Server in DMZ is not applying GPO
Posted on 2009-12-18
I have a small Citrix farm in my org. The farm has been placed into our DMZ. Right or wrong, this decision was made by our regional firewall admin and is not up for discussion.
Holes have been poked in the firewall to allow specific communications to servers on the corp LAN for f&p, DNS and most AD communications. Everything appears to be working fine until you log on as a user and the GPO applied does not apply.
In my troubleshooting, running rsop.msc from the Windows server in the DMZ fails and cannot read the GPO from the DC.
Running the group policy results wizard through my dsa.mmc fails and returns the message "rpc server is unavailable".
These two things tell me that the firewall is not allowing some kind of communication to pass.
My firewall admin says all ports are opened.
In further troubleshooting, I noticed that sometimes when I run rsop.msc from the server in the DMZ, it does not use our local DC but tries to read from a DC on a whole different subnet in our WAN network. The firewall appears to be dropping this communication and only allowing the local DC to communicate with the DMZ.
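
The symptoms described above (the DC locator sometimes returning a DC on another subnet, and "rpc server is unavailable") can be checked from the DMZ server with a script like the following. This is an added example, not part of the original post; the domain name and DC host names are placeholders, and the port list is the standard set of TCP services a member server needs on a DC for Group Policy processing.

```powershell
# Added example. Run on the DMZ server. All names below are placeholders.
$domain = 'corp.example'
$dcs    = @('dc-local.corp.example', 'dc-remote.corp.example')

# TCP services Group Policy processing needs to reach on a DC.
# RPC also uses dynamically assigned high ports, so a pass on 135 alone
# does not prove that RPC traffic gets through the firewall.
$ports = @(
    @{ Port = 53;  Name = 'DNS' },
    @{ Port = 88;  Name = 'Kerberos' },
    @{ Port = 135; Name = 'RPC endpoint mapper' },
    @{ Port = 389; Name = 'LDAP' },
    @{ Port = 445; Name = 'SMB (SYSVOL)' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A silent drop at the firewall shows up as a timeout here.
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch {
        return $false                  # refused, reset, or name did not resolve
    } finally {
        $client.Close()
    }
}

# Which DC the locator returns right now; repeat to see whether it changes.
nltest "/dsgetdc:$domain"

# Probe every candidate DC on every port and tabulate the result.
$results = foreach ($dc in $dcs) {
    foreach ($p in $ports) {
        New-Object PSObject -Property @{
            DC      = $dc
            Port    = $p.Port
            Service = $p.Name
            Open    = Test-TcpPort -ComputerName $dc -Port $p.Port
        }
    }
}
$results | Format-Table DC, Port, Service, Open -AutoSize
```

A DC that `nltest` returns but that shows `False` rows in the table is one the DMZ server can be directed to without being able to read policy from it.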