asked on 5/16/2011

Allow Citrix Xenapp 6 access outside of firewall

I have installed Citrix Xenapp 6 on a standalone server behind my watchguard firewall. The firewall is NATing the internal IP. I also installed a server certificate on the XenApp server. I configured web interface and PNAgent access on 443. Everything works fine internally. I am using direct secure access for web and pnagent.

The problem is with access from outside the firewall. I have created an ACL that allows all specified ports... 443,1494,2598,2512,2513,8080. on the firewall with no success. The only exception is that I can authenticate on the website and pnagent client. When I run an application, the application trys to start but then fails. I believe this has something to do with the application trying to use some random high port which the firewall does not know about.

Any help would be greatly appreciated.

Software Firewalls Virtualization Citrix

Last Comment

jballiet4

5/17/2011

ASKER CERTIFIED SOLUTION

setasoujiro

5/17/2011

THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.

View this solution by signing up for a free trial.

Members can start a 7-Day free trial and enjoy unlimited access to the platform.

See Pricing Options

Start Free Trial

jballiet4

5/17/2011

ASKER

Ok. So that solution appears to almost work. Here are the results...

Outside Web: Works
Outside Agent: Works
Inside Web: Works
Inside Agent: DOES NOT WORK

Here is the configuration for the agent. Do you have any ideas on how to troubleshoot the inside agent issue?

Capture.JPG

jballiet4

5/17/2011

ASKER

forget about what I just said. The internal agent works.

jballiet4

5/17/2011

ASKER

Speed of applications are surprisingly slow. Will need to look into this.

setasoujiro

5/17/2011

what do you mean by slow?
what is the app, in what way is it slow?

jballiet4

5/17/2011

ASKER

when an application is called through PNAgent, it takes around 20-40 seconds to load completely. This is the same with the web interface. Its almost like something is having to timeout.

setasoujiro

5/17/2011

this is probably because of the agent trying to use "session reliability" and you are not accepting this
this is port 2598

jballiet4

5/17/2011

ASKER

just checked and the policy is not set. Could there be any other setting?

setasoujiro

5/17/2011

what do you mean the policy is not set?
on the .ica file or the receiving server?

jballiet4

5/17/2011

ASKER

my understanding is that session reliability is established through the policy editor for computers....
Capture.JPG

jballiet4

5/17/2011

ASKER

ok I found this...

http://support.citrix.com/article/CTX108439

setasoujiro

5/17/2011

yes this is true, but you should enable this.
and i suspect the ica client will always try to use SR this is why the negotiating takes so long?

jballiet4

5/17/2011

ASKER

Just did this...

1. Locate the default.ica file on the Web server hosting Web Interface 4.5 or 4.6. Default path - \inetpub\wwwroot\Citrix\AccessPlatform\conf\default.ica
2. By default, the CGPAddress= line should not be in this file – add the line in the [Application] section if it does not exist. This disables Session Reliablity.

jballiet4

5/17/2011

ASKER

I regressed and pulled CGPAddress= from the file

setasoujiro

5/17/2011

ok and all is well now?

jballiet4

5/17/2011

ASKER

yes

jballiet4

5/17/2011

ASKER

Thanks for your help

setasoujiro

5/17/2011

no problem ;-)

jballiet4

5/17/2011

ASKER

Do you happen to know how to forward all port 80 requests to 443 presumably in IIS?

setasoujiro

5/17/2011

rofl :) you have a lot of questions :)
depending on what you want this for...
http://www.iis-aid.com/articles/how_to_guides/redirect_http_to_https_iis_7
but as i said, you can't just do this for everything you want

jballiet4

5/17/2011

ASKER

I have no shame in asking questions. Thats why I pay for this service.