skywalker101


Citrix Metaframe NAT

I am unable to connect to a Citrix server when using NAT. On the firewall I have configured a rule to permit any service. I have no problem connecting to the server using any other protocol, e.g. I can connect using RDP to the server on the Nat'd address, so I know the translation is working OK and the firewall is accepting connections.

I receive the message "could not connect to the Metaframe server on the specified address".
mabutterfield

I haven't used Metaframe in a few versions, so I can't be sure of where to point you, but I'll give it my best.

Back in the day, you had to configure Metaframe with the NAT IP address.  (It dynamically creates .ICA files and inserts the IP Address in there).

Also, look in your Checkpoint log to see if there is anything being dropped.  Keep in mind that "any" does not mean "any".  It means all services that are defined as being 'any' services.
skywalker101

ASKER

Yea, on the Checkpoint rule I removed the Any service and added ICA Browsing 1494 http and https. The connections seem to be hitting the firewall using the http service. On the Checkpoint logs there is no traffic being dropped. I am not sure if Citrix uses some custom port and as you rightly pointed out with the 'Any' service.

Will the ICA file have to be modified in any way?

Open the ICA file with a text editor (like notepad) and see what the IP Address says.  If it says the internal address, try manually changing it to the external address and connecting.

My suspicion is that it's trying to connect to an internal IP, not an external, so the checkpoint isn't even seeing the ICA traffic.  Am I correct?  If so, does changing the IP on the ICA give you any traffic on 1494?

What version of Metaframe are you using?
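
A quick check for the situation described above, as an added example that is not part of the original thread: it reads a .ica file and flags any `Address` entry that is an RFC 1918 address, which a client on the outside of the NAT cannot reach. The sample file is constructed, and the section and key names are assumed from the common INI layout of .ica files.

```python
import configparser
import ipaddress

# Constructed sample .ica content (not taken from the thread).
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Desktop=

[Desktop]
Address=192.168.10.20:1494
TransportDriver=TCP/IP
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ica_addresses(text):
    """Return [(section, host, port)] for every Address= entry."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    found = []
    for section in cp.sections():
        value = cp.get(section, "address", fallback="").strip()
        if not value:
            continue
        host, _, port = value.partition(":")
        # 1494 is the default ICA port mentioned in the thread.
        found.append((section, host, int(port) if port.isdigit() else 1494))
    return found

def unreachable_through_nat(text):
    """Entries whose host is an internal (RFC 1918) IP literal."""
    flagged = []
    for section, host, port in ica_addresses(text):
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # a hostname: check what it resolves to separately
        if any(ip in net for net in RFC1918):
            flagged.append((section, host, port))
    return flagged

if __name__ == "__main__":
    for section, host, port in unreachable_through_nat(SAMPLE_ICA):
        print(f"[{section}] points at internal address {host}:{port}")
```

An empty result means the file already carries an address the firewall will see; a flagged entry is the case where no ICA traffic ever appears in the firewall log.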

I have modified the settings on the Citrix client server list to use the external address i.e. Nat'd address

From the client I have opened up a DOS window and I can telnet on port 1494 on the external address, and I can see the traffic being logged on the firewall as ICA 1494 and the connection successfully connects to the server.

Should I be seeing traffic on port 1494 when connecting via Citrix rather than http? I am using Presentation Server 4.0.

The type of traffic you see depends on your configuration. You can encapsulate ICA within HTTP/HTTPS, or you can use ICA with or w/o native encryption. Most likely, you'll see the ICA traffic on 1494, because that's the default, if I remember correctly.

You said you modified the settings on the Citrix client server list; did you do this in your client software? (Check alternate address for firewall?)

Are you using Program Neighborhood? Or the web client?


Yes, I configured the server list within Program Neighborhood. I will need to double check, but I believe I am using HTTP/HTTPS. No, I have not selected "Check alternate address for firewall".

Are all these options configurable within Program Neighborhood? If so, I can make changes to see if it makes a difference.

I'm a bit rusty on some of this, but check out this link. The server needs to be configured with an alternate address, assuming that you're going through a NAT. Then, you check the alternate address button in Program Neighborhood.

http://support.citrix.com/article/CTX039746

Hi,

The steps in the doc worked; I can now connect to the CTX Server, although there is one small problem: it will only work if the CTX Server is the only server listed within Citrix Neighbour Hood. When I add the other server into the list it fails.

Any ideas how to get around this issue?

ASKER CERTIFIED SOLUTION
mabutterfield