External access to Citrix Server through ISA 2004

Last Modified: 2012-05-05
After rebuilding our ISA Server 2004 I am unable to access our Citrix server. No changes have been made to the Citrix server and all firewall rules have been created to match what was on ISA 2004 before I moved it from W2k to W2k3. I can reach the Citrix server from our internal LAN using the server NetBIOS name and domain. However, from outside our LAN (my home network) using Internet Explorer I cannot reach the Citrix server.

This is the error I received
"page cannot be displayed" - problem with page u r trying to reach

Current Setup:
Citrix Metaframe 4.0 runs on Windows 2000 TS server
TS licensing server is windows 2003 running on dc
FW is ISA2004 on Windows 2003
Ports opened are 8080, 80, 443, 1494 in and out
XML service is pointed to port 8080
Site can be accessed internally from servername.domain.com/citrix/metaframe and all programs load fine

Commented:
The SSL Tunneling is key; you need to leave Secure Gateway's SSL untouched for it to be happy.  That and the translation rule that allows the proper ports through.  Here is some testing:
--Direct ICA: telnet from the outside of your network to the URL (try the IP if that fails) on port 1494; you should get the ICA sounder "ICA ICA ICA".  If you don't then you know 1494-tcp is not coming through.  On the other hand, you don't need this port if you are using the SG.
--Direct Web

Commented:
I posted prematurely above...continuing...

--Direct Web Interface: If your WI and SG are configured to allow this you should be able to contact the WI on port 80; do you get to the sign on page?
--Secure Gateway: assuming you are using this and not just putting SSL on the WI page (it's free, why wouldn't you use it?).  Try to get to the page on port 443 (https://).  

Please let us know what is and is not working and we can proceed.  
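
The three checks described above (ICA banner on 1494, Web Interface on 80, Secure Gateway on 443), scripted as an added example that is not part of the original comment. The function names and the wording of the notes are assumptions made for illustration; run it from outside the network against your own server.

```python
import socket
import sys

def classify_banner(data):
    """Label what arrived on 1494 right after connect; ICA hosts repeat "ICA"."""
    if b"ICA" in data:
        return "ica"
    return "other" if data else "silent"

def read_banner(sock, timeout=3.0, limit=64):
    """Read the first bytes the peer sends without sending anything ourselves."""
    sock.settimeout(timeout)
    try:
        return sock.recv(limit)
    except socket.timeout:
        return b""

def probe(host, port, timeout=3.0):
    """Return 'blocked', 'open', or (for 1494) the banner classification."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if port == 1494:
                return classify_banner(read_banner(s, timeout))
            return "open"
    except OSError:                 # refused, filtered, or name did not resolve
        return "blocked"

def diagnose(results):
    """Map {port: outcome} to the conclusions drawn in the comment above."""
    notes = []
    if results.get(1494) != "ica":
        notes.append("1494/tcp is not coming through (not needed with Secure Gateway)")
    if results.get(80) != "open":
        notes.append("Web Interface not reachable on 80")
    if results.get(443) != "open":
        notes.append("Secure Gateway not reachable on 443")
    return notes

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_citrix.py <public name or IP of your own server>")
    results = {p: probe(sys.argv[1], p) for p in (1494, 80, 443)}
    for port, outcome in results.items():
        print(port, outcome)
    for note in diagnose(results):
        print("-", note)
```

An "open" result on 80 or 443 only shows that the firewall passes the port; whether the sign-on page actually loads still has to be checked in a browser.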

Author

Commented:
Citrix server was set up before I started with this company and I am not very familiar with the way it works. I can telnet from an external address to URL on port 1494 and receive ICA. How can I check to see if Secure Gateway is being used? I can get to the address from internally using the servername.domain.com/citrix/metaframe.

Commented:
The fact that you have 1494 open would lead me to believe you are not using secure gw but you can check in the Access Suite Console, in the DMZ Settings, let us know what entries are in there.  If all you have is Secure Gateway Direct then that should tell us how the system is configured.  There are tons of ways this can be configured.  
Also, check the Start Menu, look for the Secure Gateway product.  There is a program that allows you to monitor connections via SG.  

Do you get the logon screen for the Web Interface when you hit the URL in your web browser?

Author

Commented:
Here is the error I get when trying to access the page from an external ip

 The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.

--------------------------------------------------------------------------------

Please try the following:
Click the  Refresh button, or try again later.

If you typed the page address in the Address bar, make sure that it is spelled correctly.

To check your connection settings, click the Tools menu, and then click Internet Options. On the Connections tab, click Settings. The settings should match those provided by your local area network (LAN) administrator or Internet service provider (ISP).
See if your Internet connection settings are being detected. You can set Microsoft Windows to examine your network and automatically discover network connection settings (if your network administrator has enabled this setting).
Click the Tools menu, and then click Internet Options.
On the Connections tab, click LAN Settings.
Select Automatically detect settings, and then click OK.
Some sites require 128-bit connection security. Click the Help menu and then click About Internet Explorer to determine what strength security you have installed.
If you are trying to reach a secure site, make sure your Security settings can support it. Click the Tools menu, and then click Internet Options. On the Advanced tab, scroll to the Security section and check settings for SSL 2.0, SSL 3.0, TLS 1.0, PCT 1.0.
Click the  Back button to try another link.


Cannot find server or DNS Error
Internet Explorer  

Author

Commented:
DMZ settings: I have the following.

Default -- Alternate
192.168.1.0 255.255.255.0 Direct

Author

Commented:
Secure Gateway settings shows

FQDN = servername.wealthmgmt.com
Secure Gateway Port = 443
Bypass Duration = 3600

Commented:
Oh, and one minor thing, make sure your IIS site has its SSL set to 444; 443 needs to be owned by SG.  

Author

Commented:
How do I check/change the SSL for IIS site?

I have changed the default setting to Secure Gateway Direct. Should the Secure Gateway FQDN be the servername.domain.com or the sitename.domain.com?

Commented:
It should match the name on your SSL Cert and also the URL from which users access it.  You can check the SSL port by going into IIS, looking at each web site there (bound to the IP that SG uses) and look in the properties.  

Author

Commented:
Clients only access via the website typically externally. I am the only one that accesses internally and that is generally via the WI.

Author

Commented:
I see the port 443 for SSL under properties for the default site but not for any other site. Citrix is under the default site tree. However I can not see any way to change this setting to a different port number.

Author

Commented:
I checked the previous settings that were documented for our Citrix server and we never used the SG in the past; the settings were just as stated above, Default Alternate followed by Direct for internal. Is it possible that the site needs to be rebuilt, and if so how do I do that?

Commented:
Not rebuilt, just tweaked a bit; I am at TechEd and cannot go into depth at the moment.  I can say that you will want to check your IIS and document what sites you have and what IPs they use.  Then, plan to change the one that is on the same IP as SG to use 444.  You may need to run SG setup again but that is pretty simple and can be done a few times until all is right.  You will need to play around in Access Management Console a bit too since your DMZ settings are set to make external users come in via the Program Neighborhood and not the SG.  

Author

Commented:
Ok I have gotten the web interface up. We do not use secure gateway just the alternative address running through port 1494. I can logon to the server just fine but when I try to launch any application I get the following error.

Cannot connect to the Citrix Presentation Server. There is no Citrix Presentation Server Configured on the specified address.

I have right-clicked and saved the launch.ica and then opened it with Notepad. Below is the text from that.

[Encoding]
InputEncoding=ISO8859_1

[WFClient]
ClientName=WEALT-<USERNAME>-ppzjl
ProxyFavorIEConnectionSetting=Yes
ProxyTimeout=30000
ProxyUseFQDN=Off
RemoveICAFile=yes
TransparentKeyPassthrough=Local
TransportReconnectEnabled=On
Version=2
VirtualCOMPortEmulation=Off

[ApplicationServers]
Microsoft Outlook=

[Microsoft Outlook]
Address=<internal ip address of server>:1494
AutologonAllowed=ON
ClearPassword=2D3542DEBDC472
ClientAudio=Off
DesiredColor=2
Domain=\C803ED2AB5547470
InitialProgram=#Microsoft Outlook
Launcher=WI
LongCommandLine=
ProxyTimeout=30000
SSLEnable=Off
ScreenPercent=85
SessionsharingKey=2-basic-none-<domain.com>-<username>-<farm>
TWIMode=On
TransportDriver=TCP/IP
Username=petersoj
WinStationDriver=ICA 3.0

[Compress]
DriverNameWin16=pdcompw.dll
DriverNameWin32=pdcompn.dll

[EncRC5-0]
DriverNameWin16=pdc0w.dll
DriverNameWin32=pdc0n.dll

[EncRC5-128]
DriverNameWin16=pdc128w.dll
DriverNameWin32=pdc128n.dll

[EncRC5-40]
DriverNameWin16=pdc40w.dll
DriverNameWin32=pdc40n.dll

[EncRC5-56]
DriverNameWin16=pdc56w.dll
DriverNameWin32=pdc56n.dll

Any help on what the issue could be that would prevent the application from launching.
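
A small check of the fields in a launch.ica that matter for external access and for sharing the file, added here as an example; it is not part of the original post or of any Citrix tooling. The sample file is constructed (the address 192.168.1.10 and the ClearPassword value are made up), and `lint_ica` and its finding labels are hypothetical names.

```python
import configparser
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample shaped like the launch.ica above; the address and the
# ClearPassword value are made up (the post redacted the real address).
SAMPLE_ICA = """\
[ApplicationServers]
Microsoft Outlook=

[Microsoft Outlook]
Address=192.168.1.10:1494
ClearPassword=00000000000000
InitialProgram=#Microsoft Outlook
SSLEnable=Off
"""

def lint_ica(text):
    """Return (application, finding) pairs for every app listed in an ICA file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                      # keep ICA key names as written
    cp.read_string(text)
    findings = []
    if not cp.has_section("ApplicationServers"):
        return findings
    for app in cp["ApplicationServers"]:
        if not cp.has_section(app):
            continue
        sec = cp[app]
        address = sec.get("Address", "")
        host = address.rpartition(":")[0] or address   # strip ":port" if present
        try:
            ip = ipaddress.ip_address(host)
            if any(ip in net for net in RFC1918):
                # Not routable from the Internet: outside clients need a
                # translated or alternate address in this field instead.
                findings.append((app, "private-address"))
        except ValueError:
            pass                              # hostname or empty: cannot judge offline
        if sec.get("SSLEnable", "Off").lower() != "on":
            findings.append((app, "no-ssl"))  # plain ICA, not relayed over SSL
        if "ClearPassword" in sec or "Password" in sec:
            findings.append((app, "credential-field"))  # redact before sharing
    return findings

if __name__ == "__main__":
    for app, finding in lint_ica(SAMPLE_ICA):
        print(f"{app}: {finding}")
```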

Author

Commented:
Ok I now have the problem solved. The issue was with the way I had published the Citrix server within ISA 2004. Please be advised that NO ONE stated that Citrix could not be published as a web server which would be the logical choice for me not being that familiar with Citrix but that it must be published as a regular server that hands out services. Once I found this out by searching for over 2 wks on the internet and changed the way the server was published. For more information search Google for the following document which greatly explains publishing Citrix with different proxy firewalls
Citrix Technical Support - Brief Troubleshooting Guide.PDF
Thank you to all that helped.
I am unable to access Citrix from outside of the company. How do I publish it in ISA? Could you give me steps to solve the problem?
