Accessing a 3rd Party's Citrix environment via NAT

We have a requirement to access a customer's Citrix environment.
This is achieved by targeting their web access servers.
Once authenticated, the apps are presented; clicking the app results in the .ica file being generated and downloaded by the client.

This query is regarding the fact that the true Citrix Presentation Server IP is presented back to us within the ICA file. We can accommodate routing to their real address at present, however this will soon change and I'm looking at what options are available.

As this is a 3rd party's Citrix farm, I obviously cannot make changes directly, so first of all I'm looking to see if there are any options which do not involve the customer?

Brian CTXSupport, Citrix Consultant, Commented:
At a minimum they need to look at Secure Gateway or Access Gateway, or a VPN solution. Due to the security implications, I won't instruct you how to create a publicly facing NAT, although it sounds like their security practices are questionable.

Citrix built in support for this a *long* time ago, but many people have forgotten about it.

As Brian mentioned, they really should put up a CSG or Netscaler gateway.  These are the ideal solutions. However, if you *have* to access the servers directly through a NAT, then they can use the altaddr.exe utility to set an Alternate Address.  

The administrator puts in the external address using altaddr. When you connect to their site, make sure that you are requesting the alternate address in the file (they configure that on the web servers). They can also set up port translation with a single address. With that, they would configure different TCP ports for each of the backend servers. When you get the ICA file, it will contain the primary NAT address with the port to connect to. Then their firewall/etc. takes the alternate port traffic and forwards the traffic to the correct server on port 1494.
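
A client-side check for the behaviour described in the answer above, as an added example that is not part of the original thread: it parses a downloaded .ica file and reports whether each application's Address entry is still an internal RFC 1918 address or a NAT address with a translated port. The sample file contents, addresses and the function name `ica_endpoints` are constructed for illustration.

```python
import configparser
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DEFAULT_ICA_PORT = 1494  # ICA port named in the answer above

def ica_endpoints(ica_text):
    """Return one dict per published app: host, port, and whether the host is RFC 1918."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(ica_text)
    found = []
    for app in cp["ApplicationServers"]:
        addr = cp.get(app, "Address", fallback="").strip()
        host, _, port = addr.partition(":")
        port = int(port) if port.isdigit() else DEFAULT_ICA_PORT
        try:
            ip = ipaddress.ip_address(host)
            internal = any(ip in net for net in RFC1918)
        except ValueError:
            internal = None  # not a literal IP (hostname or gateway-style entry)
        found.append({"app": app, "host": host, "port": port, "internal": internal})
    return found

# Constructed sample: the web server hands back the server's real address.
SAMPLE_INTERNAL = """\
[ApplicationServers]
Notepad=

[Notepad]
Address=10.20.30.40
InitialProgram=#Notepad
"""

# Constructed sample: alternate address with port translation in effect.
SAMPLE_ALTADDR = """\
[ApplicationServers]
Notepad=

[Notepad]
Address=203.0.113.10:2601
InitialProgram=#Notepad
"""

if __name__ == "__main__":
    for name, text in (("internal", SAMPLE_INTERNAL), ("altaddr", SAMPLE_ALTADDR)):
        for ep in ica_endpoints(text):
            print(name, ep)
```

An `internal` value of `True` means the file still carries the farm's real address, so the alternate address is not being requested or has not been configured.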


Brian CTXSupport, Citrix Consultant, Commented:
Should give credit to Coralon.  The altaddr response is the correct answer, though the secure options should be considered first.
drm256, Author, Commented:
Hi Brian, I did try to award to you both, but I didn't manage it somehow.
Sorry Coralon.
Brian CTXSupport, Citrix Consultant, Commented:
Cool, thanks!  Mods should be able to fix it.