[THIN] Re: WI3.0 behind ISA, baffled

  • From: "Evan Mann" <emann@xxxxxxxxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 2 Nov 2004 14:54:16 -0500

Tried auto (default) but it doesn't work, because then my ISA Web Proxy
clients (they are picking up the proxy server settings via dhcp auto
discovery, fyi) can't use WI.  If I leave it to auto, I have to set
anyone here on the LAN with ISA to not be on auto discovery with no
proxy settings specified in the IE connection tab.  Putting it to client
solved that problem.



-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Jeff Pitsch
Sent: Tuesday, November 02, 2004 2:51 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WI3.0 behind ISA, baffled

Oh and change your proxy settings to Auto instead of client.

Jeff Pitsch


-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Evan Mann
Sent: Tuesday, November 02, 2004 2:12 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WI3.0 behind ISA, baffled

Really nothing private in there:

# The UnrestrictedSessionFields property controls which session fields can
# be set by user supplied data. All session fields can be made unrestricted
# by commenting out this property.
UnrestrictedSessionFields=NFuse_Application,NFuse_AppCommandLine,NFuse_User,NFuse_Domain,NFuse_Password,NFuse_LogonMode,NFuse_ClientName,NFuse_WindowType,NFuse_WindowWidth,NFuse_WindowHeight,NFuse_WindowScale,NFuse_WindowColors,NFuse_EncryptionLevel,NFuse_ICAAudioType,NFuse_SoundType,NFuse_VideoType,NFuse_COMPortMapping,NFuse_ClientPrinting, NFuse_HostId, NFuse_HostIdType, NFuse_SessionId, NFuse_Template
SessionFieldLocations=PNAgent,Script,Template,Properties,Url,Post,Cookie
Timeout=60
Version=3.0
AlternateAddress=Mapped
CacheExpireTime=3600
SessionField.NFuse_TicketTimeToLive=200
AllowCustomizeWinSize=On
AllowCustomizeWinColor=Off
AllowCustomizeAudio=Off
AllowCustomizeSettings=On
AddressResolutionType=IPv4-port
OtherClient=default
#OverrideClientInstallCaption=[Place your text here]
Win32Client=Click here to install the Citrix client&Citrix/ICAWEB/en/ica32/ica32t.exe
Win16Client=default
SolarisUnixClient=default
MacClient=default
SgiUnixClient=default
HpUxUnixClient=default
IbmAixClient=default
ScoUnixClient=default
Tru64Client=default
LinuxClient=default
LoginType=Default
#LoginDomains=[Place your domain here]
#RestrictDomains=Off
#HideDomainField=Off
#UPNSuffixes=[Place your UPN suffixes here]
#NDSTreeName=[For NDS logins place NDS Tree name here, and also change LoginType to NDS]
#SearchContextList=[NDS context1, NDS context2, ...]
AuthenticationMethods=Explicit
#ClientAddressMap=[clientAddress,AddressType,clientAddress,AddressType,...]
#ServerAddressMap=[normalAddress,translatedAddress,normalAddress,translatedAddress,...]
#InternalServerAddressMap=[normalAddress,translatedAddress,normalAddress,translatedAddress,...]
#ClientProxy=[clientAddress,proxyType,proxyAddress,clientAddress,proxyType,proxyAddress,...]
EnableSTALoadBalancing=On
AllowUserPasswordChange=Always
AutoDeployWebClient=On
IcaWebClientVersion=8,0,24737,0
RdpWebClientVersion=5,2,3790
RdpWebClientClassID=7584c670-2274-4efb-b00b-d6aaba6d3850
IcaWebClient=wficat.cab
RdpWebClient=msrdp.cab
IcaWebClientClassID=238f6f83-b8b4-11cf-8771-00a024541ee3
ShowClientInstallCaption=Auto
RequestICAClientSecureChannel=Detect-AnyCiphers
LaunchClients=Ica-Local,Ica-Embedded,Ica-Java,Rdp-Embedded
LaunchMethod=Ica-Local
AllowCustomizeClients=Off
JavaClientPackages=SecureICA,PrinterMapping,ConfigUI
AllowCustomizeJavaClientPackages=Off
IgnoreClientProvidedClientAddress=Off
AdditionalExplicitAuthentication=None
SessionField.NFuse_Farm1=localhost,Name:Farm1,XMLPort:80,Transport:HTTP,SSLRelayPort:443,BypassDuration:60,LoadBalance:On
EnableLegacyICAClientSupport=On
ReconnectAtLogin=DisconnectedAndActive
AllowCustomizeReconnectAtLogin=On
ReconnectButton=DisconnectedAndActive
AllowCustomizeReconnectButton=On
EnableLogoffApplications=On
AllowCustomizeLogoff=On
EnableWorkspaceControl=On
HideDomainField=On
LoginDomains=orlando1
ClientProxy=*,Client,-
ClientAddressMap=10.1.0.0/255.255.0.0,Normal,*,Alternate 

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Jeff Pitsch
Sent: Tuesday, November 02, 2004 2:05 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WI3.0 behind ISA, baffled

Would you be willing to post your webinterface.conf file?  Replacing any
private information obviously :)

Jeff Pitsch


-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Evan Mann
Sent: Tuesday, November 02, 2004 1:58 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WI3.0 behind ISA, baffled

That's a wildcard mask (reverse of subnet mask), I don't know why I put
it that way in my e-mail. My Cisco Concentrator 3005 uses wildcard
masks, so I must have had that stuck in my head.

I did have altaddr specified as the public address that clients see and
still had same results.

There is a line in template.ica in the /conf directory which has a line
that reads:

Address=[Nfuse_AppServerAddress]

Under Nfuse 1.5/1.6, this used to read something like
[Nfuse_IPV4Address].  I found an older doc on Citrix KB that says if you
need to use NAT, you should change it to read
[Nfuse_IPV4AddressAlternate] which would put the altaddr specified on
the server into the .ica files for all published apps. Now since this is
now WI3.0 and it doesn't use these flags, I don't know what the
equivalent flag for WI3.0 is, but aside from that, if I did know the flag,
and I used it, I'd break access for my internal clients because they'd
be trying to hit citrix via external IP, which my PIX does not allow.
This seems to defeat the point of the configuring NAT options in WI3.0
as well.

I saved the .ICA file from the WI site, edited it, changed address to
the external IP and double-clicked the ISA, and voila, it worked.  

So now I guess the question is, why aren't the .ICA files updating
properly with the altaddr when I connect from outside networks?  This is
the key to solving my problem it seems.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Jeff Pitsch
Sent: Tuesday, November 02, 2004 1:37 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WI3.0 behind ISA, baffled

The altaddr address has to be the public address that the clients see.
You're passing the external clients a private address that can't be used
to connect over the internet.

>> I then add an entry for 10.1.0.0/0.0.255.255 = NORMAL

Ok, excuse my ignorance, but why is your subnet mask reversed?  

Jeff Pitsch


-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Evan Mann
Sent: Tuesday, November 02, 2004 1:26 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WI3.0 behind ISA, baffled

OK, the IP address is the Citrix's server IP, not ISA's external IP.
I'm not sure why.  I thought I did the AltAddr setup correct:

BTW - Citrix and WI are the SAME box.  This is strictly an evaluation
setup for senior management, so we went simple, 1 box for all.

1) ran altaddr /set 192.168.12.45 on citrix/wi box and rebooted
2) Went into WI NAT configured and specified the default to be the
alternate address.  I then add an entry for 10.1.0.0/0.0.255.255 =
NORMAL 

Doesn't that make it so unless I'm hitting WI from 10.1.0.0/16 the .ICA
file should have 192.168.12.45:1494 in it?


-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Jeff Pitsch
Sent: Tuesday, November 02, 2004 1:15 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WI3.0 behind ISA, baffled

Ok, let's test NAT then.  When you are at the application list in WI.
Right click on an icon and do a save as.  Open up the launch.ica and see
what IP address it is returning.  It should be the external address
(obviously)

Jeff Pitsch


-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Evan Mann
Sent: Tuesday, November 02, 2004 1:05 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WI3.0 behind ISA, baffled

I have a protocol definition for TCP/1494 and server published using
that definition.  There is also a protocol definition for UDP/1604 and
server published, although I thought it wasn't necessary to open that for
WI.  There is a web publishing element in place so you can actually hit
the WI website. 

I am noticing that the citrix-ica access-list in my PIX is not
increasing in hits at all. Only when I telnet to the external IP port
1494 does it increase.  

I disabled session reliability and rebooted, still no luck.


-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Jeff Pitsch
Sent: Tuesday, November 02, 2004 12:49 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WI3.0 behind ISA, baffled

When you setup the proxy rule for 1494 did you use a web publishing or
server publishing rule?  ICA traffic requires a Server publishing rule.

Also, there could be a possibility that Session reliability is not
failing over to 1494.  If session reliability is enabled on your farm
and you are not using it, then you can disable it at the farm.  If you
do use it or want to, you will need another Server publishing rule for
port 2598.

Jeff Pitsch


-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Evan Mann
Sent: Tuesday, November 02, 2004 12:30 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WI3.0 behind ISA, baffled

MPS 3.0, ICA client is 8.1 Web Client.  Not sure what you mean by
forward or reverse proxy.  All my LAN side clients (including servers)
are SecureNAT clients for ISA, meaning their default gateway ends up
being one of ISA's private side IPs


 

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Jeff Pitsch
Sent: Tuesday, November 02, 2004 12:22 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WI3.0 behind ISA, baffled

What version of Metaframe are you using?  Is it version 3.0?

Jeff Pitsch


-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Hutchinson, Alan
Sent: Tuesday, November 02, 2004 11:46 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WI3.0 behind ISA, baffled

When you say

 "In all cases, I can hit the WI site and login, but when I try to
launch an app, it never connects to the Citrix server and launches.
It's got to be something basic, right?!?"

What exactly do you mean? From this I assume you are getting a list of
published apps and it's when you try to launch one of these that you
have the problem? What exactly is the error message and how far through
the connection stage are you getting? What client are you using?

Regards,

Alan.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On
Behalf Of Evan Mann
Sent: 02 November 2004 04:51
To: thin@xxxxxxxxxxxxx
Subject: [THIN] WI3.0 behind ISA, baffled


Ok, can't figure this one out, all the docs/articles I've found aren't
getting results.  Setup as follows:

Internet -> pix  -> ISA -> internal servers

Internet IP address I want to use for WI is 11.11.11.11.  The PIX has a
access-list to allow tcp citrix-ica and a static to map 11.11.11.11 to
192.168.10.45

192.168.10.45 is one of ISA's outside IPs

My WI box has an IP of 10.1.10.250

ISA has a protocol definition to allow TCP1494 and it maps it from
192.168.10.45 to 10.1.10.250 via server publishing.  
ISA also has web publishing for port 80 for the actual WI interface.  I
also even added a packet filter for 1494 as an extra effort.  

I set altaddr=192.168.10.45 and reboot citrix box, then I tried
altaddr=11.11.11.11 and rebooted Citrix.

In all cases, I can hit the WI site and login, but when I try to launch
an app, it never connects to the Citrix server and launches.  It's got
to be something basic, right?!?

There is some reference back for Nfuse in the template.ica to change
Address=IPV4_AddressAlternate instead of IPV4_Address default setting
but under WI3.0 the use of IPV4_Address is replaced with
Nfuse_AppServerAddress, so I'm not sure if I need to use this or not.

In the WI3.0 Web page interface I set the default to alternate address
and specified a normal address of 10.1.0./0.0.255.255 for internal
clients.  The internal clients always work, just not the ones coming in
via PIX and ISA.

PS, I can telnet to 11.11.11.11 port 1494 and get ICA  ICA  ICA so I
know my PIX and ISA are letting me at port 1494.  It seems like some
kind of NAT issues on WI.
********************************************************
This Weeks Sponsor Emergent Online ThinCity Conference Join us at
ThinCity 2004: The 1st Annual Emergent OnLine Technology Conference
http://www.ThinCity.com
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
***********************************************************
For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode
use the below link:
http://thin.net/citrixlist.cfm
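
The subnet-mask versus wildcard-mask exchange in this thread, worked through as an added example (not code from the posters or from Citrix). It assumes a ClientAddressMap is evaluated first-match with an ordinary AND-mask comparison; the function names and the client addresses are constructed for illustration.

```python
import ipaddress

# Constructed from the thread: the map as first described (wildcard mask)
# and as it appears in the posted webinterface.conf (subnet mask).
MAP_WILDCARD = "10.1.0.0/0.0.255.255,Normal,*,Alternate"
MAP_SUBNET = "10.1.0.0/255.255.0.0,Normal,*,Alternate"


def parse_client_address_map(value):
    """Split 'addr/mask,Type,...' into (net, mask, type) rules; '*' is a catch-all."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) % 2:
        raise ValueError("expected address,type pairs")
    rules = []
    for spec, addr_type in zip(parts[0::2], parts[1::2]):
        if spec == "*":
            rules.append((None, None, addr_type))
            continue
        net, _, mask = spec.partition("/")
        rules.append((int(ipaddress.IPv4Address(net)),
                      int(ipaddress.IPv4Address(mask)), addr_type))
    return rules


def address_type_for(client_ip, rules):
    """Assumption: first matching rule wins, compared as (ip & mask) == (net & mask)."""
    ip = int(ipaddress.IPv4Address(client_ip))
    for net, mask, addr_type in rules:
        if net is None or (ip & mask) == (net & mask):
            return addr_type
    return None


def is_wildcard_mask(mask):
    """True when the mask has contiguous trailing 1-bits (Cisco-style wildcard)
    and is not also a valid subnet mask."""
    m = int(ipaddress.IPv4Address(mask))
    inverse = ~m & 0xFFFFFFFF
    is_subnet = (inverse & (inverse + 1)) == 0
    return (m & (m + 1)) == 0 and not is_subnet


def classify(map_value, clients):
    """Return {client_ip: address type} for one ClientAddressMap value."""
    rules = parse_client_address_map(map_value)
    return {c: address_type_for(c, rules) for c in clients}


if __name__ == "__main__":
    # Constructed client addresses: one LAN host, two outside hosts.
    clients = ["10.1.10.50", "198.51.100.7", "198.51.0.0"]
    for label, value in (("wildcard", MAP_WILDCARD), ("subnet", MAP_SUBNET)):
        print(label, classify(value, clients))
```

Under these assumptions the wildcard form sends the LAN host to the alternate address and treats only hosts ending in .0.0 as internal, while the subnet form gives the split the thread was aiming for.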

