the normal web interface setup.  Thanks for the points and the 'A'!
0
patrickmillerAuthor Commented:
Next I want to learn how to use the Secure Gateway for this product so I can secure it a little tighter.

0
mgcITCommented:
well I just read the admin guide and it says you can do it so when you get to that point just post another question and I'm sure we can figure it out.
0