citrix web interface source

Posted on 2012-08-27
Medium Priority
Last Modified: 2012-08-28

Follow me here.

Behind Firewall 1, I have a Citrix web interface and XenApp servers. I log into the web interface and get presented my applications. Application-1 is published on a XenApp server behind firewall 2.
If I click on application-1, traffic needs to be permitted inbound on firewall 2 to reach the XenApp server. My question is, what is traffic going to source out of? Will it source out of the WI server behind F1, the XenApp behind Fw1, the client's own IP?

I'm a network engineer, not a Citrix guy. This is just a question I've been wondering.
Question by:trojan81
LVL 19

Expert Comment

ID: 38339671
1. Make sure the following ports are open to reach the XenApp servers between firewalls.

2598 (if session reliability is enabled)

2. WI gives out the Citrix IP directly to the client devices in the form of ICA, so the client will get connected using the XenApp IP. Even if WI goes down, the existing sessions will not get affected as. If https is used, it also gives out a STA ticket along with ica file.

If NAT is used to translate between WI and XenApp servers, then additionally you have to go to Citrix web interface control, manage secure access section, which gives out an option to enter the translation information such as external IP and external port, internal IP and internal port.
LVL 23

Expert Comment

by:Ayman Bakr
ID: 38339937
If you have firewall between your clients and XenApp servers then you need to open the ports 1494 and 2598 (session reliability) [I think basraj made a typo with 1498 instead of 1494] as the clients will be passed the direct IP through ICA of the XenApp servers. In addition you will require to open port 80 for communication with the Web Interface. However if the communication is over SSL then port 443 will need to be opened.

If you have a firewall between your XenApp servers and Licensing server then you will also need to open port 7279 (Citrix vendor daemon port) to be able to acquire Citrix licenses, and port 27000 (for license management).

Author Comment

ID: 38341317
Yes guys, I'm aware of the ports. My question is about the source IP. What will it be sourcing from? Sourcing from the WI server, client's IP?

LVL 23

Assisted Solution

by:Ayman Bakr
Ayman Bakr earned 1000 total points
ID: 38341987
I don't think I quite understand your question as I am not a network engineer. However for what it's worth I will describe the process by which the client contacts the XenApp server:

1. Client puts in the URL of the web interface, WI

2. The WI contacts the XML broker for authentication of the client and to provide with the list of applications published for the user

3. The client gets presented with the icons of the applications published for the user

4. Client clicks on an icon to launch the application

5. The web interface contacts the XML broker which will query the Data Collector (usually the Data Collectors are set to be the XML Brokers) to retrieve the least loaded XenApp server. This is passed through an ICA file to the client via the WI.

6. The client having the ICA file with the IP of the least loaded server will here on directly contact the XenApp server.
LVL 24

Accepted Solution

Dirk Kotte earned 1000 total points
ID: 38342124
After the client has received the ICA file (as explained by Mutawadi), the client initiates the session.
The source IP is the client IP (or the NATed public IP from his ISP).
The DIP is the IP of your server (or its external public IP before your NAT).
SPORT is dynamic and DPORT is 1494 (ICA) or 2598 (ICA with Session Reliability).

If you use a Citrix Secure Gateway (or Access Gateway), you have one connection (TCP 443) from client to CSG with the client IP as source and a second connection (TCP 1494/2598) from CSG to your XenApp servers with the CSG as source IP...
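The flows described in the answer above, modelled as an added example that is not part of the original thread: it derives which connections must pass firewall 2 when an application is launched and checks candidate rule sets against them. All addresses are constructed sample values, the gateway address is hypothetical, and the first-match rule model is a generic assumption, not any vendor's syntax.

```python
import ipaddress

# Constructed sample addresses (documentation/private ranges), not from the thread.
CLIENT = "198.51.100.23"    # client IP, or its NATed public IP
WI = "10.1.0.10"            # Web Interface server behind firewall 1
XENAPP = "10.2.0.20"        # XenApp server behind firewall 2
GATEWAY = "10.1.0.30"       # hypothetical Secure Gateway address

ICA_PORTS = (1494, 2598)    # ICA, ICA with session reliability


def session_flows(via_gateway=False):
    """Return (src, dst, dport) tuples that must pass firewall 2 at app launch."""
    src = GATEWAY if via_gateway else CLIENT
    return [(src, XENAPP, port) for port in ICA_PORTS]


def permitted(rules, flow):
    """First-match evaluation with implicit deny.

    Each rule is (action, src_cidr, dst_cidr, dport).
    """
    src, dst, dport = flow
    for action, src_net, dst_net, port in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net)
                and dport == port):
            return action == "permit"
    return False


def audit(rules, via_gateway=False):
    """List the session flows that the rule set would drop."""
    return [f for f in session_flows(via_gateway) if not permitted(rules, f)]


# Mistaken rule set: assumes the session is sourced from the WI server.
RULES_WI_SOURCE = [("permit", WI + "/32", XENAPP + "/32", p) for p in ICA_PORTS]
# Rule set matching the answer: the client network is the source.
RULES_CLIENT_SOURCE = [("permit", "198.51.100.0/24", XENAPP + "/32", p) for p in ICA_PORTS]
# With a gateway in the path, only the gateway needs to reach XenApp.
RULES_GATEWAY_SOURCE = [("permit", GATEWAY + "/32", XENAPP + "/32", p) for p in ICA_PORTS]

if __name__ == "__main__":
    print("WI-sourced rules drop:", audit(RULES_WI_SOURCE))
    print("client-sourced rules drop:", audit(RULES_CLIENT_SOURCE))
    print("gateway rules drop:", audit(RULES_GATEWAY_SOURCE, via_gateway=True))
```

The gateway rule set is the narrowest of the three: it exposes the ICA ports on the XenApp server to a single source address instead of to every client network.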

Author Closing Comment

ID: 38342773
Thank you guys. Yes indeed, traffic sources from the client after it receives the ICA file.
LVL 25

Expert Comment

ID: 38343967
One thing to add..

basraj put up a quote here..
If https is used, it also gives out a STA ticket along with ica file.

This is not accurate.  The STA ticket is always used and has been for a long time (since the XML broker was first introduced).  

The ticket is a 120-bit number that is unique and generated for each session.  The STA records the ticket generated, and the WI server embeds the ticket in the ICA file.  When the client initiates the session, it sends the ticket to the server, which in turn sends it to the STA for validation.

LVL 19

Expert Comment

ID: 38344272
Thanks for correcting Coralon..
