skywalker101
asked on
Citrix Metaframe NAT
I am unable to connect to a Citrix server when using NAT. On the firewall I have configured a rule to permit any service. I have no problem connecting to the server using any other protocol, for example I can connect using RDP to the server on the NAT'd address, so I know the translation is working OK and the firewall is accepting connections.
I receive the message "could not connect to the MetaFrame server on the specified address".
ASKER
Yea, on the Checkpoint rule I removed the Any service and added ICA Browsing 1494 http and https. The connections seem to be hitting the firewall using the http service. In the Checkpoint logs there is no traffic being dropped. I am not sure if Citrix uses some custom port and as you rightly pointed out with the 'Any' service.
Will the ICA file have to be modified in any way?
Open the ICA file with a text editor (like notepad) and see what the IP Address says. If it says the internal address, try manually changing it to the external address and connecting.
My suspicion is that it's trying to connect to an internal IP, not an external, so the checkpoint isn't even seeing the ICA traffic. Am I correct? If so, does changing the IP on the ICA give you any traffic on 1494?
What version of Metaframe are you using?
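The check suggested above, as an added example that is not part of the original thread: it reads an ICA file and flags any `Address=` entry that points at an internal IP. It assumes the ICA file is INI-style with an `Address=` key per application section; the sample file, section name and addresses are constructed.

```python
import configparser
import ipaddress

# Constructed sample; the section name and addresses are made up.
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Desktop=

[Desktop]
Address=192.168.10.20:1494
InitialProgram=#Desktop
TransportDriver=TCP/IP
"""

def ica_addresses(text):
    """Return {application: (host, port)} for every Address= entry."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(text)
    found = {}
    for section in cp.sections():
        for key, value in cp.items(section):
            if key.lower() == "address" and value:
                host, _, port = value.strip().partition(":")
                # 1494 is the default ICA port mentioned in the thread
                found[section] = (host, int(port) if port.isdigit() else 1494)
    return found

def internal_only(host):
    """True if host is an IP literal a client outside the NAT cannot route to."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostname: resolve it from the client side instead
    return ip.is_private or ip.is_loopback or ip.is_link_local

def check(text):
    """Return {application: (host, port, is_internal)}."""
    return {app: (host, port, internal_only(host))
            for app, (host, port) in ica_addresses(text).items()}

if __name__ == "__main__":
    for app, (host, port, bad) in check(SAMPLE_ICA).items():
        note = "internal address, unreachable through NAT" if bad else "ok"
        print(f"{app}: {host}:{port} -> {note}")
```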
ASKER
I have modified the settings on the Citrix client server list to use the external address, i.e. the NAT'd address.
From the client I have opened up a DOS window and I can telnet on port 1494 to the external address, and I can see the traffic being logged on the firewall as ICA 1494, and the connection successfully connects to the server.
Should I be seeing traffic on port 1494 when connecting via Citrix rather than http? I am using Presentation Server 4.0.
The type of traffic you see depends on your configuration. You can encapsulate ICA within HTTP/HTTPS, or you can use ICA with or w/o native encryption. Most likely, you'll see the ICA traffic on 1494, because that's the default, if I remember correctly.
You said you modified the settings on the Citrix client server list. Did you do this in your client software? (check alternate address for firewall?)
Are you using Program Neighborhood? Or the web client?
ASKER
Yes, I configured the server list within Program Neighborhood. I will need to double check, but I believe I am using HTTP/HTTPS. No, I have not selected "Check alternate address for firewall".
Are all these options configurable within Program Neighborhood? If so, I can make changes to see if it makes a difference.
I'm a bit rusty on some of this, but check out this link. The server needs to be configured with an alternate address, assuming that you're going through a NAT. Then, you check the alternate address button in program neighborhood.
http://support.citrix.com/article/CTX039746
ASKER
Hi,
The steps in the doc worked. I can now connect to the CTX server, although there is one small problem: it will only work if the CTX server is the only server listed within Citrix Neighbour Hood. When I add the other server into the list, it fails.
Any ideas how to get around this issue?
ASKER CERTIFIED SOLUTION
Back in the day, you had to configure Metaframe with the NAT IP address. (It dynamically creates .ICA files and inserts the IP Address in there).
Also, look in your Checkpoint log to see if there is anything being dropped. Keep in mind that "any" does not mean "any". It means all services that are defined as being 'any' services.