trojan81

citrix web interface source

Experts,

Follow me here.

Behind Firewall 1, I have a Citrix Web Interface and XenApp servers. I log into the Web Interface and get presented my applications. Application-1 is published on a XenApp server behind Firewall 2.
If I click on Application-1, traffic needs to be permitted inbound on Firewall 2 to reach the XenApp server. My question is, what is traffic going to source out of? Will it source out of the WI server behind FW1, the XenApp behind FW1, the client's own IP?

I'm a network engineer, not a Citrix guy. This is just a question I've been wondering.
basraj

1. Make sure the following ports are open to reach the XenApp servers between the firewalls.

1498
2598 (if session reliability is enabled)

2. WI gives out the Citrix IP directly to the client devices in the form of ICA, so the client will get connected using the XenApp IP. Even if WI goes down, the existing sessions will not get affected as. If https is used, it also gives out a STA ticket along with ica file.

If NAT is used to translate between WI and XenApp servers, then additionally you have to go to Citrix web interface control, manage secure access section, which gives out an option to enter the translation information such as external IP and external port, internal IP and internal port.
Ayman Bakr

If you have a firewall between your clients and XenApp servers then you need to open the ports 1494 and 2598 (session reliability) [I think basraj made a typo with 1498 instead of 1494] as the clients will be passed the direct IP of the XenApp servers through ICA. In addition you will need to open port 80 for communication with the Web Interface. However, if the communication is over SSL then port 443 will need to be opened.

If you have a firewall between your XenApp servers and Licensing server then you will also need to open port 7279 (Citrix vendor daemon port) to be able to acquire Citrix licenses, and port 27000 (for license management).
trojan81

ASKER

Yes guys, I'm aware of the ports. My question is about the source IP. What will it be sourcing from? Sourcing from the WI server, client's IP?
SOLUTION
Ayman Bakr
This solution is only available to members.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Thank you guys. Yes, indeed traffic sources from the client after it receives the ICA file.
One thing to add..

basraj put up a quote here..
If https is used, it also gives out a STA ticket along with ica file.

This is not accurate.  The STA ticket is always used and has been for a long time (since the XML broker was first introduced).  

The ticket is a 120-bit number that is unique and generated for each session. The STA records the ticket generated, and the WI server embeds the ticket in the ICA file. When the client initiates the session, it sends the ticket to the server, which in turn sends it to the STA for validation.

Coralon
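
The flow described in this thread, as an added example that is not part of any poster's reply and is not Citrix code: a small Python model of the STA recording a ticket, the WI embedding it in the ICA file, and the client opening the session itself, so the source address seen at firewall 2 is the client's. The ICA section and key names, the class and function names, and all IP addresses are simplified, constructed stand-ins; port 1494 is the ICA port named in Ayman Bakr's reply.

```python
import configparser
import secrets

TICKET_BITS = 120  # ticket size stated in the thread


class STA:
    """Records every ticket it generates so it can validate it later."""

    def __init__(self):
        self._issued = set()

    def issue(self):
        ticket = secrets.token_hex(TICKET_BITS // 8)  # 15 random bytes = 120 bits
        self._issued.add(ticket)
        return ticket

    def validate(self, ticket):
        return ticket in self._issued


def wi_build_ica(sta, xenapp_ip, port=1494):
    """Web Interface: embed the XenApp address and the STA ticket in the ICA file."""
    # Simplified stand-in for an ICA file; section and key names are hypothetical.
    return f"[Application-1]\nAddress={xenapp_ip}:{port}\nTicket={sta.issue()}\n"


def client_launch(ica_text, client_ip):
    """Client: read the ICA file and open the session to the XenApp server itself."""
    ica = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    ica.optionxform = str  # keep key case as written
    ica.read_string(ica_text)
    app = ica["Application-1"]
    dst_ip, dst_port = app["Address"].rsplit(":", 1)
    # This tuple is what firewall 2 sees: the source is the client, not the WI.
    flow = {"src": client_ip, "dst": dst_ip, "dport": int(dst_port)}
    return flow, app["Ticket"]


def xenapp_accept(sta, ticket):
    """XenApp server: hand the ticket presented by the client to the STA."""
    return sta.validate(ticket)


# Constructed addresses from documentation ranges, not taken from the thread.
WI_IP, XENAPP_IP, CLIENT_IP = "192.0.2.10", "198.51.100.20", "203.0.113.50"

if __name__ == "__main__":
    sta = STA()
    flow, ticket = client_launch(wi_build_ica(sta, XENAPP_IP), CLIENT_IP)
    print(flow, "ticket valid:", xenapp_accept(sta, ticket))
```
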
Thanks for correcting, Coralon.