Second Citrix Connection

Ok I have been asked to come up with this solution. I am a novice in Citrix, let me start off with that.

Right now we are using Presentation Server 4.0, I believe.

Everything is up and working fine. Our users connect via a secure web page from home. (https)

Our main way to connect is through our main ISP. Our back up or roll over connection is Comcast.

What I need is to provide the Citrix server with an alternate address so when our main ISP is down and we fail over to our Comcast, users can still get to the server.

Is this a simple setting within Presentation Server? Our contractor that does most of our Cisco work says that all his stuff is set and this is an internal configuration we need to make.

Thanks
zemp1212Asked:
 
Carl WebsterCommented:
When you need to failover to your Comcast connection, you will need to delete that entry and add one for the Comcast IP address.  I would go ahead and create a batch file you can run when that time comes.
0
 
Carl WebsterCommented:
If your backup Comcast connection has a static IP, simply add an additional external DNS name.

i.e. Your main site connects as https://citrix.yourdomain.com

The backup connection will be https://citrix2.yourdomain.com

Use a wildcard SSL cert so your web interface or, preferably, your Citrix Secure Gateway will not care whether they connect via citrix or citrix2 (or whatever you use).
0
 
zemp1212Author Commented:
Do I add this connection in Citrix and then update/change my cert?
0
 
Carl WebsterCommented:
Are you using the free Citrix Secure Gateway or just Web Interface?  Is there anything sitting in front of your Web Interface?
0
 
zemp1212Author Commented:
Web Interface. I have fiber coming into an ASA box and the Comcast is also coming in from the ASA box.
I just need, when a user logs in from outside when the fiber is down, for the connection to still work over Comcast.
In my mind this should just work now. But the way I was sent to do this, it seems like there is something that needs to be added somewhere.
Either in the Citrix server SSL relay, or a DNS A record, or something. My head is just totally missing something here.
0
 
Carl WebsterCommented:
Explain your setup a little more.  How many PS4 servers do you have?  Are you using ALTADDR translation?
0
 
zemp1212Author Commented:
OK, I just went and got a little more information.
 
It looks like we do have a backup record      Backup.Mydomain.com
 
and that record is being routed properly to inside (to our Citrix server) per the Cisco guy.
 
Our issue is a setting on the Presentation Server that needs to be set to accept connections from this address. Is this simply adding that address to the SSL relay in Citrix?
1 PS4 server
This is the information from him, so it still could be a cert issue as well. I need to grab my netbook at lunch to test. I can't get to the backup from inside the domain.
0
 
Carl WebsterCommented:
Go to your PS4 server, go to a cmd prompt and type in altaddr and let me know what it returns.
0
 
zemp1212Author Commented:
Local Address                             Alternat Address
----------------------------------------------------------------
Default                                            6*.***.***.***
0
 
zemp1212Author Commented:
Can you give me a little more information?
 
I think I understand that you are telling me to create a batch file that will redirect the default IP to what we have set up for Comcast.
What is wanted is that a user uses
inside.mydomain.com
If down they can use
backinside.mydomain.com
Are you saying not to have that and just run the bat when a problem occurs, redirecting where Citrix is listening?
0
 
Carl WebsterCommented:
The ALTADDR command tells the Citrix server what Public IP to return to the Web Interface to include in the ICA file that is created for the user.

If the Public IP is 1.2.3.4 and Comcast is 10.20.30.40 and altaddr is set for 1.2.3.4 and you failover to the Comcast connection, the ICA file will still have 1.2.3.4 in it.  So the client will attempt to connect to the 1.2.3.4 IP address which of course is down so the user will fail to connect and will call you for help.

When you switch over to the Comcast connection, you will need to change the ALTADDR on the PS4 server so the ICA file will attempt to connect to 10.20.30.40.  Of course, with a standard SSL cert your users will get an SSL certificate error saying the cert doesn't match the FQDN the user is using to connect.  Your SSL cert is set for inside.mydomain.com but they are connecting with backupinside.mydomain.com.  That is why I suggested the wildcard SSL cert.  That would be set for *.mydomain.com and the user will not get an SSL cert error.
0
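The stale-address problem described in the comment above can be checked from a downloaded ICA file. This is an added example, not part of the original thread or any participant's post; the sample ICA text is constructed (using the illustrative addresses from the comment), and the application names and function names are hypothetical.

```python
import configparser

# Constructed sample: an ICA file as handed out while ALTADDR still
# points at the primary public IP (1.2.3.4 in the thread's illustration).
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Desktop=
Outlook=

[Desktop]
Address=1.2.3.4:1494
InitialProgram=#Desktop
TransportDriver=TCP/IP

[Outlook]
Address=1.2.3.4
InitialProgram=#Outlook
TransportDriver=TCP/IP
"""


def ica_addresses(ica_text):
    """Return {application: host} for each entry in [ApplicationServers]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(ica_text)
    if not cp.has_section("ApplicationServers"):
        return {}
    result = {}
    for app in cp["ApplicationServers"]:
        addr = cp.get(app, "Address", fallback="")
        # Address may carry an optional :port suffix; compare the host only
        result[app] = addr.rsplit(":", 1)[0] if ":" in addr else addr
    return result


def stale_entries(ica_text, active_ip):
    """Applications whose ICA Address is not the currently active public IP."""
    return sorted(app for app, host in ica_addresses(ica_text).items()
                  if host != active_ip)


if __name__ == "__main__":
    # After failing over to the backup link (10.20.30.40 in the thread's
    # illustration), both applications still point at the dead address.
    print(stale_entries(SAMPLE_ICA, "10.20.30.40"))
```

Running the same check with the primary address returns an empty list, which is the result to expect again once ALTADDR has been changed to the backup IP and a fresh ICA file is downloaded.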
 
zemp1212Author Commented:
OK, I think I follow you.
So at this point, if we do not change the cert,
I need to change (using altaddr can I add another IP?) the AltAddr during failure.
I do not need to add backinside.mydomain.com to the SSL relay within Citrix?
0
 
Carl WebsterCommented:
I have never used the SSL Relay, so I can't answer that question.

Check this thread http://forums.citrix.com/thread.jspa?messageID=646761

0
 
zemp1212Author Commented:
OK, reading on the Citrix site I think I am totally off by even looking at SSL relay. That looks like it's just a relay to another internal server. Nothing really to do with what external IP is sending traffic in.
 
I need to find a time when we don't have users connected to try the altaddr switch. I will let you know. Thanks
0
 
Carl WebsterCommented:
You are welcome.

I thought the SSL Relay was used for something like this:

Internet -> Firewall -> DMZ -> Citrix Secure Gateway -> Firewall -> SSL Relay -> Web Interface -> LAN
0
 
zemp1212Author Commented:
Before I can test (reboot needed) I have a couple of questions (mainly I know the boss will ask)...
 
If we have a second NIC could we have a separate Alt Address?
Is there a way to configure a second IP in the WIADMIN NAT settings?
Also as a side note, the setup here (I haven't been at the new company very long) seems to be missing pieces, or my inexperience with Citrix is not allowing me to get to them.
I keep seeing people say check the settings in http://SERVERNAME/Citrix/MetaFrame/WIAdmin
That does not bring up a page for me. I also do not see an htm or asp page named anything like that in IIS. Am I missing something?
 
0
 
Carl WebsterCommented:
Second NIC - no.  That was covered in the Citrix forum link I sent earlier.

WIAdmin is old stuff I believe and no longer exists.  Just right-click your site and you can do all your maintenance from there.

I have never dealt with multiple IP addresses on a web interface or XenApp server.  Citrix has very specific settings for what will work in the Advanced Concepts Guide.
0
 
zemp1212Author Commented:
OK. I did read that thread; I guess I misunderstood one of the responders suggesting using 2 NICs.
 
Thanks again Carl. I will let you know when I get a window to test.
 
0
 
zemp1212Author Commented:
Without other gear or products in place the Altaddr will be my resolution to turn in. Up to them if they want to buy stuff.
 
Tested and works. Thanks a lot Carl, perfect.
0
Question has a verified solution.
