Allow Citrix Xenapp 6 access outside of firewall

jballiet4
I have installed Citrix Xenapp 6 on a standalone server behind my WatchGuard firewall. The firewall is NATing the internal IP. I also installed a server certificate on the XenApp server. I configured Web Interface and PNAgent access on 443. Everything works fine internally. I am using direct secure access for web and PNAgent.

The problem is with access from outside the firewall. I have created an ACL on the firewall that allows all the specified ports (443, 1494, 2598, 2512, 2513, 8080) with no success. The only exception is that I can authenticate on the website and the PNAgent client. When I run an application, the application tries to start but then fails. I believe this has something to do with the application trying to use some random high port which the firewall does not know about.

Any help would be greatly appreciated.
i think the problem is that you are not using an alternate address.
on the xenapp webserver --> web interface management --> xenapp sites (left pane) --> secure access tab --> edit secure settings, enter alternate as the default way to connect, then direct as secondary (enter the ip addresses for your internal lans).

then on the xenapp application servers do --> cmd --> altaddr <yourwanip> /set
this way the ica file will contain your wanIP to connect to.
if you use direct connection, it will only work internally or when the xenapp has a public ip.

if this doesn't resolve the issue then please check your firewall logs

Author

Commented:
Ok. So that solution appears to almost work. Here are the results...

Outside Web: Works
Outside Agent: Works
Inside Web: Works
Inside Agent: DOES NOT WORK

Here is the configuration for the agent. Do you have any ideas on how to troubleshoot the inside agent issue?

   
Capture.JPG

Author

Commented:
forget about what I just said. The internal agent works.

Author

Commented:
Speed of applications is surprisingly slow. Will need to look into this.
what do you mean by slow?
what is the app, in what way is it slow?

Author

Commented:
when an application is called through PNAgent, it takes around 20-40 seconds to load completely. This is the same with the Web Interface. It's almost like something is having to time out.
this is probably because of the agent trying to use "session reliability" and you are not accepting this.
this is port 2598.

Author

Commented:
just checked and the policy is not set. Could there be any other setting?
what do you mean the policy is not set?
on the .ica file or the receiving server?

Author

Commented:
my understanding is that session reliability is established through the policy editor for computers....
[attached screenshot: Capture.JPG]
yes this is true, but you should enable this.
and i suspect the ica client will always try to use SR; this is why the negotiating takes so long?

Author

Commented:
Just did this...

1. Locate the default.ica file on the Web server hosting Web Interface 4.5 or 4.6. Default path: \inetpub\wwwroot\Citrix\AccessPlatform\conf\default.ica
2. By default, the CGPAddress= line should not be in this file. Add the line in the [Application] section if it does not exist. This disables Session Reliability.
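The two things this thread turned on (the address the ICA launch file hands to the client, and whether the CGPAddress= line makes the client try session reliability on port 2598) can be checked offline before touching the firewall. The script below is an added example, not code from the thread or from Citrix: it parses an ICA file as the INI-style text it is and reports launches that would fail or stall given the ports the firewall allows. The sample ICA text is constructed; the Address= key is assumed from real ICA files, while CGPAddress= is the key named in the thread.

```python
"""Sanity-check a Citrix ICA launch file against the firewall's allowed ports.

Findings correspond to the two failure modes discussed in the thread:
  - the file carries a private (direct) address, which external clients
    cannot reach; the alternate address (altaddr /set) is needed instead;
  - CGPAddress= is present, so the client will try session reliability on
    TCP 2598 and, if that port is blocked, stall until the attempt times out.
"""
import configparser
import ipaddress

ICA_PORT = 1494                  # plain ICA
SESSION_RELIABILITY_PORT = 2598  # CGP, used when CGPAddress= is present

# Constructed sample: a launch file where the Web Interface handed out the
# server's internal address and session reliability is on. The key names
# other than CGPAddress= are assumed for illustration.
SAMPLE_ICA = """\
[ApplicationServers]
Notepad=

[Notepad]
Address=192.168.10.5:1494
InitialProgram=#Notepad
CGPAddress=*:2598

[WFClient]
Version=2
"""


def parse_ica(text):
    """ICA files are INI-style; keep key case as written."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def split_host_port(value, default_port):
    """Split 'host:port' (or bare host) into (host, port)."""
    host, sep, port = value.rpartition(":")
    if not sep:
        return value.strip(), default_port
    try:
        return host.strip(), int(port)
    except ValueError:
        return value.strip(), default_port


def is_private_host(host):
    """True for RFC1918-style addresses; hostnames cannot be judged offline."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def check_ica(text, open_ports, client_is_external):
    """Return a list of human-readable findings (empty list means launch should work)."""
    cp = parse_ica(text)
    findings = []
    for section in cp.sections():
        if not cp.has_option(section, "Address"):
            continue  # only application sections carry a server address
        host, port = split_host_port(cp.get(section, "Address"), ICA_PORT)
        if client_is_external and is_private_host(host):
            findings.append(
                f"{section}: Address={host} is a private IP; external clients "
                f"need the alternate (public) address: altaddr /set on the "
                f"XenApp server and 'alternate' access in Web Interface")
        if port not in open_ports:
            findings.append(f"{section}: ICA port {port} is not allowed through the firewall")
        if cp.has_option(section, "CGPAddress"):
            _, cgp_port = split_host_port(cp.get(section, "CGPAddress"), SESSION_RELIABILITY_PORT)
            if cgp_port not in open_ports:
                findings.append(
                    f"{section}: CGPAddress= present (session reliability) but port "
                    f"{cgp_port} is blocked; the client stalls until it times out. "
                    f"Open {cgp_port} or remove CGPAddress= from default.ica")
    return findings


if __name__ == "__main__":
    # Firewall ACL from the original question, minus 2598, for an outside client.
    for line in check_ica(SAMPLE_ICA, {443, 1494, 2512, 2513, 8080}, client_is_external=True):
        print(line)
```

Run it against a launch file saved from the Web Interface (with your own ACL's port set) to see which of the two problems applies before changing the firewall or default.ica.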

Author

Commented:
I regressed and pulled CGPAddress= from the file
ok and all is well now?

Author

Commented:
yes

Author

Commented:
Thanks for your help
no problem ;-)

Author

Commented:
Do you happen to know how to forward all port 80 requests to 443 presumably in IIS?
rofl :) you have a lot of questions :)
depending on what you want this for...
http://www.iis-aid.com/articles/how_to_guides/redirect_http_to_https_iis_7
but as i said, you can't just do this for everything you want.

Author

Commented:
I have no shame in asking questions. That's why I pay for this service.
