Citrix and NAT

helsknight

IS-IT--Management
Nov 10, 2004
72
US
Environment:
MetaFrame XP
using NAT
WatchGuard Firebox

I've set it up so that the altaddr is the public IP of the Citrix server, so externally everything works fine. Internally, our DNS records point the web address to the NAT address of the server. So when the web interface accesses the site citrix.xxx.com, everything is fine and authenticated. Once you click on the .ica files, they point to the public IP of the server. I was told by WatchGuard that internally you can't access your servers directly with an external address and have to use the NAT address.

My question: how do I configure Citrix to assign the NAT IP address of the server if the web request is coming from within our network?

So if it was working right, internally when I access the web interface and open the .ica files they would point to the NAT address, and if I was external they would point to the public IP address.

Everything else works fine.

Thank you in advance!

Hels
 
If I remember correctly in the admin area for your web site, you can specify IP ranges that see your internal IP, and everything else gets returned external IP.

A perspective from the other side!!

Cheers
Scott
 
Sounds like your problem is the way you configured your DNS. Clients on the private network should not be addressing the alternate address, only clients on the public Internet should.

On your private network you should have DNS Host Records named "ica" pointing to your server's private addresses. Your private DNS does not need to have any knowledge of the alternate addresses.

The other option is to use two different WI, i.e. one internally for private clients and one in a DMZ for Internet Clients.



Patrick Rouse
Microsoft MVP - Terminal Server
 
Patrick,

I have the internal DNS pointing the web address towards the internal address. The problem is that once you're authenticated and try to access the application, the .ica file (if you right-click and save the icon) is pointing towards the altaddr. I believe this is because Citrix is only returning the altaddr for the .ica files.

How do you configure two different web interfaces?

Thanks Hels
 
In the WI admin, what is the Specific address translation setting, and what is the "Client address prefix"? For example, if I wanted 192.168.0.1 to 192.168.0.254, what do I have to specify? I've tried:

192.168.0.0/24
192.168.0.
192.168.0.*
192.168.0.0
192.168.0.0-192.168.0.255/255.255.255.0

None work so far.

Thanks
 
You shouldn't have to have two different WI servers, but you might choose to do so if you wanted Internet users to have to go through the Secure Gateway. In this case you'd have a WI & Secure Gateway server in a DMZ and a WI on the private network for private clients.

It sounds like your WI is configured incorrectly, as the alternate addresses should only be given to Internet clients. Here are settings from a 3.x WI that work from the Internet and from the private network:

Default address translation setting
Alternate address is selected

Specific Address Translation setting
Client Subnet, address & mask are blank
Normal Address is selected

Setting Map
network address/network mask = normal, i.e.
10.0.0.0/255.255.0.0 = normal

MetaFrame server address translation map
Server address = blank
Server Port = 1494
Translated address = blank
Translated Port = 1494




Patrick Rouse
Microsoft MVP - Terminal Server
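
The address selection these settings describe can be modelled as a subnet lookup with a default, which also makes it easy to check which internal clients would still be handed the public address. This is an added example, not part of the original post and not Citrix code; the sample addresses, the function names and the most-specific-match ordering are assumptions.

```python
import ipaddress

# Constructed sample addresses; the thread does not give the farm's real ones.
SERVER = {"normal": "10.0.1.20", "alternate": "203.0.113.20"}
DEFAULT_SETTING = "alternate"   # "Default address translation setting"
SETTING_MAP = ["10.0.0.0/255.255.0.0 = normal"]   # entry form quoted in the post


def parse_setting_map(entries):
    """Turn 'network address/network mask = setting' lines into (network, setting)."""
    rules = []
    for entry in entries:
        net_text, sep, setting = entry.partition("=")
        setting = setting.strip().lower()
        if not sep or setting not in SERVER:
            raise ValueError(f"bad setting map entry: {entry!r}")
        # strict=True rejects a network address that has host bits set.
        rules.append((ipaddress.ip_network(net_text.strip(), strict=True), setting))
    # Assumption of this model: the most specific subnet wins.
    rules.sort(key=lambda rule: rule[0].prefixlen, reverse=True)
    return rules


def address_for_client(client_ip, rules, default=DEFAULT_SETTING):
    """Return the server address an .ica file would carry for this client."""
    ip = ipaddress.ip_address(client_ip)
    for network, setting in rules:
        if ip in network:
            return SERVER[setting]
    return SERVER[default]


def internal_clients_sent_outside(clients, internal_net, rules):
    """List internal clients that would be handed the alternate (public) address."""
    internal = ipaddress.ip_network(internal_net)
    return [c for c in clients
            if ipaddress.ip_address(c) in internal
            and address_for_client(c, rules) == SERVER["alternate"]]


if __name__ == "__main__":
    clients = ["10.0.5.7", "10.0.200.3", "198.51.100.9"]   # constructed
    for label, entries in (("no map entry", []), ("map from the post", SETTING_MAP)):
        rules = parse_setting_map(entries)
        print(label, internal_clients_sent_outside(clients, "10.0.0.0/16", rules))
```

With no map entry every internal client falls through to the alternate default, which is the symptom reported at the top of the thread; a client such as 10.1.0.5 sits outside the 255.255.0.0 mask and would still get the alternate address.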
 
Thanks Patrick,

I'll try that after hours. It seems changing the setting in the WI Admin affects the client agents internally also.
 