Clients behind firewallsSteve, If you are using TCP/IP you might check to see if UDP port 1604 is open. Also, When a client wants to connect to a particular Citrix MetaFrame server, after it knows the server's IP address, it will address the server on port 1494. The server will respond to the client on 1494 and assign it a port number in the "high port" range (1023-65534) for further communication. Each client that attaches to a single server is assigned a different "high port" number after the initial connection establishment. In this way, the Citrix MetaFrame server can differentiate between which clients it is conversing with, because each client continues communication with the Citrix MetaFrame server using a different source "high port" number, but the destination port number will remain at 1494 throughout the conversation. Depending on your firewall, you might have to manually open up this "high port" range to your Citrix MetaFrame server, in addition to the standard TCP 1494 connection port for your ICA clients to be able to communicate with the Citrix MetaFrame server. Hope this helps, Mike -----Original Message----- From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On Behalf Of Rosa,Steve,BRUSSELS,GLOBE Center EUR-ITOC Sent: Thursday, November 04, 2004 7:06 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: Clients behind firewalls Mike, These clients are connecting via TCP-IP only. They connect to the ZDC's via IP addresses, not FQDN, as this 3rd party site has no connection with our DNS infrastructure. The box for XML DNS Address Resolution is not checked. Steve -----Original Message----- From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On Behalf Of Mike Semon Sent: 04 November 2004 13:51 To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: Clients behind firewalls If you are using Program Neighborhood you may receive this error if you are connecting via HTTP+TCP. The client cannot resolve the FQDN of the Metaframe Server. Try adding an entry to the host file of the client device or in the Management Console deselect enable XML DNS Address Resolution under the farm properties. -Mike -----Original Message----- From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On Behalf Of Rosa,Steve,BRUSSELS,GLOBE Center EUR-ITOC Sent: Thursday, November 04, 2004 2:19 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] Clients behind firewalls Hi there, Environment: MF XP1.0 on Windows 2000 We have a couple of users who connect from a 3rd party site. Between this site and the server farm, firewalls have been put in place and rules have been created to allow the Citrix traffic. Our farm consists of 20 servers. These clients should only connect to 6 of the servers (2 are dedicated data collectors and 4 are actual load balanced application servers), therefore firewall is open only to these 4 boxes. When the users connect via the Program Neighbourhood, they get the error message "Cannot connect to the Citrix MetaFrame server. There is no route to the specified subnet address". The issue is not critical as refreshing 3 times usually clears the issue however it is annoying. I received some network trace logs which clearly show that the clients try to connect to servers where they should not. I assume a quick workaround would be to add all the servers in the firewall rules, but I would rather know what is really going on. Has anyone a clear view on this? Thanks! Steve Rosa Platform Services - Technology - Senior System Engineer Nestlé European Information Technology Operations Center (ITOC) S.A. Rue de Birmingham, 221 - B-1070 Brussels (Belgium) Phone : +32 2 529 68 35 - Fax : +32 2 529 55 95 Mobile : +32 477 770 772 E-Mail : mailto:steve.rosa@xxxxxxxxxxxxxx