
Clients behind NAT


George Rubin

Question

Hey,

 

I've got a XenApp server & StoreFront running on the internet with accessible public IPs (clients can reach these),

But my clients are behind a NAT.

So basically my architecture is: Client computer -> NAT'd router -> Citrix

 

When I try to open an app from the storefront I get stuck in the progress bar saying "Starting.... connection established. Negotiating capabilities..."

I can't figure out what's the problem.

 

Help? :)

Link to comment

11 answers to this question


The connection that gives you the list of icons is pure HTTP, which is very easy to proxy and NAT.

 

When the user clicks an icon, StoreFront downloads an .ica file that contains the private IP address of the VDA machine. Receiver on the client machine attempts to connect to this private IP. This won’t work across the Internet.

 

When you add NetScaler Gateway, StoreFront directs Receiver to connect through SSL-enabled Gateway, which is a single IP that can be NAT’d. The Gateway can then connect to any internal VDA machine.

 

Search YouTube for Citrix NetScaler Gateway and StoreFront Integration Whiteboard

 

See http://www.carlstalhood.com/netscaler-menu/netscaler-12/ for configuration info.

 

 

Link to comment
11 minutes ago, Carl Stalhood1709151912 said:

The connection that gives you the list of icons is pure HTTP, which is very easy to proxy and NAT.

 

When the user clicks an icon, StoreFront downloads an .ica file that contains the private IP address of the VDA machine. Receiver on the client machine attempts to connect to this private IP. This won’t work across the Internet.

 

When you add NetScaler Gateway, StoreFront directs Receiver to connect through SSL-enabled Gateway, which is a single IP that can be NAT’d. The Gateway can then connect to any internal VDA machine.

 

Search YouTube for Citrix NetScaler Gateway and StoreFront Integration Whiteboard

 

See http://www.carlstalhood.com/netscaler-menu/netscaler-12/ for configuration info.

 

 

OK, but this is not my case. The VDA is not the one with the private IP. The client is (hence behind a NAT).

So basically there shouldn't be a problem?

Link to comment

Hi Carl, I have a slightly different scenario I hope you can help me with.

 

My clients connect via a private IPsec tunnel; they target a NAT on our firewall which translates into an internal address in our network.

 

Now, with Web Interface I used to use the secure access method, where I would enter the NAT and the internal address for the farm and the client would successfully connect over ports 1494, 2598, etc.

 

Now with StoreFront this option has gone, I believe. How does it work with the NetScaler proxy via an IPsec tunnel where the gateway or StoreFront is not available over the internet?

 

I have a public gateway and clients connect and all apps open over 443, but I'm not sure how it can work over the tunnel with NATs.

 

Any help is appreciated.

 

Thanks

 

 

Link to comment
13 hours ago, Carl Stalhood1709151912 said:

To simulate “alternate address” in StoreFront, configure your farm for DNS Resolution instead of IP resolution. Then configure DNS to resolve the VDA FQDNs to the NAT’d IP instead of the real IP.

 

Or, you could build a NetScaler Gateway that is reachable across the tunnel.

We actually used to use the translated option, see attached.

 

If I configure DNS to just use the NAT'd IP, how will internal support test, etc.?

 

Thanks

Capture.JPG

Edited by ndosanjh
grammar
Link to comment

I have a similar issue where we NAT both client workstation network IPs and destination XenApp servers. The connection to the Citrix webpage works fine and the ICA file downloads, but the connection fails. When I troubleshot, I found out the ICA file contains the real XenApp servers instead of the NAT'd XenApp servers which the client machine is looking for. If I manually edit the ICA file to the respective NAT'd XenApp server address, the connection opens. Any way to fix this issue?

 

Client IP --> Source NAT FW --> NAT client IP --> XenApp Destination IP --> Destination NAT FW --> XenApp Destination NAT IP --> Citrix

Link to comment
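Several posts in this thread come down to which address ends up in the downloaded .ica file. The following check is an added example, not code from any poster or from Citrix: it reads a launch file and reports, per application, whether the session goes through a Gateway or points the client directly at an RFC 1918 address. The sample file is constructed, and the section and key names (`ApplicationServers`, `Address`, `SSLProxyHost`) are assumed from the usual .ica INI layout.

```python
import configparser
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample launch file; all hosts, addresses and tickets are made up.
SAMPLE_ICA = """\
[ApplicationServers]
Notepad=
Calc=
Paint=

[Notepad]
Address=10.20.30.40:1494
TransportDriver=TCP/IP

[Calc]
Address=;40;STA0001;ABCDEF
SSLEnable=On
SSLProxyHost=gateway.example.com:443

[Paint]
Address=198.51.100.7:1494
"""

def classify_address(value):
    """Return 'private', 'routable' or 'non-ip' for an Address= value (IPv4[:port])."""
    host = value.strip().partition(":")[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "non-ip"  # FQDN or Gateway ticket rather than a literal IP
    return "private" if any(ip in net for net in RFC1918) else "routable"

def audit_ica(text):
    """Map each listed application to how the client is told to reach it."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    report = {}
    for app in cp["ApplicationServers"]:
        section = cp[app] if cp.has_section(app) else {}
        if section.get("SSLProxyHost"):
            report[app] = "via-gateway"      # client connects to the Gateway only
        elif classify_address(section.get("Address", "")) == "private":
            report[app] = "direct-private"   # client is handed an internal address
        else:
            report[app] = "direct"
    return report
```

A `direct-private` result for a client outside the network matches the situation described in the first answer: the launch file names an address the client cannot route to.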
