Tried auto (default) but it doesn't work, because then my ISA Web Proxy clients (they are picking up the proxy server settings via dhcp auto discovery, fyi) can't use WI. If I leave it to auto, I have to set anyone here on the LAN with ISA to not be on auto discovery with no proxy settings specified in the IE connection tab. Putting it to client solved that problem.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Pitsch
Sent: Tuesday, November 02, 2004 2:51 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WI3.0 behind ISA, baffled

Oh and change your proxy settings to Auto instead of client.

Jeff Pitsch

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Evan Mann
Sent: Tuesday, November 02, 2004 2:12 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WI3.0 behind ISA, baffled

Really nothing private in there:

# The UnrestrictedSessionFields property controls which session fields can
# be set by user supplied data. All session fields can be made unrestricted
# by commenting out this property.
UnrestrictedSessionFields=NFuse_Application,NFuse_AppCommandLine,NFuse_User,NFuse_Domain,NFuse_Password,NFuse_LogonMode,NFuse_ClientName,NFuse_WindowType,NFuse_WindowWidth,NFuse_WindowHeight,NFuse_WindowScale,NFuse_WindowColors,NFuse_EncryptionLevel,NFuse_ICAAudioType,NFuse_SoundType,NFuse_VideoType,NFuse_COMPortMapping,NFuse_ClientPrinting, NFuse_HostId, NFuse_HostIdType, NFuse_SessionId, NFuse_Template
SessionFieldLocations=PNAgent,Script,Template,Properties,Url,Post,Cookie
Timeout=60
Version=3.0
AlternateAddress=Mapped
CacheExpireTime=3600
SessionField.NFuse_TicketTimeToLive=200
AllowCustomizeWinSize=On
AllowCustomizeWinColor=Off
AllowCustomizeAudio=Off
AllowCustomizeSettings=On
AddressResolutionType=IPv4-port
OtherClient=default
#OverrideClientInstallCaption=[Place your text here]
Win32Client=Click here to install the Citrix client&Citrix/ICAWEB/en/ica32/ica32t.exe
Win16Client=default
SolarisUnixClient=default
MacClient=default
SgiUnixClient=default
HpUxUnixClient=default
IbmAixClient=default
ScoUnixClient=default
Tru64Client=default
LinuxClient=default
LoginType=Default
#LoginDomains=[Place your domain here]
#RestrictDomains=Off
#HideDomainField=Off
#UPNSuffixes=[Place your UPN suffixes here]
#NDSTreeName=[For NDS logins place NDS Tree name here, and also change LoginType to NDS]
#SearchContextList=[NDS context1, NDS context2, ...]
AuthenticationMethods=Explicit
#ClientAddressMap=[clientAddress,AddressType,clientAddress,AddressType,...]
#ServerAddressMap=[normalAddress,translatedAddress,normalAddress,translatedAddress,...]
#InternalServerAddressMap=[normalAddress,translatedAddress,normalAddress,translatedAddress,...]
#ClientProxy=[clientAddress,proxyType,proxyAddress,clientAddress,proxyType,proxyAddress,...]
EnableSTALoadBalancing=On
AllowUserPasswordChange=Always
AutoDeployWebClient=On
IcaWebClientVersion=8,0,24737,0
RdpWebClientVersion=5,2,3790
RdpWebClientClassID=7584c670-2274-4efb-b00b-d6aaba6d3850
IcaWebClient=wficat.cab
RdpWebClient=msrdp.cab
IcaWebClientClassID=238f6f83-b8b4-11cf-8771-00a024541ee3
ShowClientInstallCaption=Auto
RequestICAClientSecureChannel=Detect-AnyCiphers
LaunchClients=Ica-Local,Ica-Embedded,Ica-Java,Rdp-Embedded
LaunchMethod=Ica-Local
AllowCustomizeClients=Off
JavaClientPackages=SecureICA,PrinterMapping,ConfigUI
AllowCustomizeJavaClientPackages=Off
IgnoreClientProvidedClientAddress=Off
AdditionalExplicitAuthentication=None
SessionField.NFuse_Farm1=localhost,Name:Farm1,XMLPort:80,Transport:HTTP,SSLRelayPort:443,BypassDuration:60,LoadBalance:On
EnableLegacyICAClientSupport=On
ReconnectAtLogin=DisconnectedAndActive
AllowCustomizeReconnectAtLogin=On
ReconnectButton=DisconnectedAndActive
AllowCustomizeReconnectButton=On
EnableLogoffApplications=On
AllowCustomizeLogoff=On
EnableWorkspaceControl=On
HideDomainField=On
LoginDomains=orlando1
ClientProxy=*,Client,-
ClientAddressMap=10.1.0.0/255.255.0.0,Normal,*,Alternate

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Pitsch
Sent: Tuesday, November 02, 2004 2:05 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WI3.0 behind ISA, baffled

Would you be willing to post your webinterface.conf file? Replacing any private information obviously :)

Jeff Pitsch

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Evan Mann
Sent: Tuesday, November 02, 2004 1:58 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WI3.0 behind ISA, baffled

That's a wildcard mask (reverse of subnet mask), I don't know why I put it that way in my e-mail. My Cisco Concentrator 3005 uses wildcard masks, so I must have had that stuck in my head.
I did have altaddr specified as the public address that clients see and still had same results.

There is a line in template.ica in the /conf directory which has a line that reads: Address=[Nfuse_AppServerAddress]

Under Nfuse 1.5/1.6, this used to read something like [Nfuse_IPV4Address]. I found an older doc on Citrix KB that says if you need to use NAT, you should change it to read [Nfuse_IPV4AddressAlternate] which would put the altaddr specified on the server into the .ica files for all published apps.

Now since this is now WI3.0 and it doesn't use these flags, I don't know what the equivalent flag for WI3.0, but aside from that, if I did know the flag, and I used it, I'd break access for my internal clients because they'd be trying to hit citrix via external IP, which my PIX does not allow. This seems to defeat the point of the configuring NAT options in WI3.0 as well.

I saved the .ICA file from the WI site, edited it, changed address to the external IP and double-clicked the ISA, and voila, it worked.

So now I guess the question is, why aren't the .ICA files updating properly with the altaddr when I connect from outside networks? This is the key to solving my problem it seems.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Pitsch
Sent: Tuesday, November 02, 2004 1:37 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WI3.0 behind ISA, baffled

The altaddr address has to be the public address that the clients see. You're passing the external clients a private address that can't be used to connect over the internet.

>> I then add an entry for 10.1.0.0/0.0.255.255 = NORMAL

Ok, excuse my ignorance, but why is your subnet mask reversed?
Jeff Pitsch

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Evan Mann
Sent: Tuesday, November 02, 2004 1:26 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WI3.0 behind ISA, baffled

OK, the IP address is the Citrix's server IP, not ISA's external IP. I'm not sure why. I thought I did the AltAddr setup correct:

BTW - Citrix and WI are the SAME box. This is strictly an evaluation setup for senior management, so we went simple, 1 box for all.

1) ran altaddr /set 192.168.12.45 on citrix/wi box and rebooted
2) Went into WI NAT configured and specified the default to be the alternate address. I then add an entry for 10.1.0.0/0.0.255.255 = NORMAL

Doesn't that make it so unless I'm hitting WI from 10.1.0.0/16 the .ICA file should have 192.168.12.45:1494 in it?

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Pitsch
Sent: Tuesday, November 02, 2004 1:15 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WI3.0 behind ISA, baffled

Ok, let's test NAT then. When you are at the application list in WI. Right click on an icon and do a save as. Open up the launch.ica and see what IP address it is returning. It should be the external address (obviously)

Jeff Pitsch

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Evan Mann
Sent: Tuesday, November 02, 2004 1:05 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WI3.0 behind ISA, baffled

I have a protocol definition for TCP/1494 and server published using that definition. There is also a protocol definition for UDP/1604 and server published, although I thought it wasn't necessary to open that for WI. There is a web publishing element in place so you can actually hit the WI website.

I am noticing that the citrix-ica access-list in my PIX is not increasing in hits at all. Only when I telnet to the external IP port 1494 does it increase.
I disabled session reliability and rebooted, still no luck.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Pitsch
Sent: Tuesday, November 02, 2004 12:49 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WI3.0 behind ISA, baffled

When you setup the proxy rule for 1494 did you use a web publishing or server publishing rule? ICA traffic requires a Server publishing rule.

Also, there could be a possibility that Session reliability is not failing over to 1494. If session reliability is enabled on your farm and you are not using it, then you can disable it at the farm. If you do use it or want to, you will need another Server publishing rule for port 2598.

Jeff Pitsch

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Evan Mann
Sent: Tuesday, November 02, 2004 12:30 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WI3.0 behind ISA, baffled

MPS 3.0, ICA client is 8.1 Web Client.

Not sure what you mean by forward or reverse proxy. All my LAN side clients (including servers) are SecureNAT clients for ISA, meaning their default gateway ends up being one of ISA's private side IPs

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Pitsch
Sent: Tuesday, November 02, 2004 12:22 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WI3.0 behind ISA, baffled

What version of Metaframe are you using? Is it version 3.0?

Jeff Pitsch

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Hutchinson, Alan
Sent: Tuesday, November 02, 2004 11:46 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WI3.0 behind ISA, baffled

When you say "In all cases, I can hit the WI site and login, but when I try to launch an app, it never connects to the Citrix server and launches. It's got to be something basic, right?!?" What exactly do you mean?
From this I assume you are getting a list of published apps and it's when you try to launch one of these that you have the problem? What exactly is the error message and how far through the connection stage are you getting? What client are you using?

Regards,
Alan.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On Behalf Of Evan Mann
Sent: 02 November 2004 04:51
To: thin@xxxxxxxxxxxxx
Subject: [THIN] WI3.0 behind ISA, baffled

Ok, can't figure this one out, all the docs/articles I've found aren't getting results.

Setup as follows:

Internet -> pix -> ISA -> internal servers

Internet IP address I want to use for WI is 11.11.11.11.
The PIX has an access-list to allow tcp citrix-ica and a static to map 11.11.11.11 to 192.168.10.45
192.168.10.45 is one of ISA's outside IPs
My WI box has an IP of 10.1.10.250
ISA has a protocol definition to allow TCP1494 and it maps it from 192.168.10.45 to 10.1.10.250 via server publishing.
ISA also has web publishing for port 80 for the actual WI interface
I also even added a packet filter for 1494 as an extra effort.

I set altaddr=192.168.10.45 and reboot citrix box, then I tried altaddr=11.11.11.11 and rebooted Citrix.

In all cases, I can hit the WI site and login, but when I try to launch an app, it never connects to the Citrix server and launches. It's got to be something basic, right?!?

There is some reference back for Nfuse in the template.ica to change Address=IPV4_AddressAlternate instead of IPV4_Address default setting but under WI3.0 the use of IPV4_Address is replaced with Nfuse_AppServerAddress, so I'm not sure if I need to use this or not.

In the WI3.0 Web page interface I set the default to alternate address and specified a normal address of 10.1.0./0.0.255.255 for internal clients. The internal clients always work, just not the ones coming in via PIX and ISA.

PS, I can telnet to 11.11.11.11 port 1494 and get ICA ICA ICA so I know my PIX and ISA are letting me at port 1494.
It seems like some kind of NAT issues on WI.

********************************************************
This Weeks Sponsor Emergent Online ThinCity Conference
Join us at ThinCity 2004: The 1st Annual Emergent OnLine Technology Conference
http://www.ThinCity.com
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
***********************************************************
For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm
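
The launch.ica test and the ClientAddressMap lookup discussed in this thread, as an added example that is not part of the original posts and not Citrix code: it picks the address type for a client IP from a ClientAddressMap value and compares it with the Address= line of a saved launch.ica. Assumptions: entries are tried left to right, `*` matches any client, and the part after `/` is applied literally as a netmask (which is why a reversed mask stops matching internal clients); the sample ICA text and the outside client 203.0.113.7 are constructed, the other addresses are the ones quoted in the thread.

```python
import configparser
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def address_type(client_ip, address_map):
    """AddressType of the first ClientAddressMap entry that matches client_ip.

    Assumption: entries are tried left to right, '*' matches anything, and the
    part after '/' is applied literally as a netmask.
    """
    fields = [f.strip() for f in address_map.split(",")]
    for pattern, addr_type in zip(fields[0::2], fields[1::2]):
        if pattern == "*":
            return addr_type
        net, _, mask = pattern.partition("/")
        m = _ip(mask) if mask else 0xFFFFFFFF
        if _ip(client_ip) & m == _ip(net) & m:
            return addr_type
    return None  # no entry matched and no '*' default was given

def ica_addresses(ica_text):
    """Map each section of a saved launch.ica to the host in its Address= line."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(ica_text)
    return {s: cp[s]["Address"].split(":")[0]
            for s in cp.sections() if "Address" in cp[s]}

def check_launch(client_ip, address_map, ica_text, normal, alternate):
    """List (section, address found, address expected) for every mismatch."""
    kind = address_type(client_ip, address_map)
    expected = alternate if kind == "Alternate" else normal
    return [(sec, found, expected)
            for sec, found in ica_addresses(ica_text).items() if found != expected]

# ClientAddressMap value as posted in the thread's webinterface.conf.
POSTED_MAP = "10.1.0.0/255.255.0.0,Normal,*,Alternate"
# The same entry written with the wildcard mask from the earlier e-mail.
REVERSED_MAP = "10.1.0.0/0.0.255.255,Normal,*,Alternate"

# Constructed sample of a saved launch.ica (not taken from the thread).
SAMPLE_ICA = """\
[WFClient]
Version=2
[ApplicationServers]
Notepad=
[Notepad]
Address=10.1.10.250:1494
InitialProgram=#Notepad
"""

if __name__ == "__main__":
    # Constructed clients: one inside 10.1.0.0/16, one outside.
    for ip in ("10.1.10.20", "203.0.113.7"):
        print(ip, address_type(ip, POSTED_MAP), address_type(ip, REVERSED_MAP),
              check_launch(ip, POSTED_MAP, SAMPLE_ICA, "10.1.10.250", "11.11.11.11"))
```

A non-empty result for an outside client is the symptom described in the thread: the .ica file carries the internal address although the map selects the alternate one.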