digital0g1c

Citrix access from mobile receiver only works inside the firewall.

We are using Citrix XenApp 6.5 and are having issues with the mobile clients connecting via the Citrix Receiver from outside the firewall.

Users can log in from a computer remotely and access all applications through the WI, but when they use the mobile Receiver, they are able to log in (natively on the Receiver) and see the published apps, but when they click on an app, it never downloads the connection file and spins for about 10 minutes and then times out.

If they happen to have an Android device and have installed Firefox, they can go to the WI site and log in, pick the application, it will pull up the Citrix Receiver app and then after 5 minutes (always 5 minutes) it will bring them to the Server 2008R2 RDP login screen. They did not pick RDP, they picked a published app. Once they log in to the RDP login, they have the desktop and can manually launch the app (as they are in an RDP session).

The mobile devices work fine from within the local network; this only happens when they are connecting over the internet.

I have verified firewall ports, 1494 is passing and working as the WI logged-in users work just fine. This is just an issue with the Mobile Receiver App. I am using the latest version as of this posting.

What should I do to get the mobile clients access from the internet?

On a side note, we are not using the Citrix Secure Gateway, rather a Cisco ASA for that NAT.
Ayman Bakr

On the mobile receiver side:
1. How are the account settings on your mobile receiver set?
2. Do you have Access Gateway turned off in the Citrix Access Gateway settings?
3. What is the version?

On the Web Interface server:
1. What is the Web Interface server version? (Android built-in browser supports 5.4, while Firefox for Android is known to support 5.2 or higher)
2. How are your services and web sites configured - please post the secure method?

On the Cisco ASA:
1. How is it configured for remote XenApp access?
digital0g1c

ASKER

On the mobile receiver side:
1. How are the account settings on your mobile receiver set?
    - We use XenApp Services as the type, and the public web address of the server for the address.
2. Do you have Access Gateway turned off in the Citrix Access Gateway settings?
    - There is no Access Gateway; it is not installed.
3. What is the version?
    - Version 6.5

On the Web Interface server:
1. What is the Web Interface server version? (Android built-in browser supports 5.4, while Firefox for Android is known to support 5.2 or higher)
    - Version 6.5
2. How are your services and web sites configured - please post the secure method?
    - They are set up basically as defaults. The mobile clients work fine behind the firewall with the same settings.

On the Cisco ASA:
1. How is it configured for remote XenApp access?
    - A NAT is set up for the Citrix server, and ports 80, 443, and the ICA port are open.

Version 6.5 is the version of XenApp servers. Web Interface versions I believe have not yet exceeded 6 (they will not, as their end of life cycle is approaching soon).

Anyway, from what you mentioned in your last answer I believe that you are missing one more configuration on the Web Interface. As you are NAT'ing your XenApp servers on the Cisco ASA you need to set up the Translated secure method on your Web Interface.

What you need to do basically is:
1. On the Web Interface change the default secure method to Translated.
2. Add another secure method as Direct for your internal users specifying the whole range of IP addresses on LAN used by your clients
3. Move the default (Translated secure method) to be the second in the list
4. Configure the default secure method as:
    a. specify Internal IP address of your XenApp server
    b. specify internal port as 1494
    c. specify External IP address of the XenApp server to be your public IP address
    d. specify External port as specified on your Cisco ASA for that XenApp server
    Repeat the above a, b, c and d for all your XenApp servers. Note that b and c values will be the same for all your XenApp servers, while a and d should be different and in line with what is configured on your Cisco ASA.
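
A simplified model of the access-method ordering and translation table described in the steps above, added here as an illustration (it is not part of the thread and not Citrix code). All addresses, ports and function names are constructed assumptions.

```python
import ipaddress

# Constructed sample values (RFC 1918 / RFC 5737 ranges), not from the thread.
ACCESS_METHODS = [
    ("10.0.0.0/8", "direct"),     # LAN clients reach the XenApp servers directly
    ("0.0.0.0/0", "translated"),  # default: everyone else comes in through the NAT
]
# (internal ip, internal port) -> (external ip, external port) as NAT'ed on the firewall
TRANSLATIONS = {
    ("10.1.1.21", 1494): ("203.0.113.10", 1494),
    ("10.1.1.22", 1494): ("203.0.113.10", 1495),
}

def access_method(client_ip, rules=ACCESS_METHODS):
    """First matching rule wins, so the LAN rule must sit above the default."""
    addr = ipaddress.ip_address(client_ip)
    for prefix, method in rules:
        if addr in ipaddress.ip_network(prefix):
            return method
    raise LookupError("no access method matches " + client_ip)

def launch_address(client_ip, server, rules=ACCESS_METHODS, table=TRANSLATIONS):
    """Return the (ip, port) that would be written into the connection file."""
    if access_method(client_ip, rules) == "direct":
        return server
    if server not in table:
        # Missing mapping: an external client would be handed a private address.
        raise KeyError("no translation for %s:%d" % server)
    return table[server]

def audit(servers, table=TRANSLATIONS):
    """Report servers without a mapping and external endpoints used twice."""
    problems = [f"unmapped: {ip}:{port}" for ip, port in servers
                if (ip, port) not in table]
    seen = set()
    for external in table.values():
        if external in seen:
            problems.append(f"duplicate external {external[0]}:{external[1]}")
        seen.add(external)
    return problems

if __name__ == "__main__":
    print(launch_address("10.4.5.6", ("10.1.1.21", 1494)))      # LAN client
    print(launch_address("198.51.100.7", ("10.1.1.22", 1494)))  # internet client
    print(audit([("10.1.1.21", 1494), ("10.1.1.23", 1494)]))
```
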
I do have the translated entry and the direct entry set up already. The web interface works fine from remote, it's only the mobile app that does not.

Within Web Interface, double check your XML/STA settings. STA rechecks at approximately 5 minutes so sounds suspect.

Please take a look at the Managing Servers configuration. Specifically, http://support.citrix.com/proddocs/topic/web-interface-impington/wi-specify-advanced-settings-gransden.html. Also, remove load balancing: http://support.citrix.com/proddocs/topic/web-interface-impington/wi-enable-load-balancing-gransden.html.

I don't see STA? Where is that?

Locate 'Secure Access' on the right in your screenshot - or right click on your services site and select secure access. STA configurations are there.

Ok, that was set up as NAT translated and the translation was correct. I switched it to alternate and set up an altaddr in the command window but that did not work either. So I switched it back.

Alternate will only work when you have a public IP for each XenApp server!! With one public IP and several XenApp servers you will use Translated.

We have a static IP for the XenApp server. But it still did not work when I tried that.

Your static IP is still a private IP, not a public one. So alternate will not work.

No, I have a static public IP just for this and I set it up on the server using the altaddr command and that is what still did not work. I have the NAT set up on the firewall as well.

OK, I see. Anyhow, I believe Translated would be a better option despite the fact that it is ugly and NAT'ing is cumbersome. I would really prefer something more secure like NetScaler or Citrix Access Gateway.

Hope Joharder would have something to say.
ASKER CERTIFIED SOLUTION
digital0g1c
It is the correct Answer