citrix web interface source

Posted on 2012-08-27
Last Modified: 2012-08-28

Follow me here.

Behind Firewall 1, I have a Citrix Web Interface and XenApp servers. I log into the Web Interface and get presented my applications. Application-1 is published on a XenApp server behind firewall 2.
If I click on application-1, traffic needs to be permitted inbound on firewall 2 to reach the XenApp server. My question is, what is traffic going to source out of? Will it source out of the WI server behind F1, the XenApp behind Fw1, the client's own IP?

I'm a network engineer, not a Citrix guy. This is just a question I've been wondering.
Question by:trojan81

    Expert Comment

    1. Make sure the following ports are open to reach the XenApp servers between firewalls.

    2598 (if session reliability is enabled)

    2. WI gives out the Citrix IP directly to the client devices in form of ICA, so client will get connected using the xenapp ip. Even if WI goes down, the existing sessions will not get affected as. If https is used, it also gives out a STA ticket along with ica file.

    If NAT is used to translate between WI and XenApp servers, then additionally you have to go to Citrix web interface control, manage secure access section, which gives out an option to enter the translation information such as external IP and external port, internal IP and internal port.

    Expert Comment

    by:Ayman Bakr
    If you have firewall between your clients and XenApp servers then you need to open the ports 1494 and 2598 (session reliability) [I think basraj made a typo with 1498 instead of 1494] as the clients will be passed the direct IP through ICA of the XenApp servers. In addition you will require to open port 80 for communication with the Web Interface. However if the communication is over SSL then port 443 will need to be opened.

    If you have a firewall between your XenApp servers and Licensing server then you will also need to open port 7279 (Citrix vendor daemon port) to be able to acquire Citrix licenses, and port 27000 (for license management).

    Author Comment

    Yes guys, I'm aware of the ports. My question is about the source IP. What will it be sourcing from? Sourcing from the WI server, client's IP?

    Assisted Solution

    by:Ayman Bakr
    I don't think I quite understand your question as I am not a network engineer. However for what it's worth I will describe the process by which the client contacts the XenApp server:

    1. Client puts in the URL of the web interface, WI

    2. The WI contacts the XML broker for authentication of the client and to provide with the list of applications published for the user

    3. The client gets presented with the icons of the applications published for the user

    4. Client clicks on an icon to launch the application

    5. The web interface contacts the XML broker which will query the Data Collector (usually the Data Collectors are set to be the XML Brokers) to retrieve the least loaded XenApp server. This is passed through an ICA file to the client via the WI.

    6. The client having the ICA file with the IP of the least loaded server will here on directly contact the XenApp server.

    Accepted Solution

    After the client has received the ICA file (as explained by Mutawadi), the client initiates the session.
    The source IP is the client IP (or the NATed public IP from his ISP).
    The DIP is the IP of your server (or its external public IP before your NAT).
    SPORT is dynamic and DPORT is 1494 (ICA) or 2598 (ICA with Session Reliability).

    If you use a Citrix Secure Gateway (or Access Gateway) you have one connection (TCP 443) from client to CSG with the client IP as source and a second connection (TCP 1494/2598) from CSG to your XenApp servers with CSG as source IP...
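The two cases in the accepted answer, turned into the flow tuples a firewall rule has to match. This is an added example, not part of the original thread: the ICA files are constructed samples, and `expected_flows`, `gateway_ip` and `xenapp_ip` are hypothetical names for this sketch.

```python
import configparser

ICA_PORT, CGP_PORT = 1494, 2598  # ports named in the thread

# Constructed ICA files; hosts are documentation/test values, not real systems.
DIRECT_ICA = """[ApplicationServers]
Application-1=
[Application-1]
Address=192.0.2.10:1494
CGPAddress=*:2598
"""
GATEWAY_ICA = """[ApplicationServers]
Application-1=
[Application-1]
Address=;40;STA01;CONSTRUCTED-TICKET
SSLEnable=On
SSLProxyHost=csg.example.test:443
"""

def split_host_port(value, default_port):
    host, _, port = value.partition(":")
    return host, int(port) if port else default_port

def expected_flows(ica_text, client_ip, gateway_ip=None, xenapp_ip=None):
    """Return (source, destination, tcp_dport) tuples the firewalls must permit."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key case so the app name matches its section
    cfg.read_string(ica_text)
    app = cfg[next(iter(cfg["ApplicationServers"]))]

    if app.get("SSLEnable", "Off").lower() == "on":
        # Gateway case: the client only ever talks to the gateway on TCP 443.
        gw_host, gw_port = split_host_port(app["SSLProxyHost"], 443)
        flows = [(client_ip, gw_host, gw_port)]
        # Second leg: the gateway is the source seen in front of the XenApp
        # servers. Its address and the server address come from the admin,
        # because the ICA file carries a ticket instead of the server IP.
        flows += [(gateway_ip, xenapp_ip, p) for p in (ICA_PORT, CGP_PORT)]
        return flows

    # Direct case: the client itself connects to the address in the ICA file.
    host, port = split_host_port(app["Address"], ICA_PORT)
    flows = [(client_ip, host, port)]
    if "CGPAddress" in app:
        cgp_host, cgp_port = split_host_port(app["CGPAddress"], CGP_PORT)
        # "*" means the same host as Address (session reliability port).
        flows.append((client_ip, host if cgp_host == "*" else cgp_host, cgp_port))
    return flows
```

In neither case does the Web Interface server appear as a source toward the XenApp server behind firewall 2 for the session itself.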

    Author Closing Comment

    Thank you guys. Yes indeed, traffic sources from the client after it receives the ICA file.

    Expert Comment

    One thing to add..

    basraj put up a quote here..
    If https is used, it also gives out a STA ticket along with ica file.

    This is not accurate.  The STA ticket is always used and has been for a long time (since the XML broker was first introduced).  

    The ticket is a 120-bit number that is unique and generated for each session.  The STA records the ticket generated, and the WI server embeds the ticket in the ICA file.  When the client initiates the session, it sends the ticket to the server which in turn sends it to the STA for validation.
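The ticket lifecycle described in the comment above, as a small model. This is an added example, not part of the original thread and not Citrix code: the class name, the single-use redemption and the ticket lifetime are assumptions made for the sketch.

```python
import secrets
import time

TICKET_BITS = 120         # size stated in the thread
TICKET_TTL_SECONDS = 100  # assumed lifetime for this model, not from the thread

class TicketAuthority:
    """Toy model of the STA: records issued tickets and validates them."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._issued = {}  # ticket -> (target server, expiry time)

    def issue(self, target_server):
        # Called on behalf of the Web Interface when an application is launched.
        # 120 bits from a CSPRNG, so a ticket cannot be guessed or enumerated.
        ticket = secrets.token_hex(TICKET_BITS // 8).upper()
        self._issued[ticket] = (target_server, self._clock() + TICKET_TTL_SECONDS)
        return ticket

    def validate(self, ticket):
        # Called by the server the client connected to. pop() makes redemption
        # single-use (assumption), so a copied ICA file cannot be replayed.
        target, expiry = self._issued.pop(ticket, (None, 0.0))
        if target is None or self._clock() > expiry:
            return None
        return target

def launch(sta, target_server):
    """WI side: obtain a ticket and embed it where the ICA file is built."""
    return {"ticket": sta.issue(target_server)}

def connect(sta, ica):
    """Server side: hand the ticket presented by the client to the STA."""
    return sta.validate(ica["ticket"])
```

An unknown, already redeemed or expired ticket returns `None`, which is the point at which the connection would be refused.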


    Expert Comment

    Thanks for correcting Coralon..
