Solved

Second Citrix Connection

Posted on 2009-04-20
Last Modified: 2012-05-06
Ok I have been asked to come up with this solution. I am a novice in Citrix, let me start off with that.

Right now we are using presentation server 4.0 I believe.

Everything is up and working fine. Our users connect via a secure web page from home. (https)

Our main way to connect is through our main ISP. Our back up or roll over connection is Comcast.

What I need is to provide the Citrix server with an alternate address so when our main ISP is down and we fail over to our Comcast, users can still get to the server.

Is this a simple setting within Presentation server? Our contractor that does most of our Cisco work says that all his stuff is set and this is an internal configuration we need to make.

Thanks
0
Question by:zemp1212
 
LVL 37

Expert Comment

by:Carl Webster
ID: 24183929
If your backup Comcast connection has a static IP, simply add an additional external DNS name.

i.e. Your main site connects as https://citrix.yourdomain.com

The backup connection will be https://citrix2.yourdomain.com

Use a wildcard SSL cert so your web interface or, preferably, your Citrix Secure Gateway will not care whether they connect via citrix or citrix2 (or whatever you use).
0
 
LVL 3

Author Comment

by:zemp1212
ID: 24184129
Do I add this connection in Citrix and then update/change my cert?
0
 
LVL 37

Expert Comment

by:Carl Webster
ID: 24184156
Are you using the free Citrix Secure Gateway or just Web Interface?  Is there anything sitting in front of your Web Interface?
0
 
LVL 3

Author Comment

by:zemp1212
ID: 24184188
Web interface. I have fiber coming into an ASA box and the Comcast is also coming in from the ASA box.
I just need, when a user logs in from outside when the fiber is down, for the connection to still work over Comcast.
In my mind this should just work now. But the way I was sent to do this, seems like there is something that needs to be added somewhere.
Either in the Citrix server SSL relay, or a DNS A record, or something. My head is just totally missing something here.
0
 
LVL 37

Expert Comment

by:Carl Webster
ID: 24184268
Explain your setup a little more.  How many PS4 servers do you have?  Are you using ALTADDR translation?
0
 
LVL 3

Author Comment

by:zemp1212
ID: 24184465
OK, I just went and got a little more information.
 
It looks like we do have a backup record      Backup.Mydomain.com
 
and that record is being routed properly to inside (to our Citrix server) per the Cisco guy.
 
Our issue is a setting on the presentation server that needs to be set to accept these connections from this address. Is this simply adding that address to the SSL relay in Citrix?
1 PS4 server
This is the information from him, so it still could be a cert issue as well. I need to grab my netbook at lunch to test. I can't get to the backup from inside the domain.
0
 
LVL 37

Expert Comment

by:Carl Webster
ID: 24184528
Go to your PS4 server, go to a cmd prompt and type in altaddr and let me know what it returns.
0
 
LVL 3

Author Comment

by:zemp1212
ID: 24184580
Local Address                             Alternat Address
----------------------------------------------------------------
Default                                            6*.***.***.***
0
 
LVL 37

Accepted Solution

by:
Carl Webster earned 1000 total points
ID: 24184629
When you need to failover to your Comcast connection, you will need to delete that entry and add one for the Comcast IP address.  I would go ahead and create a batch file you can run when that time comes.
0
 
LVL 3

Author Comment

by:zemp1212
ID: 24184659
Can you give me a little more information?
 
I think I understand that you are telling me to create a batch that will redirect the default IP to what we have set up for Comcast.
What is wanted is that a user uses
inside.mydomain.com
If down they can use
backinside.mydomain.com
Are you saying not to have that and just run the bat when a problem occurs, redirecting where Citrix is listening?
0
 
LVL 37

Expert Comment

by:Carl Webster
ID: 24184715
The ALTADDR command tells the Citrix server what Public IP to return to the Web Interface to include in the ICA file that is created for the user.

If the Public IP is 1.2.3.4 and Comcast is 10.20.30.40 and altaddr is set for 1.2.3.4 and you failover to the Comcast connection, the ICA file will still have 1.2.3.4 in it.  So the client will attempt to connect to the 1.2.3.4 IP address which of course is down so the user will fail to connect and will call you for help.

When you switch over to the Comcast connection, you will need to change the ALTADDR on the PS4 server so the ICA file will attempt to connect to 10.20.30.40.  Of course, with a standard SSL cert your users will get an SSL certificate error saying the cert doesn't match the FQDN the user is using to connect.  Your SSL cert is set for inside.mydomain.com but they are connecting with backupinside.mydomain.com.  That is why I suggested the wildcard SSL cert.  That would be set for *.mydomain.com and the user will not get an SSL cert error.
0
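A failover batch file of the kind suggested in the accepted solution, as an added example that is not part of the original thread. It uses the documented `altaddr /delete` and `altaddr /set` switches; the two addresses are the illustrative values from the comment above, and the script name and log file are hypothetical.

```bat
@echo off
rem switch-altaddr.bat (hypothetical name): point the ALTADDR default entry
rem at the public IP of whichever ISP link is currently active, so that new
rem ICA files carry an address clients can actually reach.
setlocal

rem Illustrative values from the comment above; replace with your real public IPs.
set "PRIMARY_IP=1.2.3.4"
set "BACKUP_IP=10.20.30.40"
rem Assumption: a change log kept next to this script.
set "LOGFILE=%~dp0altaddr-changes.log"

rem Accept only the two known targets so a typo cannot publish an arbitrary address.
set "TARGET="
if /i "%~1"=="primary" set "TARGET=%PRIMARY_IP%"
if /i "%~1"=="backup"  set "TARGET=%BACKUP_IP%"
if not defined TARGET (
    echo Usage: %~nx0 primary^|backup
    exit /b 2
)

echo Mapping before the change:
altaddr

rem Remove the current default alternate address, then set the new one.
altaddr /delete
altaddr /set %TARGET%

rem Verify against the listing rather than trusting the exit code.
altaddr | findstr /c:"%TARGET%" >nul
if errorlevel 1 (
    echo Verification failed: %TARGET% is not listed by altaddr.
    >>"%LOGFILE%" echo %date% %time% FAILED to set %TARGET% by %USERNAME%
    exit /b 1
)

>>"%LOGFILE%" echo %date% %time% ALTADDR default set to %TARGET% by %USERNAME%
echo ALTADDR default is now %TARGET%.
echo Users must reach Web Interface through the matching DNS name.
endlocal
```

Run it as `switch-altaddr.bat backup` when failing over and `switch-altaddr.bat primary` when the main link is restored; ICA files already handed out still contain the old address.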
 
LVL 3

Author Comment

by:zemp1212
ID: 24184758
OK, I think I follow you.
So at this point, if we do not change the cert,
I need to change (using altaddr can I add another IP?) the AltAddr during failure.
I do not need to add backinside.mydomain.com to the SSL relay within Citrix?
0
 
LVL 37

Expert Comment

by:Carl Webster
ID: 24184827
I have never used the SSL Relay, so I can't answer that question.

Check this thread http://forums.citrix.com/thread.jspa?messageID=646761

0
 
LVL 3

Author Comment

by:zemp1212
ID: 24185074
OK, reading on the Citrix site I think I am totally off by even looking at SSL relay. That looks like it's just a relay to another internal server. Nothing really to do with what external IP is sending traffic in.
 
I need to find a time when we don't have users connected to try the altaddr switch. I will let you know. Thanks
0
 
LVL 37

Expert Comment

by:Carl Webster
ID: 24185127
You are welcome.

I thought the SSL Relay was used for something like this:

Internet -> Firewall -> DMZ -> Citrix Secure Gateway -> Firewall -> SSL Relay -> Web Interface -> LAN
0
 
LVL 3

Author Comment

by:zemp1212
ID: 24185614
Before I can test (reboot needed) I have a couple of questions (mainly I know the boss will ask...)
 
If we have a second NIC could we have a separate Alt Address?
Is there a way to configure a second IP in the WIADMIN NAT settings?
Also as a side note, the setup here (I haven't been at the new company very long) seems to be missing pieces, or my inexperience with Citrix is not allowing me to get to them.
I keep seeing people say check the settings in http://SERVERNAME/Citrix/MetaFrame/WIAdmin
That does not bring up a page for me. I also do not see an htm or asp page named anything like that in IIS. Am I missing something?
 
0
 
LVL 37

Expert Comment

by:Carl Webster
ID: 24185689
Second NIC - no.  That was covered in the Citrix forum link I sent earlier.

WIAdmin is old stuff I believe and no longer exists.  Just right-click your site and you can do all your maintenance from there.

I have never dealt with multiple IP addresses on a web interface or XenApp server.  Citrix has very specific settings for what will work in the Advanced Concepts Guide.
0
 
LVL 3

Author Comment

by:zemp1212
ID: 24187167
OK. I did read that thread; I guess I misunderstood one of the responders suggesting using 2 NICs.
 
Thanks again Carl. I will let you know when I get a window to test.
 
0
 
LVL 3

Author Comment

by:zemp1212
ID: 24208059
Without other gear or products in place, the Altaddr will be my resolution to turn in. Up to them if they want to buy stuff.
 
Tested and works. Thanks a lot Carl, perfect.
0
