  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4758
  • Last Modified:

Access to Citrix published application by client source IP address

Is there a way to restrict a Citrix published application by the client's source IP address? In other words, I want to allow access to a published application only if client workstations reside in the 10.0.10.0/24 segment. All other clients with a different source IP address would be denied.

Any suggestions are appreciated.
0
mpopal
Asked:
mpopal
4 Solutions
 
Carl WebsterCommented:
Create a custom load evaluator for IP range and load balance the application with the custom evaluator.
0
 
Craig RoberdsCommented:
You didn't state which version you are on, but if you go to the Citrix policies and set them up you can apply them to IP addresses and servers (when you make a policy, right click it and go to 'Apply Policy To...').

It may take a little work to kind of do what you want, as you can't specifically do it by published app that I know of, but you can apply policies to servers and IP addresses, so you may be able to only allow certain users to certain apps by IP address.  Basically to get this to work you will probably have to have multiple servers and then only have the app(s) you want for certain IP addresses published on specific servers.

You could also do something similar with the load balancing, only allowing certain IP addresses to log into certain servers based on their IP address.

Unfortunately that is about the only way I can think of doing it by IP, most of citrix is designed so the apps show up by the user rather than originating PC or IP address.
0
 
Craig RoberdsCommented:
Carl is correct, you can do it by the app after you create the load evaluator.  After you create the load evaluator by the IP range you then go to the app in your mgmt console and Load Manage it.
0
 
mpopalAuthor Commented:
Thanks for the comments. The farm is running several XenApp 5 servers and two Web Interface 5.2 servers that are load balanced by a pair of HA NetScalers.

I'm familiar with load balancing, but I've never seen an option where I can configure based on a client's source IP address. I'll have to take a closer look at that and see if it's possible. Thanks.
0
 
Carl WebsterCommented:
That is done using a custom load evaluator.  Load evaluators are what XenApp uses to help compute the load calculation for each server or application.  You would publish your application, create a custom load evaluator using Source IP and then assign your new custom load evaluator to your application.
0
 
mpopalAuthor Commented:
CarlWebster, thanks for the additional details. I will try the suggestions as soon as I'm onsite. I'm excited to know that there may be an option. I've been working with Citrix for over 10 years and I can't believe that I didn't look at the load evaluators enough to know that there may be an option. Knowing that there is a source IP option, that makes me feel better. Thanks and will post my findings as soon as I get onsite.
0
 
mpopalAuthor Commented:
I created a custom load evaluator and used the "IP Range" option. I specified the start and end IP addresses and I selected the "Allow Access" option. I then configured a published application to use this custom load evaluator. When I did that, no one can access the published application. Even the clients in the IP range that are allowed access. The following error is received when you click on the published application with the custom load evaluator: An error occurred while making the requested connection.

If I remove the custom load evaluator from the published app then everyone can access the published app. As soon as I apply the custom load evaluator, the same thing happens. Am I missing another step?

Attached is a screenshot of the load evaluator.
loadeval.bmp
0
 
Carl WebsterCommented:
That is a huge IP Range: 10.15.23.1 to 101.15.23.254.  Did you mean 10.15.23.1 to 10.15.23.254?
0
 
Carl WebsterCommented:
Take a look at http://support.citrix.com/article/CTX106069

Look at this note from http://support.citrix.com/article/CTX105449

IP Range

This rule allows the load evaluator to enable or disable access to a published application based upon whether or not the IP addresses of the ICA Clients are within the specified IP address ranges.

>>Use this rule in conjunction with another rule. This rule will not load balance connections by itself.<<
0
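A small model of the evaluation described in the two notes above, added here as an example and not Citrix's code: an IP Range rule (allow or deny) combined with a Server Load rule, returning the load value a client would be assigned. The 9999 value is the "full" load that qfarm /app reports later in the thread; the rule structure and the sample addresses are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

FULL_LOAD = 9999  # load reported for an app/server that accepts no more sessions


@dataclass
class IpRangeRule:
    """IP Range rule: a start/end pair plus an Allow Access or Deny Access mode."""
    start: str
    end: str
    allow: bool  # True = "Allow Access" for the range, False = deny the range

    def matches(self, client_ip: str) -> bool:
        # Compare addresses numerically, the way a range check should behave.
        ip = int(ipaddress.ip_address(client_ip))
        lo = int(ipaddress.ip_address(self.start))
        hi = int(ipaddress.ip_address(self.end))
        return lo <= ip <= hi


def evaluate_load(client_ip: str, ip_rule: IpRangeRule, server_load: int) -> int:
    """Model of a custom load evaluator holding an IP Range rule and a Server Load rule.

    The IP Range rule only decides whether the client is permitted at all
    (it does not load balance by itself); when permitted, the server load
    value from the companion rule is what the farm uses.
    """
    in_range = ip_rule.matches(client_ip)
    permitted = in_range if ip_rule.allow else not in_range
    return server_load if permitted else FULL_LOAD


if __name__ == "__main__":
    # Constructed sample: the intended range from the thread, 10.15.23.1-254.
    rule = IpRangeRule("10.15.23.1", "10.15.23.254", allow=True)
    print(evaluate_load("10.15.23.50", rule, 100))   # in range -> server load
    print(evaluate_load("192.168.1.5", rule, 100))   # outside -> 9999
    # The mistyped end address (101.x) silently admits a huge block of addresses.
    typo = IpRangeRule("10.15.23.1", "101.15.23.254", allow=True)
    print(evaluate_load("50.1.2.3", typo, 100))      # still "allowed"
```

Checking the numeric start/end against a few addresses that should and should not pass is a cheap way to catch a mistyped range before it is assigned to an application.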
 
mpopalAuthor Commented:
The range was a typo and you're right, the correct range is 10.15.23.1 to 10.15.23.254. I noticed the typo right after I uploaded the screenshot.

I came across those two articles as well, but they didn't address my problem. All clients are on an internal network and there is no NAT or proxy involved. I rebooted both Web Interface servers for grins and giggles, but to no avail. I also added an additional rule since documentation indicated that the IP range rule cannot be used alone. I added the server load rule and IP range rule to the custom load evaluator but still no luck.

I'll continue researching, but I may be forced to call Citrix on this.

Thanks for the suggestions.
0
 
GDITFERCCommented:
When your users log on, can you read their client IP address via the AMC?  If not, chances are Citrix can't read it either.  Have you tried configuring a SmartAccess Policy inside your NetScaler?  This may be going a little too in-depth, but if your Load Balancer won't work... You can use SmartAccess to do the same type of thing.
0
 
mpopalAuthor Commented:
Yes I can read the client IP address via AMC. I'm not an expert on the NetScaler - I've only configured the load balance and global load balance options for the Web Interface.

I don't think configuring anything on the NetScaler will deny or allow access to published apps, because the clients communicate directly to the XenApp servers. Of course they access the published apps on the Web Interface server, but then the client establishes a connection directly to the XenApp servers hosting the published app.
0
 
mpopalAuthor Commented:
It looks like the IP Range option in the load evaluator should definitely work, but I have no clue why it's denying all clients. I was going to call Citrix, but I found out that the client I'm working with does not have Citrix support. I'll try to post something on the Citrix forum and if I get an answer I'll post it here.
0
 
GDITFERCCommented:
How long did you wait after you applied the custom load evaluator?  Did you have your users log off and then back into the Web Interface?  If you apply it to a specific server instead of a published application does it work?
0
 
mpopalAuthor Commented:
It's been well over a week and it still does not work, and yes, users have logged off and tried again. I actually haven't added a custom load evaluator to a specific server - even if it worked I'd hate to have to dedicate a server just for one app.

I've posted the same question on the Citrix.com support forums and I've actually gotten more help and ideas on EE than I have with Citrix. But unfortunately no fix yet.
0
 
Carl WebsterCommented:
This is one of the frustrating things about computers.   Things that should work, don't, and there is no explanation why.
0
 
GDITFERCCommented:
If you publish notepad... make the custom load evaluator with just the IP Range and Server Load.. Apply it to notepad and then wait 5 minutes and view the load on that application.. what do you see?
0
 
mpopalAuthor Commented:
Running qfarm /app shows that notepad has a load of 9999 and the server load is 100. Even though I'm on the IP range that is allowed it is still denying me. There is no NAT - this is all internal - and Access Gateway is not used, so it's not like I'm showing up as a different IP.
0
 
Carl WebsterCommented:
http://www.ctrl-alt-del.com.au/CAD_TSUtils.htm

GETTSCIP
QRYCLIENTIP
QRYTSCIP

These should allow you to find out what IP address the server sees.
0
 
mpopalAuthor Commented:
Nice tools. Didn't know about them.

But when accessing a published application from a subject workstation, the AMC shows the correct IP address of the client, and the client IP address range is in the IP Range of the load evaluator rule. But for whatever reason when connecting from a client within that IP range the connection is refused. The eventlog shows that it was due to high load.

Luckily this isn't a pressing issue at the moment, but I need to get this working when this app goes live in a month. When it goes live I need to make sure that only clients within a certain IP range can access this published app.
0
 
GDITFERCCommented:
Just a quick question... If you reverse the rule, and instead of saying Allow those ranges, say Deny that same range... does the same thing happen?
0
 
mpopalAuthor Commented:
Yes I've tried that as well and the same exact thing happens. It seems that as long as the IP Range policy is used everyone is denied - it doesn't matter if it's set to allow or deny.
0
 
Carl WebsterCommented:
I just tested this and am finding something weird.  I am using CSG 3.1.3 and WI 5.2 and XA5 FP2 for 2003 x86.
I created a Load Evaluator for users=100 and client IP range of 216.135.x.0 thru 216.135.x.255.
When I connect to a published app, CSG is reporting the correct external IP address but the Delivery Services Console is showing the client having an internal IP address.  I only have the one client connected and it is an external client.  Where the internal IP address that the DSC is reporting is coming from I have no idea.

Because DSC is reporting the client having an internal IP address, the load evaluator fails.

Is this the same behaviour you are seeing?  If you add the client address column to the Sessions display for the server in DSC, is the client reporting the correct IP?
0
 
Carl WebsterCommented:
This has to be the most confusing Load Evaluator option.

I set it so that only Client IP range 192.168.1.1 to 192.168.1.254 could access Notepad.  I connected a client with a 10.x.x.x IP address and it was allowed to run Notepad.

If I change the rule to be any IP address not on the LAN, no one is allowed to run the app.  I even went in and entered the IP range to be the specific 10.x.x.x IP address of my VPN client and it could not run the app even though DSC showed the client had the exact IP address specified in the evaluator rule allowed to run the app.

Just plain weird.
0
 
mpopalAuthor Commented:
I agree that this IP Range policy isn't working like it's supposed to. I'm not using CSG or Access Gateway - only web interface - and client IP addresses do show up correctly.
0
 
AcceleraSolutionsCommented:
I found this recently.. Does this apply: http://support.citrix.com/article/CTX115686
0
 
mpopalAuthor Commented:
Accelera, thanks for the link. It looks very interesting. I won't be onsite until next Tuesday, so I'll have to take a look at it then and will post my findings. Thanks.
0
 
AcceleraSolutionsCommented:
Great, keep me posted.
0
 
AcceleraSolutionsCommented:
mpopal any luck with this yet?
0
 
mpopalAuthor Commented:
Accelera, sorry...forgot to reply with my findings. Unfortunately none of the keys mentioned had the disable entry and permissioning was already set as described in the article. I've been tied up with other tasks and the load evaluator is nothing pressing at the moment. Once I'm ready to publish the app that will require the IP range I'm going to get the customer to purchase a tech support case with Citrix and will post results. At this point it's probably a couple of months out.
0
 
mpopalAuthor Commented:
The question has not been resolved. I was planning on contacting Citrix support and then posting the findings of the support call. I have not gotten the chance yet to call Citrix support. Hopefully within a month I will.
0
 
BLipmanCommented:
I think the Citrix Access Gateway appliance can enforce things like access by client IP but it is not a cheap solution...especially when the load balancing rule should perform the same functionality.  
0
 
BLipmanCommented:
I just tested this and it worked fine for me.  I created a new Load Evaluator, defined my local subnet as allowed, applied it to a test published app, launched the app from my PC (success), launched from a server in my data center (different subnet) and it failed.  I changed the evaluator to include the other subnet and it was permitted.  
0
 
mpopalAuthor Commented:
BLipman, users are not going through a CAG, they are connecting to the Web Interface server. So unfortunately I don't have the option to use the CAG. Thanks.

0
 
BLipmanCommented:
I don't have a CAG, I tested it on my LAN using the Web Interface.  Worked just fine.
0
 
mpopalAuthor Commented:
As mentioned earlier in the thread, when I create the load evaluator on the web interface it blocks everyone, including the list of IP addresses in the allow list.

I understand this should work the way yours is, but I have no clue why my configuration isn't working.

I called Citrix support, and the support personnel I worked with wasn't even familiar with the IP Range load evaluator. After researching the IP Range option, the Citrix support rep didn't understand either why it's not working and suggested that there must be something network related that was causing the problem.

As of now, it's still not working and I can't allow a range of IP addresses and block the others.
0
 
BLipmanCommented:
Right, I just wanted to clarify that I got it working w/o a CAG so you know it is a valid configuration.  I am running XA 5 (mixed farm with some 4.5 members), WI, and CSG.  Perhaps the Secure Gateway is somehow making it work but I don't think that is it.  

Just to make sure we are testing this in as simple a manner as possible, would you try the following:
make a test LB Evaluator, put the IP filter in as you did but narrow the range down to fit just a couple of PCs from your LAN, set it "allowed", test it from a PC in that narrow range.  Then, try from a PC outside of the range.  I want to take all routing out of the scenario so if you can do this to machines on the same subnet it would be the most simple test.  When you have routing and possibly NAT in the mix it adds to the complexity.  

It is unfortunate you aren't getting anywhere with CTX support, might point to an issue with your farm.  Can you build a test farm (just point it to your existing license server)?  You can put the WI, XenApp, and everything on a single box and test the config just to make sure you are doing it right.  
0
 
mpopalAuthor Commented:
Yeah I'm not sure if CSG is making it work on your end or not..of course I'm not running CSG. I've already tried limiting the number of IP addresses in the filter list to see if it will help, but no luck. I've even tried only one IP address and no luck.

Access to the CTX environment is all internal and there are no NATs taking place. Routing is in place, but when I look at the web interface/IIS logs I see the IP address of a client who is allowed, but still is being blocked even though the IP address in the log file is allowed.

I haven't been impressed with Citrix support - the first thing they always look at is to see if they can point the blame on something outside of Citrix. Once you convince them that nothing outside of Citrix is the problem, then they suggest a reinstall. I can't go through the pain of a reinstall since the requirement to prohibit certain IP addresses isn't a do-or-die scenario.

As mentioned the problem isn't resolved, but I just may award the points to close the thread.
0
 
mpopalAuthor Commented:
My problem is still not resolved - not sure why the load evaluator for IP range is not working for me. As mentioned, Citrix support claims issues outside of Citrix. I showed Citrix support that nothing outside of Citrix is the issue, and they suggested a reinstall.

I am not going to go through a reinstall.

Thanks to Carlwebster for letting me know about the IP range option in the load evaluator. Even though it didn't work, I wasn't aware of that option.

Thanks to BLipman for testing the suggestion. Unfortunately it doesn't work on mine.

Thanks to others as well for their suggestions and help.

Anyway, just wanted to close this thread since I keep getting emails from EE...
0
 
Harinderpal SinghCommented:
I have two servers A and B, with the same IP range. Applications are launching fine from one server but giving this error from another. Can anyone help me here with where the issue is?

.Expert.JPG
0
 
Carl WebsterCommented:
You need to start your own question.
0
