citrix web interface source


Follow me here.

Behind Firewall 1, I have a Citrix Web Interface and XenApp servers. I log into the Web Interface and get presented my applications. Application-1 is published on a XenApp server behind Firewall 2.
If I click on Application-1, traffic needs to be permitted inbound on Firewall 2 to reach the XenApp server. My question is, what is the traffic going to source out of? Will it source out of the WI server behind FW1, the XenApp behind FW1, or the client's own IP?

I'm a network engineer, not a Citrix guy. This is just a question I've been wondering about.
Dirk Kotte (SE) commented:
After the client has received the ICA file (as explained by Mutawadi), the client initiates the session.
The source IP is the client IP (or the NATed public IP from its ISP).
The DIP is the IP of your server (or its external public IP before your NAT).
SPORT is dynamic and DPORT is 1494 (ICA) or 2598 (ICA with Session Reliability).

If you use a Citrix Secure Gateway (or Access Gateway) you have one connection (TCP 443) from the client to the CSG with the client IP as source, and a second connection (TCP 1494/2598) from the CSG to your XenApp servers with the CSG as source IP...
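To make the two cases above concrete, here is an added example (not part of any answer on this thread) that parses the ICA launch file the Web Interface hands to the client and reports which endpoint the client will dial, and so which firewall rule the flow needs. The two ICA files are constructed samples; the field names (Address, CGPAddress, SSLProxyHost) and the ";40;" STA address form are the ones Citrix Web Interface writes, but the IPs, host name and ticket value are made up.

```python
import configparser

# Constructed ICA launch files (not real captures).
DIRECT_ICA = """[WFClient]
Version=2
[ApplicationServers]
Application-1=
[Application-1]
Address=10.20.30.40:1494
CGPAddress=*:2598
InitialProgram=#Application-1
"""

GATEWAY_ICA = """[WFClient]
Version=2
[ApplicationServers]
Application-1=
[Application-1]
Address=;40;STA01AB;CONSTRUCTEDTICKET0001
SSLProxyHost=csg.example.com:443
SSLEnable=On
InitialProgram=#Application-1
"""

def parse_ica(text):
    """ICA files are INI-style; keep Citrix's mixed-case keys and
    do not treat ';' as a comment, since STA addresses contain it."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    app = next(iter(cp["ApplicationServers"]))   # first published app
    return cp[app]

def first_hop(text):
    """Endpoint the client opens its TCP session to, and whether the
    Address field carries an STA ticket instead of a server address."""
    s = parse_ica(text)
    address = s["Address"]
    if address.startswith(";"):   # ";40;<STA id>;<ticket>": go via the gateway
        host, _, port = s["SSLProxyHost"].partition(":")
        return {"via": "gateway", "host": host, "port": int(port or 443), "sta": True}
    host, _, port = address.partition(":")
    port = int(port or 1494)
    if "CGPAddress" in s:         # Session Reliability: CGP port (2598) is used first
        cgp_host, _, cgp_port = s["CGPAddress"].partition(":")
        host = host if cgp_host in ("", "*") else cgp_host
        port = int(cgp_port or 2598)
    return {"via": "direct", "host": host, "port": port, "sta": False}
```

In the direct case the firewall must allow the client's own IP (or its NAT address) to the XenApp server on that port; in the gateway case only the gateway needs a rule to the XenApp servers.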
1. Make sure the following ports are open between the firewalls to reach the XenApp servers.

2598 (if session reliability is enabled)

2. WI gives out the Citrix IP directly to the client devices in the form of an ICA file, so the client connects using the XenApp IP. Even if WI goes down, the existing sessions will not be affected. If HTTPS is used, it also gives out a STA ticket along with the ICA file.

If NAT is used to translate between WI and XenApp servers, then additionally you have to go to the Citrix Web Interface control, Manage Secure Access section, which gives an option to enter the translation information such as external IP and external port, internal IP and internal port.
Ayman Bakr (Senior Consultant) commented:
If you have a firewall between your clients and XenApp servers then you need to open the ports 1494 and 2598 (session reliability) [I think basraj made a typo with 1498 instead of 1494], as the clients will be passed the direct IP of the XenApp servers through the ICA file. In addition you will need to open port 80 for communication with the Web Interface. However, if the communication is over SSL then port 443 will need to be opened.

If you have a firewall between your XenApp servers and the licensing server then you will also need to open port 7279 (Citrix vendor daemon port) to be able to acquire Citrix licenses, and port 27000 (for license management).
trojan81 (Author) commented:
Yes guys, I'm aware of the ports. My question is about the source IP. What will it be sourcing from? Sourcing from the WI server, or the client's IP?
Ayman Bakr (Senior Consultant) commented:
I don't think I quite understand your question as I am not a network engineer. However, for what it's worth I will describe the process by which the client contacts the XenApp server:

1. The client puts in the URL of the Web Interface (WI).

2. The WI contacts the XML broker for authentication of the client and to provide the list of applications published for the user.

3. The client gets presented with the icons of the applications published for the user.

4. The client clicks on an icon to launch the application.

5. The web interface contacts the XML broker which will query the Data Collector (usually the Data Collectors are set to be the XML Brokers) to retrieve the least loaded XenApp server. This is passed through an ICA file to the client via the WI.

6. The client, having the ICA file with the IP of the least loaded server, will from here on directly contact the XenApp server.
trojan81 (Author) commented:
Thank you guys. Yes indeed, traffic sources from the client after it receives the ICA file.
One thing to add..

basraj put up a quote here..
"If https is used, it also gives out a STA ticket along with ica file."

This is not accurate. The STA ticket is always used and has been for a long time (since the XML broker was first introduced).

The ticket is a 120-bit number that is unique and generated for each session. The STA records the ticket generated, and the WI server embeds the ticket in the ICA file. When the client initiates the session, it sends the ticket to the server, which in turn sends it to the STA for validation.

Thanks for the correction, Coralon..