[THIN] Re: Clients behind firewalls

  • From: "Mike Semon" <msemon@xxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Thu, 4 Nov 2004 07:40:19 -0600

Steve,

If you are using TCP/IP you might check to see if UDP port 1604 is open.
Also, when a client wants to connect to a particular Citrix MetaFrame
server, after it knows the server's IP address, it will address the server
on port 1494. The server will respond to the client on 1494 and assign it a
port number in the "high port" range (1023-65534) for further communication.
Each client that attaches to a single server is assigned a different "high
port" number after the initial connection establishment. In this way, the
Citrix MetaFrame server can differentiate between which clients it is
conversing with, because each client continues communication with the Citrix
MetaFrame server using a different source "high port" number, but the
destination port number will remain at 1494 throughout the conversation.
Depending on your firewall, you might have to manually open up this "high
port" range to your Citrix MetaFrame server, in addition to the standard TCP
1494 connection port for your ICA clients to be able to communicate with the
Citrix MetaFrame server.

Hope this helps,

Mike

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On Behalf
Of Rosa,Steve,BRUSSELS,GLOBE Center EUR-ITOC
Sent: Thursday, November 04, 2004 7:06 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Clients behind firewalls



  Mike,

  These clients are connecting via TCP-IP only. They connect to the ZDC's
via IP addresses, not FQDN, as this 3rd party site has no connection with
our DNS infrastructure.
  The box for XML DNS Address Resolution is not checked.

  Steve
    -----Original Message-----
    From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On
Behalf Of Mike Semon
    Sent: 04 November 2004 13:51
    To: thin@xxxxxxxxxxxxx
    Subject: [THIN] Re: Clients behind firewalls


    If you are using Program Neighborhood you may receive this error if you
    are connecting via HTTP+TCP. The client cannot resolve the FQDN of the
    Metaframe Server. Try adding an entry to the host file of the client device
    or in the Management Console deselect enable XML DNS Address Resolution
    under the farm properties.

    -Mike
      -----Original Message-----
      From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On
Behalf Of Rosa,Steve,BRUSSELS,GLOBE Center EUR-ITOC
      Sent: Thursday, November 04, 2004 2:19 AM
      To: thin@xxxxxxxxxxxxx
      Subject: [THIN] Clients behind firewalls


      Hi there,



      Environment: MF XP1.0 on Windows 2000

      We have a couple of users who connect from a 3rd party site. Between
this site and the server farm, firewalls have been put in place and rules
have been created to allow the Citrix traffic. Our farm consists of 20
servers. These clients should only connect to 6 of the servers (2 are
dedicated data collectors and 4 are actual load balanced application
servers), therefore firewall is open only to these 4 boxes.

      When the users connect via the Program Neighbourhood, they get the
error message "Cannot connect to the Citrix MetaFrame server. There is no
route to the specified subnet address".

      The issue is not critical as refreshing 3 times usually clears the
issue however it is annoying. I received some network trace logs which
clearly show that the clients try to connect to servers where they should
not.

      I assume a quick workaround would be to add all the servers in the
firewall rules, but I would rather know what is really going on.

      Has anyone a clear view on this?

      Thanks!

      Steve Rosa
      Platform Services - Technology - Senior System Engineer
      Nestlé European Information Technology Operations Center (ITOC) S.A.
      Rue de Birmingham, 221 - B-1070 Brussels (Belgium)
      Phone : +32 2 529 68 35  -  Fax : +32 2 529 55 95
      Mobile : +32 477 770 772
      E-Mail : mailto:steve.rosa@xxxxxxxxxxxxxx
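
Added example, not part of the original thread: a triage of firewall log lines for the situation discussed above, separating ICA attempts to servers outside the permitted set from attempts to permitted servers that the firewall still denied (for instance UDP 1604 left closed). The log format, the addresses and the names `PERMITTED`, `parse` and `triage` are constructed for illustration; only the port numbers come from the thread.

```python
import re
from collections import Counter

# Ports named in the thread: TCP 1494 and UDP 1604.
ICA_PORTS = {("tcp", 1494), ("udp", 1604)}

# Constructed addresses: the six servers the firewall is meant to permit.
PERMITTED = {"192.0.2.11", "192.0.2.12", "192.0.2.13",
             "192.0.2.14", "192.0.2.15", "192.0.2.16"}

# Constructed firewall log lines in a made-up format (assumption, not a real product's).
SAMPLE_LOG = """\
2004-11-04T08:01:10 ALLOW udp 198.51.100.7:3310 -> 192.0.2.11:1604
2004-11-04T08:01:11 DENY tcp 198.51.100.7:3312 -> 192.0.2.25:1494
2004-11-04T08:01:14 DENY tcp 198.51.100.7:3313 -> 192.0.2.25:1494
2004-11-04T08:01:19 DENY tcp 198.51.100.7:3315 -> 192.0.2.31:1494
2004-11-04T08:01:23 ALLOW tcp 198.51.100.7:3316 -> 192.0.2.13:1494
2004-11-04T08:02:40 DENY udp 198.51.100.9:4101 -> 192.0.2.12:1604
2004-11-04T08:02:41 DENY tcp 198.51.100.9:4102 -> 192.0.2.40:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse(log):
    """Yield one dict per well-formed log line; skip anything else."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            yield e

def triage(log, permitted=PERMITTED):
    """Return two Counters keyed by (dst, proto, port): outside, blocked."""
    outside, blocked = Counter(), Counter()
    for e in parse(log):
        key = (e["dst"], e["proto"], e["dport"])
        if key[1:] not in ICA_PORTS:
            continue                    # not ICA traffic, ignore
        if e["dst"] not in permitted:
            outside[key] += 1           # client tried a server outside the rule set
        elif e["action"] == "DENY":
            blocked[key] += 1           # permitted server, but a rule is missing
    return outside, blocked

if __name__ == "__main__":
    for title, found in zip(("outside permitted set", "permitted but denied"),
                            triage(SAMPLE_LOG)):
        for (dst, proto, port), n in sorted(found.items()):
            print(f"{title}: {dst} {proto}/{port} x{n}")
```
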
