jballiet4

Allow Citrix Xenapp 6 access outside of firewall

I have installed Citrix XenApp 6 on a standalone server behind my WatchGuard firewall. The firewall is NATing the internal IP. I also installed a server certificate on the XenApp server. I configured Web Interface and PNAgent access on 443. Everything works fine internally. I am using direct secure access for web and PNAgent.

The problem is with access from outside the firewall. I have created an ACL that allows all specified ports (443, 1494, 2598, 2512, 2513, 8080) on the firewall, with no success. The only exception is that I can authenticate on the website and PNAgent client. When I run an application, the application tries to start but then fails. I believe this has something to do with the application trying to use some random high port which the firewall does not know about.

Any help would be greatly appreciated.
ASKER CERTIFIED SOLUTION
setasoujiro
This solution is only available to members.
jballiet4

ASKER

Ok. So that solution appears to almost work. Here are the results...

Outside Web: Works
Outside Agent: Works
Inside Web: Works
Inside Agent: DOES NOT WORK

Here is the configuration for the agent. Do you have any ideas on how to troubleshoot the inside agent issue?

   
Capture.JPG
Forget about what I just said. The internal agent works.
Speed of applications is surprisingly slow. Will need to look into this.
What do you mean by slow?
What is the app, in what way is it slow?
When an application is called through PNAgent, it takes around 20-40 seconds to load completely. This is the same with the web interface. It's almost like something is having to time out.
This is probably because of the agent trying to use "session reliability" and you are not accepting this.
This is port 2598.
Just checked and the policy is not set. Could there be any other setting?
What do you mean the policy is not set?
On the .ica file or the receiving server?
My understanding is that session reliability is established through the policy editor for computers....
Capture.JPG
Yes, this is true, but you should enable this.
And I suspect the ICA client will always try to use SR, this is why the negotiating takes so long?
Just did this...

1. Locate the default.ica file on the Web server hosting Web Interface 4.5 or 4.6. Default path - \inetpub\wwwroot\Citrix\AccessPlatform\conf\default.ica
2. By default, the CGPAddress= line should not be in this file – add the line in the [Application] section if it does not exist. This disables Session Reliability.
I regressed and pulled CGPAddress= from the file
OK, and all is well now?
Yes.
Thanks for your help.
No problem ;-)
Do you happen to know how to forward all port 80 requests to 443 presumably in IIS?
rofl :) You have a lot of questions :)
Depending on what you want this for...
http://www.iis-aid.com/articles/how_to_guides/redirect_http_to_https_iis_7
But as I said, you can't just do this for everything you want.
I have no shame in asking questions. That's why I pay for this service.