Solved

ICA Files and multiple sessions

Posted on 2006-05-08
Last Modified: 2010-05-18
Hi,

I'm running Presentation Server 4.0 on a Windows 2003 Server machine.  The farm consists of just the one server.  The server is behind a firewall and is accessed via a public IP address that is mapped to the server's private IP address using port forwarding.  Ports 80 and 1494 are forwarded.  As a result, to access the machine externally I've used the command line to set an alternate address.

I've had problems getting this to work with the Citrix website but have found that if I create a .ica file and change the address to that of the private one, it works.  Therefore, all that needs to be done is create a .ica file for an app, make the modification and copy it to somewhere on the published path, i.e.:

http://server/ica/app.ica

This works.  Now for the problem.  For some reason, every time you click a .ica, you are presented with a logon box and a new ICA session is created.  This happens whether you click the same application a second time or open two different applications.  It happens both internally and externally (using a .ica file without the IP address modified).

This would be fine if each user only needed to run a single app, but there will be cases when a person needs many, which will result in many, many ICA sessions being created, not to mention the annoyance of the constant logon prompts!

If anyone could offer assistance I'd be most appreciative!

Thanks very much for reading,
Simon
Question by:sbhodge
Assisted Solution

by:centrepc
centrepc earned 500 total points
ID: 16630023
We need to address the problems you are having with the web interface instead of trying to use a workaround that isn't feasible for the end user.

What is happening when trying to run them from the web interface?  There are probably just a couple of settings in the web interface that need to be set correctly.

Have you tried running published applications from the ICA Client?
Author Comment

by:sbhodge
ID: 16639276
Hi,

Firstly, thanks very much for answering and apologies for not getting back to you sooner.

I have tried to access applications through the web interface, which works fine when done from a machine on the local network.  When accessed from a remote machine and thus through the firewall, I am able to log in and select an application to run.  It's at that point that the problem occurs.  The "Connection in progress..." box appears but after about 30 seconds gives the error:

Cannot connect to the Citrix MetaFRame server.
There is no route to the specified subnet address

During this time I have issued the netstat command, which shows a connection to the public IP address on port 80 (i.e. accessing the website) in state Established and a second connection to the machine's private IP address (10.X.X.X, which obviously isn't reachable) on port 1494 in state Syn_sent.

That's what led me to the conclusion that the Citrix server is giving out the wrong address.  It was when searching for that problem that I came across the idea of saving the .ica file and modifying the address.

Once again, thanks for your help with this and I look forward to hearing your views and ideas.

Thanks
Simon

Expert Comment

by:centrepc
ID: 16639583
If you are sure you have the alternate address command configured correctly, you just need to make sure in the Citrix web interface admin that you are telling it to use the alt address.  It is just a check box in the server properties.  If you need more specifics I can find a link on how to configure web interface behind NAT on Citrix's web site for you.

Expert Comment

by:BLipman
ID: 16645524
Try going into the Access Suite Console, find your WI site, go to Manage Secure Client Access, and then into DMZ settings.  From here you want to set the Default connection to Alternate; add your local subnet and set it to Direct.  This way every connection is passed your alternate unless connecting locally.

It should look something like this for a 192.168.1.0 network with a 255.255.255.0 net mask:

Client IP Address    Mask               Access Method
Default                                 Alternate
192.168.1.0          255.255.255.0      Direct

You can add in multiple subnets if you need.  The other way to go is to put in your firewall's internal interface and set that to Alternate; then set Default to Direct and that will cover your internal connections.
Author Comment

by:sbhodge
ID: 16646787
Hi,

Thanks for the ideas.  I feel I'm making progress but am not quite there!  It could be, as centrepc mentioned, that perhaps I don't have the alternate address registered properly.

BLipman, as you suggest, I navigated through to the DMZ settings and changed them to reflect what you've written (the default method being Alternate and adding our subnet for Direct).  I've previously set the alternate address using the altaddr command.  If I type altaddr now, it gives:

Local Address        Alternate Address
Default              A.B.C.D

(Where A.B.C.D represents the public IP address).

I'm still getting the same problem in that trying to launch an app times out, and running netstat reveals it is still looking for the internal address.

Once again, your advice is most appreciated!  If you need me to provide any more outputs just let me know.

Simon
Author Comment

by:sbhodge
ID: 16647019
Hi,

Just one other thing that may be helpful.  I chose 'save as' on one of the applications and then looked at the .ica file it created in notepad.  It has the line:

Address=10.20.0.16:1494

Therefore, for some reason, it is definitely still trying to use the internal / direct address rather than the external / alternate address.  Damn it!

Simon

Accepted Solution

by:BLipman
BLipman earned 500 total points
ID: 16648817
Well, you can test the process by setting it to Default = Alternate and nothing else.  If this works then add a Direct entry and see if it breaks.
Author Comment

by:sbhodge
ID: 16649086
Strangely, that idea had occurred to me, but I went into robot mode and started thinking I was incapable of independent thought, so better wait until told to do something!

Taking out the subnet line so the DMZ settings are Default = Alternate does indeed allow the remote machine to connect.  I again looked at the .ica file and it now reads Address=<our public address>.

Hurrah!

The only problem is that of course now the internal machines can't connect.  I added the subnet back in on the off chance that it will magically work this time, but alas, the same problem comes back in that it now just replies with the internal address, even to the remote machines.  This is what the DMZ settings look like:

Client IP            Mask               Access Method
Default                                 Alternate
10.0.0.0             255.0.0.0          Direct

One thing has occurred to me.  Because I'm going through a firewall that is doing NAT, when the requests reach the Citrix server they will have come from the internal side of the firewall, and thus may have the firewall's IP address, which would be on the internal subnet.  Do you think this could be a problem?  Perhaps I need to put another entry in, something like

10.0.0.1      255.255.255.255     Alternate

Do you think this could be the problem or am I barking up the wrong tree?

Thanks
Simon
Author Comment

by:sbhodge
ID: 16649251
Hi,

I've done a bit more testing.  I think I was barking up the wrong tree with the NAT causing the request to appear as being from an internal address.  The reason I think this is that, with just the Default = Alternate config on, after making a connection from a remote machine I did netstat -a.  This showed a connection from the server's local IP address on port 1494 to the public IP address of the machine I connected from on port 1381.  Doing netstat on the local machine (which is just a laptop I've removed from the network and dialled an unrelated ISP using its analogue modem) showed the corresponding local / remote addresses.

Therefore, the request is arriving at the Citrix server as being from a public address (80.x.y.x), so why adding the 10.0.0.0 / 255.0.0.0 / Direct rule is causing this machine to be given the direct address rather than the alternate address is a mystery to me.  I'll do some more tests, but any further advice is most welcome!

Thanks
Simon
Author Comment

by:sbhodge
ID: 16649575
Hi,

I've done some more testing and perhaps I wasn't so far off with my earlier thought.  This is what I've discovered.

Our firewall has an internal address of 10.1.0.20.  The Citrix server is on a different subnet and has an internal address of 10.20.0.16.

Default / Alternate

This works fine for external machines but not for internal machines.

Default / Alternate
10.0.0.0 / 255.0.0.0 Direct

Fine for internal machines, but external ones also get given the private IP.

Default / Alternate
10.20.0.0 / 255.255.0.0 Direct

Fine for external machines and those on the 10.20.0.0 subnet (with the Citrix server), but machines on 10.1.0.0 (with the router) are treated as external.

Default / Alternate
10.1.0.20 / 255.255.255.255 Alternate
10.1.0.0 / 255.255.0.0 Direct

Machines on 10.1.0.0 now correctly get the direct address, but so do external ones.

Default / Alternate
10.1.0.20 / 255.255.255.255 Alternate
10.1.0.21 / 255.255.255.255 Direct

Remote machines get the external address (since the firewall's internal IP is set to Alternate) and machine 10.1.0.21 gets a direct address.

From this, I've drawn the conclusion that the problem is it's not stopping at the first entry that matches.  I.e., with:

Default / Alternate
10.1.0.20 / 255.255.255.255 Alternate
10.1.0.0 / 255.255.0.0 Direct

The remote machines still got a direct IP because they come via the firewall, which matches the second rule and thus should get an alternate IP, but then it carries on down and also matches the third rule, as this applies to the entire subnet the router is on, and so ends up being given the direct IP.

I then had a brain wave.

I reversed them so:

Default / Alternate
10.1.0.0 / 255.255.0.0 Direct
10.1.0.20 / 255.255.255.255 Alternate

As a result, machines on 10.1.0.0, such as 10.1.0.21, come along and match rule two.  They don't match rule three as this applies to the firewall explicitly.  As a result they get a direct IP and, sure enough, testing shows they do.  Remote machines come in via the firewall.  This matches rule two as well.  However, it also matches rule three, which then replaces the result of rule two and gives them the alternate address.  Sure enough, testing shows this to be true.

I then went to:

Default / Alternate
10.0.0.0 / 255.0.0.0 Direct
10.1.0.20 / 255.255.255.255 Alternate

This allows machines on the 10.20.0.0 subnet to get the direct IP too.  Presumably, although I haven't tested it yet, it will also allow machines on 10.2.0.0, 10.3.0.0 etc.

In case you are wondering, the reason for the Class A network is that we operate a WAN.  The firewall is at head office on 10.1.0.0 and each branch office has the next Class B up, i.e. 10.2.0.0.  The office the Citrix server is in is 10.20.0.0, hence the need for the port forwarding and NAT, since only the head office has a DMZ.

I'll do some more testing and check I haven't jumped to the wrong conclusion.  I'd also be most interested to get your opinions on this.

Simon
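The post above infers, from its test matrix, that the Web Interface DMZ table applies every matching entry in order and the last match wins, so a broad Direct entry must come before the narrow Alternate entry for the firewall's NAT address. The following is an added example, not Citrix code and not from the thread: it models that inferred evaluation order (and the first-match alternative the poster originally assumed) over the thread's own addresses, with 10.20.0.50 as a constructed host on the server's subnet, so the two orderings can be compared offline.

```python
import ipaddress
from typing import List, Tuple

# One DMZ-settings row: (client address, subnet mask, access method).
# The "Default" row is modelled separately as the fallback method.
Rule = Tuple[str, str, str]

def in_subnet(rule_addr: str, rule_mask: str, client_ip: str) -> bool:
    """True if client_ip falls inside rule_addr/rule_mask (dotted mask accepted)."""
    net = ipaddress.ip_network(f"{rule_addr}/{rule_mask}", strict=False)
    return ipaddress.ip_address(client_ip) in net

def access_method(rules: List[Rule], client_ip: str,
                  default: str = "Alternate", last_match_wins: bool = True) -> str:
    """Return the access method a client would be given.

    last_match_wins=True  : every matching row is applied in order, the last one
                            wins (the behaviour the poster's tests are consistent with).
    last_match_wins=False : stop at the first matching row (first-match semantics).
    Falls back to the Default row when nothing matches."""
    result = default
    for addr, mask, method in rules:
        if in_subnet(addr, mask, client_ip):
            result = method
            if not last_match_wins:
                break
    return result

# Addresses from the thread. Assumption (the poster's own hypothesis): remote
# clients reach the Web Interface through the NAT firewall, so their requests
# carry the firewall's internal address 10.1.0.20 as the client IP.
FIREWALL_INTERNAL = "10.1.0.20"
HEAD_OFFICE_PC = "10.1.0.21"
SERVER_SUBNET_PC = "10.20.0.50"   # constructed host on the Citrix server's subnet

# Ordering that failed in the thread: firewall row placed before the broad Direct row.
BROKEN_ORDER: List[Rule] = [
    (FIREWALL_INTERNAL, "255.255.255.255", "Alternate"),
    ("10.1.0.0", "255.255.0.0", "Direct"),
]

# Ordering that worked: broad Direct row first, firewall-specific Alternate row last.
WORKING_ORDER: List[Rule] = [
    ("10.0.0.0", "255.0.0.0", "Direct"),
    (FIREWALL_INTERNAL, "255.255.255.255", "Alternate"),
]

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_ORDER), ("working", WORKING_ORDER)):
        for ip in (FIREWALL_INTERNAL, HEAD_OFFICE_PC, SERVER_SUBNET_PC, "80.1.2.3"):
            print(f"{name:8} {ip:12} -> {access_method(rules, ip)}")
```

Under last-match semantics the broken ordering hands the NAT'd remote clients the Direct (private) address, exactly the symptom reported; swapping the rows fixes it while internal subnets keep Direct.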

Expert Comment

by:BLipman
ID: 16652239
Wow, I see where you are getting 'complications', but I think you pretty much hit the nail on the head.  Would you post your results?  I am interested to see if this fixes things.
Author Comment

by:sbhodge
ID: 16815031
Hi,

Apologies for not returning sooner - I confess it had slipped my mind.

I would like to say that the advice offered by both experts was integral to finding the solution and so will split the points evenly.

Thanks to both of you for your help,
Simon