ICA connection via Firewall

[mccalia1]

I have a problem which I hope someone can assist with.

ICA client connecting to a Citrix Server via a Firewall.

Citrix Server has both Internal IP, used for LAN purposes and External IP for public internet access.

We have opened Ports 1494 & 1604 TCP & UDP.

ICA Client can connect through to the external IP and receive a Windows 2000 Logon displaying the correct domain and local server name.

The problem is that if I use a domain account or local administrator account on the Citrix connection, I get a message saying I do not have access to logon...even though when I am on the local LAN without the firewall I am able to logon with the same user name and password. I have checked the RDP Connection and the user has permissions.

Any ideas?

 

[mccalia1]

Sorry this is Citrix Metaframe XP

 

[KCDave03]

i'm not sure i'm clear on what you are describing but
in short, it sounds like you need to check the permissions on the ICA connection settings and/or the RDP connection settings. it's not clear to me which you are having trouble with.

 

[mccalia1]

When I run the ICA Client from behind the firewall, I receive a Windows Logon which I enter my credentials. This should authenticate me but it doesn't.

The problem I am having is that when I enter my domain ID or local administrator account, it's denying me access with the Windows Warning message of "You are not authorised to logon"

When I try running the ICA Client in front of the Firewall, I am able to authenticate and logon.

I have checked both ICA & RDP connection settings and these are configured correctly.

Please let me know if you need further information

 

[KCDave03]

when you successfully logon in front of the firewall, are you using the web client or the fat client? are you using the same client from the backend?

 

[mccalia1]

In front of the Firewall, I have used the Web Client (Via IE) and the Fat Client. By fat client I assume it's the metaframe client which requires configuration in order to connect. Both have worked flawlessly.

Behind the Firewall, we are not using the Web Client, only the metaframe client.

thanks.

 

[KCDave03]

what stands out to me is that you have two network interfaces where one is hosting Citrix services for the net but the other does not appear to be. there may be an issue with the server routing packets to the correct interface. do you have more than one default gateway defined?

 

[mccalia1]

yes, i have one local ip address used on the local subnet and i have one external ip address NAT'ed.

I don't have more than one default gateway, not that i am aware of. My Network Engineer set this up.

Any ideas of questions i should ask him?

 

[KCDave03]

it may be that the packets that you're trying to direct at the local interface are being lost on the route. whenever I use more than 1 interface on a server, i usually just let 1 be the primary interface with a defined default gateway. to handle traffic on the others, i edit the local route table on the server.

 

[ctxuser]

Hi MCalia1,
Two more things I can think of. Java Runtime 1.4.5 or 1.5 version need to be installed on the webclient pc when connecting to the nfuse from the internet. Also check the remote desktop users group on the Citrix Servers to ensure that the doamin users are in the group. Try ping your doamin name i.e. doamin.com from the nfuse box to ensure connectivity. Ensure Explicit loggin is selected via the Authentication page of the Nfuse wiadmin url.
From the firewall box ping your doamin.com and backend citrix servers for connectivity. And finally check the version of terminal server license server i.e. 2003 or 2000. Post us your findings..

Sometimes, you just have to forget your head and grab your balls ...!

 

[ctxuser]

Oh ! Telneting the backend servers e.g. citrix server 1494 ports and ica ports from "behind the firewall" might also be useful just for testing...

Sometimes, you just have to forget your head and grab your balls ...!

 

[mccalia1]

Hello, on the PC behind the firewall, I am not using the Web Client, therefore I don't think i'll need the Java Runtime installed. The Citrix Server is W2k so it doesn't have a Remote Desktop user group. ICMP is disabled on the Port so when a Ping is initialised it does not respond.
I have also telnetting to the Citrix box from behind the box and it's disabled so no response!!

Any other suggestions?

 

[mccalia1]

I have just read the following statement from a website

"Set the Public IP for the Citrix MetaFrame Servers
Whether residing on the DMZ, or the local LAN. Let's also say, the Public IP is 123.123.123.1 On the Citrix Servers you need to run the altaddr command, to tell the servers to respond with the Public address, if needed.
On the command line run: altaddr /set 123.123.123.1"

I have a public IP which is NAT'ed to the internal LAN address. Would the public address need to be set?

The Client would connect through to the public IP. If the Citrix box does not know about the Public IP, would this cause the connection to be denied?

 

[KCDave03]

yes you would but it seems to me that you might still have an issue because for now, it seems that you have the Citrix server configured to the public address and NOT the local LAN. that may be why it won't respond on the local LAN address. we have an older farm on our network which uses it's local LAN address to host Citrix and our clients use a NAT'd IP to access the farm. so we have implemented the "altaddr" util so that the server will respond appropriately when the clients use the NAT'd IP. you seem to have your server setup in the opposite way.

 

[mccalia1]

It must be my writing, I have our setup the same way as you do!
Do you need port 3389 open for terminal services licensing? someone has mentioned that it may need to be opened to issue a CAL to the Remote Workstation...bearing in mind this workstation has never accessed our LAN/Citrix box before...

Sorry if it's going off course...