
Cannot connect MetaFrame XPs


gtstangman35

IS-IT--Management
Sep 11, 2002
US
Hello,

I am having an interesting problem. I just set up a Citrix MetaFrame XPs box with NFuse 1.8 and I am using the web to connect users to my published apps. Everything was working great when everyone was behind the firewall where the box was. But today I opened up all the ports Citrix says to use on my firewall (1494 tcp inc. 1604 udp inc. and 1023-65535 out tcp and udp) and the clients can connect to the initial page and they can even log in, but they cannot run any of the published apps. They receive either of the following messages:

"error 1030 cannot connect to the citrix server"

or after they click on the app it just keeps saying:

"connection in progress" and times out and states:
"There is no Citrix Server configured on the specified address"

Any ideas?

Thanks,
Wes H

 
First, see if you can telnet to the Citrix server's public IP address on port 1494, and get an 'ICA--' response, which means you've set up the firewall properly.

Did you set up an alternate address on the Citrix server with the 'altaddr' command?

Next, did you configure NFuse to use the alternate address if the client is accessing the MF box from outside the firewall?

Finally, there is a 'Firewalls' check box that needs to be checked *sometimes* if you're coming in through a firewall. I can't think right now where you set it on NFuse administration, but it's easy to find if you're using Program Neighborhood.

Hope this helps,
-gbiello
 
Good Morning!

Thanks for the input! I looked at all my firewall settings and all seems to be correct. I have port 1494 tcp open to just my Citrix box. When I am inside the firewall I can telnet to the box on 1494 and get a response, but when I am outside the firewall it does NOT get a response. I cannot see what I am doing wrong. I have 1494 forwarded right to the box. Do I need to have just a global hole in my firewall? I wanted to tighten it down and just allow tcp 1494 just to my Citrix box. Also, about running altaddr, do I need to do that when the box only has 1 IP address and that is a routable address? When we first set up our network we were given 3 class C blocks of IPs so I use some of them for our webservers. It just makes it easier when NAT doesn't always work. Any ideas?

 
Hi

Obviously this is a firewall-related issue. Here is a link to an MSKB article titled "How to Publish a Citrix Server Behind ISA Server". Maybe this will solve your problem (if you are using ISA) or give you some direction. From what little there is in your post you need to enable port forwarding, for this port, in order for this to work. So make sure your live IPs are in your LAT or it will never work. What is your firewall? The bottom line is you only need 1494 inbound and TCP only so it will be "fairly secure". I use complex passwords in my GPO and 128-bit encryption.
Ike
 
What kind of firewall is it? If it is a PIX you can post your config in the PIX forum and one of us can have a look at it.

-gbiello
 
It is a NetScreen firewall, and I have since figured out the problem. It was due to the fact that I was only allowing source port 1494 and not 1024-65535. It seems that the client may come in on various ports but they all end up on port 1494. I am also thinking that I want to put the front end (NFuse) on the DMZ and the Citrix box inside the firewall. Is this the best practice?

Thanks,
Wes
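
An added illustration, not part of the original thread: a minimal first-match rule model in Python showing why a rule pinned to source port 1494 drops outside ICA clients, and that widening only the source-port range to 1024-65535 keeps the inbound opening limited to TCP 1494 on the Citrix server. The addresses, rule names and the policy model are constructed for this example and are not NetScreen syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CITRIX = "203.0.113.10"         # constructed address (documentation range)
EPHEMERAL = range(1024, 65536)  # client source ports named in the thread

@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    src_ports: range
    dst_net: str
    dst_ports: range

@dataclass(frozen=True)
class Packet:
    proto: str
    sport: int
    dst: str
    dport: int

def evaluate(policy, pkt):
    """Return the name of the first permit rule that matches, else 'implicit-deny'."""
    for r in policy:
        if (r.proto == pkt.proto and pkt.sport in r.src_ports
                and ip_address(pkt.dst) in ip_network(r.dst_net)
                and pkt.dport in r.dst_ports):
            return r.name
    return "implicit-deny"

def audit(policy):
    """Names of rules whose source-port range excludes ephemeral client ports."""
    return [r.name for r in policy
            if not (r.src_ports.start <= EPHEMERAL.start
                    and r.src_ports.stop >= EPHEMERAL.stop)]

# As first configured: source port pinned to 1494, so real clients never match.
BROKEN = [Rule("ica-src-1494", "tcp", range(1494, 1495), f"{CITRIX}/32", range(1494, 1495))]
# Corrected: any ephemeral source port, destination still only the Citrix box on 1494.
FIXED = [Rule("ica-in", "tcp", EPHEMERAL, f"{CITRIX}/32", range(1494, 1495))]

if __name__ == "__main__":
    client = Packet("tcp", 49152, CITRIX, 1494)  # constructed outside client
    for label, policy in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, evaluate(policy, client), "audit:", audit(policy))
    # The corrected rule does not open other hosts or other ports.
    print(evaluate(FIXED, Packet("tcp", 49152, "203.0.113.11", 1494)))
    print(evaluate(FIXED, Packet("tcp", 49152, CITRIX, 3389)))
```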
 