RE: [FW1] Adding a ip's to the firewall
When you have a Citrix server behind a FW1 machine there are many things you
have to have set-up in order to make it work properly. Here is a small list to
get you started.
1. Both Citrix servers obviously have two internal ip addresses. The question
is have you assigned them real ip addresses on the firewall and are they natted
properly? To test this you can allow icmp in to that group of servers to see if
they respond. Once that is done you can close the rule down by accepting
incoming connections only on TCP 1494 and UDP 1604. If you are using Citrix
Metaframe Feature Release one you can do away with the UDP port as well and
allow ICA browsing over HTTP. You have to set that up in the client though and
it's only available with the latest WIN32 ICA client 6.10.699 I believe.
2. If you don't do this next step it wouldn't work even if your firewall was
set-up properly. When an ICA client makes a request for a hosted application or
a Citrix server it makes a request to the ICA master browser. The internal
Citrix box will always respond using its internal ip address and when that goes
back out to the client on the net they will not be able to route back. In order
to fix this simply type this command in at each Citrix box
Box 1.
c:\altaddr /set 192.168.1.10 216.222.111.222
Box 2.
c:\altaddr /set 192.168.1.11 216.222.111.223
This will allow the master ICA browser to return the natted address to the
client instead of the internal ip address.
3. On your client right click on Custom ICA connections and choose custom
connection settings. You will see the default server location. Add the two real
ip addresses there and then choose the firewalls tab. From there choose "Use
alternate address for firewall connection". Save those settings and set-up your
first custom connection.
Those are the basics. Personally I would have customized the client install
diskettes for your people so that they don't have to do any of those things.
The best way to do this is install the client on a clean machine and once you
have made all those modifications to the client including setting up the icons,
there are 4 ini files to copy over the install diskettes. They are pn.ini,
appsrv.ini, wfclient.ini and module.ini. The first three ini's have to be
copied from your profile\application data\ica client directory, the module.ini
is in c:\program files\citrix\ica client. When you copy these to disk one the
extension has to be changed to .src instead of ini.
4. Your two internal citrix servers have to be added to your spoof group
otherwise they will not function properly. I.e., you will have 4 objects, 2
workstation objects representing the internal citrix servers and 2 objects
representing the citrix servers with their real ip addresses.
If you need any more info try going to www.citrix.com and choose the support
option. Sorry I'm not much of a teacher.
Rocky Stefano
Echelon Systems Inc.
[email protected]
www.echelonsystems.com
Systems that work...

-----Original Message-----
From: [email protected] [mailto:[email protected]]On Behalf Of Skip Lawrence - ext. 8972
Sent: Wednesday, December 20, 2000 9:41 AM
To: 'Fw-1-Mailinglist (E-mail)
Subject: [FW1] Adding a ip's to the firewall

Seasons greetings to all out there. We have just created two new Citrix
Servers. I have added them to the Citrix group on the firewall, and verified
them and pushed them to the firewall. For some reason it works on the internal
side. But the outside folks can not get into the two new Citrix Servers. This
is a NT shop. Thank you.
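An added example, not part of the original message or of any Citrix or Check Point tooling: a consistency check for the setup the reply walks through (NAT, altaddr, closed-down inbound rule, spoof group), run over a constructed inventory. The data layout, finding names and the `audit` function are assumptions for illustration; the addresses and ports are the ones from the message.

```python
import ipaddress

# Services the reply leaves open once the ICMP test is finished.
ALLOWED = {("tcp", 1494), ("udp", 1604)}

def audit(nat, altaddr, inbound, spoof_group):
    """Return (finding, subject) tuples for a Citrix-behind-NAT setup.

    nat:         internal ip -> real (NAT) ip configured on the firewall
    altaddr:     internal ip -> alternate address set with altaddr on that box
    inbound:     (protocol, port) pairs accepted from outside to the group
    spoof_group: internal ips present in the spoof group
    """
    findings = []
    for internal, real in sorted(nat.items()):
        if ipaddress.ip_address(real).is_private:
            findings.append(("nat-not-routable", internal))
        alt = altaddr.get(internal)
        if alt is None:
            # Master browser would hand the internal address to outside clients.
            findings.append(("altaddr-missing", internal))
        elif alt != real:
            # Clients would be sent to an address that is not this box's NAT.
            findings.append(("altaddr-mismatch", internal))
        if internal not in spoof_group:
            findings.append(("not-in-spoof-group", internal))
    for proto, port in inbound:
        if (proto, port) not in ALLOWED:
            findings.append(("extra-inbound-service", f"{proto}/{port}"))
    return findings

# Constructed sample: addresses from the message, with three deliberate faults.
NAT = {"192.168.1.10": "216.222.111.222", "192.168.1.11": "216.222.111.223"}
BAD_ALTADDR = {"192.168.1.10": "216.222.111.222"}             # box 2 never set
BAD_INBOUND = [("icmp", "any"), ("tcp", 1494), ("udp", 1604)]  # test rule left in
BAD_SPOOF = {"192.168.1.10"}                                   # box 2 not added

if __name__ == "__main__":
    for finding in audit(NAT, BAD_ALTADDR, BAD_INBOUND, BAD_SPOOF):
        print(finding)
```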