
Citrix ADC Behind a Firewall



I currently have a Citrix VPX 13 ADC set up in the DMZ of a Fortigate Virtual Firewall. The public IP address of the ADC is NAT'd via the firewall to the VIP on the ADC in the DMZ. Given that this is the first time I've set up a Citrix ADC in a production environment, I am having a few concerns regarding my setup, namely:

1) Has anyone else seen a VPX ADC set up in the DMZ in the same way I've done it, with the public IP address being NAT'd through a firewall first? I set it up this way because everything I read said setting up in a DMZ was an acceptable way to set up an ADC and I assumed that included NAT'ing the public IP address. If so, were there any issues?

2) Most Citrix users sit at remote sites behind a firewall and access our ADC via a NAT'd internet connection. Some users, however, remotely connect via 4G modem (mobile phone) to the Citrix ADC. On the Citrix ADC only those users connected via 4G are shown as HDX connections. Those sitting behind a NAT'd firewall are not showing as HDX connections. I also have Citrix ADM, and on the HDX analytics it reports an error that "System has detected the ICA sessions that do not support logging, corresponding reports will not be available." Is this related to HDX connections? On Citrix Director all connections are shown as HDX connections.

I appreciate any insight anyone can give me regarding best practice for setting up Virtual Citrix ADC devices. I am concerned that because users are not connecting directly to the Citrix ADC, I'm missing out on some vital connection quality analytics.

Regards,

Ian

 


HDX analytics it reports an error that "System has detected the ICA sessions that do not support logging, corresponding reports will not be available.".

 

HDX Analytics reports in ADM are based on ICA connection parsing in ADC. Once ICA connections are parsed, ADC sends AppFlow records to ADM, which deciphers them and creates various reports. ADC parses ICA connections only if they originate from Windows/Mac/Linux receivers. It doesn't parse ICA connections originating from mobile receivers. When there are ICA connections that are not parsed, ADM gives information to the end user saying "System has detected the ICA sessions that do not support logging, corresponding reports will not be available".


On 10/12/2020 at 11:48 AM, Ian Dale1709161148 said:

1) Has anyone else seen a VPX ADC setup in the DMZ in the same way I've done it, with the public IP address being NAT'd through a firewall first. I set it up this way because everything I read said setting up in a DMZ was an acceptable way to setup an ADC and I assumed that included NAT'ing the public IP address. If so were there any issues?

 

Yes. In secure environments, ADC is deployed in the DMZ zones. You will not face any issues if the firewall rules are correctly configured.

 

On 10/12/2020 at 11:48 AM, Ian Dale1709161148 said:

Those sitting behind a NAT'd firewall are not showing as HDX connections.

 

Check whether you are NATing the source IP address as well. Also check the logs on the ADC to see if you are seeing the actual public IP address.

 

On 10/12/2020 at 11:48 AM, Ian Dale1709161148 said:

System has detected the ICA sessions that do not support logging, corresponding reports will not be available.

 

Check out the article below:

https://support.citrix.com/article/CTX232541

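The source NAT check suggested in the reply above, as an added example that is not part of the thread and not Citrix code: it counts session source addresses in ADC log lines and separates RFC 1918 or firewall addresses from real client addresses. The sample lines, the `Source <ip>:<port>` layout and all function names are constructed assumptions; adjust the regex to the lines your ADC actually writes.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (not real ADC output); the layout is an assumption.
SAMPLE_LOG = """\
Oct 12 11:02:10 adc ICASTART : Source 172.16.10.1:51514 - Destination 10.20.0.15:1494
Oct 12 11:03:44 adc ICASTART : Source 172.16.10.1:51720 - Destination 10.20.0.16:1494
Oct 12 11:05:02 adc ICASTART : Source 198.51.100.23:40112 - Destination 10.20.0.15:1494
Oct 12 11:06:31 adc ICASTART : Source 172.16.10.1:52001 - Destination 10.20.0.17:1494
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SOURCE_RE = re.compile(r"\bSource (\d{1,3}(?:\.\d{1,3}){3}):\d+")

def source_counts(log_text):
    """Count sessions per client source address as seen by the ADC."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SOURCE_RE.search(line)
        if not m:
            continue
        try:
            counts[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:
            continue  # skip malformed addresses such as 999.1.1.1
    return counts

def assess_source_nat(log_text, firewall_ips=()):
    """Split sessions into masked (private or firewall source) and public."""
    fw = {ipaddress.ip_address(ip) for ip in firewall_ips}
    masked, public = Counter(), Counter()
    for addr, n in source_counts(log_text).items():
        internal = addr in fw or any(addr in net for net in RFC1918)
        (masked if internal else public)[str(addr)] += n
    if not masked and not public:
        verdict = "no sessions found"
    elif not masked:
        verdict = "real client addresses visible"
    elif not public:
        verdict = "all sessions source-NATed"
    else:
        verdict = "mixed"
    return {"masked": dict(masked), "public": dict(public), "verdict": verdict}

if __name__ == "__main__":
    print(assess_source_nat(SAMPLE_LOG))
```

Pass the firewall's own interface addresses in `firewall_ips` when the firewall translates sources to a non-RFC 1918 address.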
