Citrix Metaframe NAT

I am unable to connect to a Citrix Server when using NAT.  On the Firewall I have configured a rule to permit any service. I have no problem connecting to the server using any other protocol, e.g. I can connect using RDP to the server on the NAT'd address, so I know the translation is working OK and the firewall is accepting connections.

I receive the message "could not connect to the metaframe server on the specified address".
skywalker101 Asked:

mabutterfield Commented:
I haven't used Metaframe in a few versions, so I can't be sure of where to point you, but I'll give it my best.

Back in the day, you had to configure Metaframe with the NAT IP address.  (It dynamically creates .ICA files and inserts the IP Address in there).

Also, look in your Checkpoint log to see if there is anything being dropped.  Keep in mind that "any" does not mean "any".  It means all services that are defined as being 'any' services.
skywalker101 Author Commented:
Yes, on the Checkpoint rule I removed the Any service and added ICA Browsing 1494 http and https; the connections seem to be hitting the firewall using the http service. On the Checkpoint logs there is no traffic being dropped. I am not sure if Citrix uses some custom port, as you rightly pointed out with the 'Any' service.

Will the ICA file have to be modified in any way?
mabutterfield Commented:
Open the ICA file with a text editor (like notepad) and see what the IP Address says.  If it says the internal address, try manually changing it to the external address and connecting.

My suspicion is that it's trying to connect to an internal IP, not an external, so the checkpoint isn't even seeing the ICA traffic.  Am I correct?  If so, does changing the IP on the ICA give you any traffic on 1494?

What version of Metaframe are you using?
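
The check suggested in the comment above (open the .ICA file and see whether its address is the internal one) can be scripted. This is an added example, not part of the original thread; the sample file, its section names and its addresses are constructed, and the `Address=` key with an optional `:port` suffix is assumed to be how the file names the server.

```python
import configparser
import ipaddress

# RFC 1918 ranges: addresses a client outside the NAT cannot route to.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample .ICA file (not from the thread); addresses are made up.
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Desktop=
Outlook=

[Desktop]
Address=10.1.1.20:1494
TransportDriver=TCP/IP

[Outlook]
Address=203.0.113.10
TransportDriver=TCP/IP
"""

def internal_addresses(ica_text):
    """Return {section: address} for Address= values in RFC 1918 space."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ica_text)
    flagged = {}
    for section in parser.sections():
        value = parser.get(section, "Address", fallback=None)
        if not value:
            continue
        host = value.split(":")[0].strip()  # drop the optional :port
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # host name or published-application name, not an IP
        if any(ip in net for net in RFC1918):
            flagged[section] = value
    return flagged

if __name__ == "__main__":
    for section, addr in internal_addresses(SAMPLE_ICA).items():
        print(f"[{section}] Address={addr} is internal; a client outside the NAT cannot reach it")
```

Any section it reports is one where the client would try the internal address, so the firewall never sees ICA traffic for it.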

skywalker101 Author Commented:
I have modified the settings on the Citrix client server list to use the external address, i.e. the NAT'd address.

From the client I have opened up a DOS window and I can telnet on port 1494 on the external address, and I can see the traffic being logged on the firewall as ICA 1494, and the connection successfully connects to the server.

Should I be seeing traffic on port 1494 when connecting via Citrix rather than http?  I am using Presentation Server 4.0.
mabutterfield Commented:
The type of traffic you see depends on your configuration.  You can encapsulate ICA within HTTP/HTTPS, or you can use ICA with or w/o native encryption.  Most likely, you'll see the ICA traffic on 1494, because that's the default, if I remember correctly.

You said you modified the settings on the Citrix client server list; did you do this in your client software? (check alternate address for firewall?)

Are you using program neighborhood?  Or the web client?  


skywalker101 Author Commented:
Yes, I configured the server list within Program Neighborhood. I will need to double check, but I believe I am using HTTP/HTTPS. No, I have not selected Check alternate address for firewall.

Are all these options configurable within Program Neighborhood? If so, I can make changes to see if it makes a difference.
mabutterfield Commented:
I'm a bit rusty on some of this, but check out this link.  The server needs to be configured with an alternate address, assuming that you're going through a NAT.  Then, you check the alternate address button in program neighborhood.  

http://support.citrix.com/article/CTX039746

skywalker101 Author Commented:
Hi,

The steps in the doc worked; I can now connect to the CTX Server, although there is one small problem: it will only work if the CTX Server is the only server listed within Citrix Neighbour Hood. When I add the other server into the list it fails.

Any ideas how to get around this issue?
mabutterfield Commented:
Sorry for the late response, I didn't see that you posted.

Do you have both servers set up with different alternate addresses?  Do you have both of those addresses NATed in the Firewall?  Are both addresses set up in your Program Neighborhood client?