I need help getting our Citrix Presentation Server 4.0 to be temporarily accessible from outside. Internally we use 172.20.1.8 for Citrix and outside we have IP 69.x.x.x
What is the best way to get this working? Thank you.
The preferred way to do this is to use Citrix Access Gateway or Secure Gateway. Access Gateway is a hardware box that sits in the DMZ of your firewall and is an SSL VPN device.
Secure Gateway does a similar job but uses software installed on a Windows server. It acts as a broker between the server farm and the internet. This can be more costly and less secure (I think the entry price level for an Access Gateway is around $2000 US, whereas SG needs hardware, SSL certificates and more service time to configure etc.)
Alternatively, you could use VPNs if your firewall supports it, but this may require some software to be installed on each client device that needs access.
The only other option is to put the Citrix server on to the internet, either by assigning a public IP address to the NIC, or by opening ports on your firewall. This is not to be recommended!!!! It will leave your entire network open to attack.
The choice really comes down to price, but I would strongly recommend the Access Gateway. Not only will it give you the functionality you need (accessing a Citrix farm), it will also allow you to have secure access to the network for other services, e.g. mail, file servers, and even VoIP! It's cheap and secure and fairly easy to configure (and no, I'm not on commission from Citrix ;o))
Right now we don't have a FQDN, certificate or SG setup yet. Temporarily I just want the user to have access to Citrix via the web from outside with going through VPN. We have an outside IP. Will altaddr do the trick?
If you have VPN access, you should just be able to hit the internal IP of the Citrix server. No altaddr required! If you didn't have a VPN, you could set up the Citrix server with Web Interface and an alt address. Configure the altaddr to be the same as your external IP and configure the firewall to pass traffic on 1494/2598 (depending on whether you are using session reliability) to your Citrix farm. Then tell WI to return the altaddr instead of the real address. That will do it, but be warned that this is very insecure and you're leaving your network open to attack!
The Altaddr command should be altaddr /set 69.x.x.x
This will tell the CTX server what its alternate address is. By setting the WI DMZ setting to Alternate, you tell the WI to request the alternate address from the CTX server when it asks for the location of the requested app.
As you have specified the client IP range and mask, you tell WI to only return the alternate address for clients that belong to that subnet (although by setting the mask to 255.255.255.255 you tell it to look at only that one host - presumably that is the IP of the firewall DMZ interface). This should mean that intranet users will be unaffected, as they will not belong to this range. You are then opening up the firewall for ports 1494 and 2598.
Provided the firewall is configured to tunnel the traffic to the alternate address, you should be set. It really depends on your firewall configuration, but from the CTX side, you should be fine with that config.
Are you happy with the firewall setup? There are lots of ways to do that, but I could send you a diagram if that would be helpful?
No problem, but could you send me a diagram with your current setup, indicating which ports are opened etc? (obviously remove the actual IPs and replace with dummy ones - can't be too careful these days! ;o))
Do you have an email address I can contact you on?
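Added example, not part of any post in the thread and not Citrix code: a small Python model of the client range/mask matching described above, showing which server address a client would be handed and flagging an Alternate rule that also covers intranet clients. The firewall interface address 192.0.2.1, the internal subnet 172.20.1.0/24, the first-match rule order and all function names are assumptions made for the illustration.

```python
import ipaddress

NORMAL, ALTERNATE = "normal", "alternate"
# Addresses from the thread; the external one is elided there and stays elided.
SERVER = {NORMAL: "172.20.1.8", ALTERNATE: "69.x.x.x"}
# Constructed sample values (assumptions, not from the thread).
FIREWALL_DMZ_IF = "192.0.2.1"
INTERNAL_NETS = ["172.20.1.0/24"]

def parse_rule(address, mask, mode):
    """One client-address row: address + dotted mask -> (network, mode)."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False), mode

def address_for_client(client_ip, rules, default=NORMAL):
    """Server address handed to this client; first matching rule wins (assumed)."""
    ip = ipaddress.ip_address(client_ip)
    for net, mode in rules:
        if ip in net:
            return SERVER[mode]
    return SERVER[default]

def audit_rules(rules, internal_nets=INTERNAL_NETS):
    """List (rule, internal net) pairs where an Alternate rule also covers intranet clients."""
    return [(str(net), internal)
            for net, mode in rules if mode == ALTERNATE
            for internal in internal_nets
            if net.overlaps(ipaddress.ip_network(internal))]

# Host mask, as described in the thread: only the firewall interface matches.
HOST_RULES = [parse_rule(FIREWALL_DMZ_IF, "255.255.255.255", ALTERNATE)]
# Over-broad mask: every client matches, intranet included.
BROAD_RULES = [parse_rule("0.0.0.0", "0.0.0.0", ALTERNATE)]

if __name__ == "__main__":
    for name, rules in (("host mask", HOST_RULES), ("broad mask", BROAD_RULES)):
        for client in ("172.20.1.50", FIREWALL_DMZ_IF):
            print(f"{name}: client {client} -> {address_for_client(client, rules)}")
        print(f"{name}: overlaps with intranet: {audit_rules(rules)}")
```

With the host mask only traffic arriving from the firewall interface is given the alternate address; with the broad mask intranet clients receive it too, which is the case the audit function reports.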