How is a citrix alternate address (altaddr) used?

avidmedical
How is this alt address used by the presentation server or by the client attempting to connect? Is it sometimes assigned to the web interface server versus the presentation server? Scenarios? The admin guide says it is "the alternate address returned to clients that request it and is used to access a server that is behind a firewall". What does "returned to clients" mean, and why would you use an alt addr and where? Can't the firewall just do port or address translation and translate to the web i/f server directly to its non-alt address? Thanks.
Carl Webster, Citrix Technology Professional - Fellow
Top Expert 2010
Commented:
The AltAddr should be your last resort.  Use Citrix Secure Gateway (CSG) and Web Interface (WI) instead.

Without CSG the XenApp server will return its local IP address to the client.  The client will then try to connect to the local IP address.  Of course if the client is coming from the Internet it will not be able to connect to your local network.

Local IP address = 192.168.1.1
Public IP address = 1.2.3.4

The launch.ica file will be built with a server address 192.168.1.1 which the client will not be able to connect to.

Use AltAddr to say "instead of returning 192.168.1.1, use the alternate address of 1.2.3.4".  Now when the client attempts to launch a published application, the launch.ica file will have the server's address as 1.2.3.4.  1.2.3.4 should resolve to a port on your router/firewall.  Your router/firewall should have a rule that says that all traffic coming in to 1.2.3.4 on TCP port 1494 (or 2598 if using session reliability) should be forwarded to 192.168.1.1.

Best Practice is to use either CSG or a Citrix Access Gateway (CAG) device and use TCP port 443 to secure access to the web site.  That way you only need to open up port 443 and there is no altaddr set on any XenApp server.  Your router/firewall will now take all TCP port 443 traffic coming in to 1.2.3.4 and direct it to the internal IP address of the CSG server or CAG device.  The CSG/CAG will then direct traffic to the WI, the WI talks to the XML broker and Zone Data Collector to authenticate users and direct them to the appropriate server to run the published application.

Bottom Line: Do NOT use AltAddr if at all possible.  It does not scale past a few servers.
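An added check for the failure mode described above (not code from this thread or from Citrix): it parses a constructed launch.ica, flags a server Address that is a private RFC 1918 IP an Internet client could never reach, and models the altaddr rewrite as a local-to-alternate lookup. The sample file and the app name "Notepad" are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed minimal launch.ica (not a real capture): the XenApp server has
# written its local address into the file, exactly the problem described above.
SAMPLE_ICA = """[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=192.168.1.1
InitialProgram=#Notepad
"""

ICA_PORT = 1494                   # plain ICA
SESSION_RELIABILITY_PORT = 2598   # used when session reliability is on


def parse_ica(text):
    """Return {app_name: address} for every app listed under [ApplicationServers]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep key case exactly as written in the file
    cp.read_string(text)
    apps = {}
    for app in cp["ApplicationServers"]:
        if cp.has_section(app) and "Address" in cp[app]:
            apps[app] = cp[app]["Address"]
    return apps


def address_problems(addr):
    """List reasons an Internet client could not reach this Address value."""
    host, _, port = addr.partition(":")
    port = int(port) if port else ICA_PORT
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return []                   # hostname: DNS decides, nothing to flag statically
    issues = []
    if ip.is_private:
        issues.append("private (RFC 1918) address, unreachable from the Internet")
    if port not in (ICA_PORT, SESSION_RELIABILITY_PORT):
        issues.append(f"unexpected port {port}")
    return issues


def apply_altaddr(addr, mapping):
    """Rewrite a local server address with an altaddr-style {local: alternate} map."""
    host, _, port = addr.partition(":")
    return mapping.get(host, host) + (":" + port if port else "")
```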

Author

Commented:
Thank you. Very clear answer. So what do you do that causes the launch.ica file to be built? What did you configure, or what process did you do, that causes "the XenApp server to return its ip address to the client"? I figure you configured the client to point to either a URL or IP address in the first place. So why does XenApp have to return its IP address to the client?

Here's the bottom line of what I'm trying to understand: say you have a translating firewall at the edge, you have CSG and WI (or maybe just WI) in the DMZ, and XenApp servers on the production side of the internal firewall, which firewall is probably also translating. How do you then configure the WI / web site / Configure Secure Client Access area, in terms of Edit DMZ settings, Edit Translation mapping, and/or Edit Secure Gateway? I'm trying to understand what you are adding, in general, for what situation (not asking you to give me all possible scenarios). When in DMZ Settings, you click "add", and you have a dialog box that says "Client IP address, Mask, and Access Method...Direct, Alternate, Translated, SG Direct, SG Alternate, or SG Translated". What Client IP Address? And in Edit Address Translations, you click "add", and you have "Client route translated, Gateway route translated, or Client and Gateway route translated", and then internal ip/port and external ip/port.  Why would WI care about the translation occurring at the edge or internal firewall? If you would be so kind, could you pick a scenario with an Internet client, edge firewall, DMZ with CSG / WI, internal firewall, production Citrix servers, and tell me what I'd configure where? Just a simple example? :-) Thank you very much for helping me.

Carl Webster, Citrix Technology Professional - Fellow
Top Expert 2010
Commented:
What causes launch.ica to be built?  click on a published app icon on the web interface

What did you configure, or what process did you do, that causes "the XenApp server to return its ip address to the client"?  altaddr /set 192.168.1.1 1.2.3.4

Preferable to use a URL.  IP addresses change.

So why does XenApp have to return its IP address to the client?  So the client knows which server the zone data collector says is the correct one to run the application on.

Check out this 3 part series I wrote:

http://www.dabcc.com/article.aspx?id=10101
http://www.dabcc.com/article.aspx?id=10172
http://www.dabcc.com/article.aspx?id=10264

Author

Commented:
I just answered ONE of my own questions by reading "Establishing a secure connection to a server farm" on p.25 of the Secure Gateway for Windows Admin Guide... the question about returning the IP address to the client. I'm now reading the "Managing Secure Client Access" part of the Web Interface Admin Guide (so many guides!) which talks about editing the various settings for DMZ, Translations, etc. HOWEVER, an example would still be extremely helpful. They don't include one, or tell you how it all fits together. Thank you.

Author

Commented:
Sorry... I was typing my message while you were typing yours.
THANKS!
