PHPKB Knowledge Base Software Logo  
Guru Corner
Online Knowledgebase System  
Knowledge Base Home Knowledge Base Home
Home > All Categories > Citrix Systems > Configuring NFuse/Web Interface for Use with Network Address Translation (NAT)
Question Title Configuring NFuse/Web Interface for Use with Network Address Translation (NAT)

If Citrix NFuse/Web Interface users need to access one or more MetaFrame servers through firewalls using Network Address Translation (NAT), additional steps need to be taken beyond the standard NFuse/Web Interface setup for a LAN environment.

NOTE: This document assumes that NFuse/Web Interface is already set up and working on the LAN. Basic knowledge of Citrix ICA connectivity and NFuse/Web Interface setup is required. Standard ICA and NFuse/Web Interface connectivity issues are not covered in this document, unless it pertains to setup or troubleshooting specific to a NAT environment.

In an environment using NAT, the NFuse/Web Interface Web page being displayed for the user needs to give out connection information based on the Internet-routable IP of the MetaFrame server(s). If the NFuse environment is not modified from default, the NFuse/Web Interface user will be attempting to launch applications based on the MetaFrame server's internal, non-routable IP address. This will fail unless the following steps are taken to properly configure the NFuse/Web Interface environment.

NFuse/Web Interface consists of a three-tier architecture including a client device, an NFuse-enabled Web server, and a MetaFrame server running the Citrix XML service.

Background of NFuse Communication

The communication between the client workstation and NFuse/Web Interface Web server occurs by default on port 80 of the NFuse Web server. The communication between the NFuse/Web Interface Web server and the MetaFrame/XML server occurs on the port number specified by the administrator during installation of the Citrix XML service. The communication between the client workstation and the MetaFrame server occurs by default on TCP port 1494.

Client workstation --- > NFuse/Web Interface Web server -- > MetaFrame/XML server

The client workstation passes user credentials to the Web server using the NFuse/Web Interface logon page. The Web server receives these credentials and passes them to the MetaFrame/XML server. The MetaFrame/XML server then determines which icons the NFuse/Web Interface user should receive based on the user's NT-based group membership. The MetaFrame/XML server sends this information back in the next step.

Client workstation < -- NFuse/Web Interface Web server < -- MetaFrame/XML server

The MetaFrame/XML server sends the icon information back to the Web server, which then displays the icons on a Web page in the user's browser.

Client workstation -- > NFuse/Web Interface Web server -- > MetaFrame/XML server

The user clicks on one of these application icons. This click by the user is a request by the workstation to launch that ICA application. This request is sent to the Web server and the Web server passes on this request to the MetaFrame/XML server. The MetaFrame/XML server communicates with the other MetaFrame servers on the subnet to determine which MetaFrame server the user should be connected to. The MetaFrame/XML server then gathers this information and sends it back in the next step.

Client workstation < -- NFuse/Web Interface Web server < -- MetaFrame/XML server

The /XML server sends the application information to the Web server. This connection information is entered into a file called Template.ica. When the Template.ica file contains this connection information, including the IP address of the MetaFrame server, the workstation downloads the ICA file.

Client workstation --- > MetaFrame server

When the workstation has the ICA file, it launches an ICA connection based on the information within it. The network traffic generated now is ICA traffic. This traffic is displayed in more detail below.

Steps to Configure the NFuse Environment for NAT

1. A rule needs to be set up on the firewall and a route needs to be in place on other network devices to allow users from the outside to access each of the MetaFrame servers. Citrix recommends that one Internet-routable IP address be reserved for each of the MetaFrame servers behind the firewall. These routes need to be set up whether NFuse will be used or not. The ICA Client users need to communicate through the firewall on TCP port 1494 and then be forwarded to the MetaFrame server internally. Note: Page 76 of the Web Interface Administrator’s Guide discusses a topic call Port Address Translation. This feature can be used if individual external IP addresses can not be obtained for each MetaFrame server in the Farm.

2. It is advisable to first test the firewall connection without NFuse. You need a workstation on the Internet with the full ICA Client installed. At this workstation create a custom ICA connection configured to connect directly to the Internet-routable IP address (not a published application) of the MetaFrame server. If this test succeeds, a valid route is set up. If this test fails, confirm that the firewall(s) and router(s) are configured properly.

The following is a representation of network traffic generated by one TCP-based ICA session launched by NFuse or by a direct IP address connection using the full Program Neighborhood ICA Client:

    1. ICA Client >-------source port:1024--------->----destination port:1494--------> MetaFrame server

    2. ICA Client <-------destination port:1024---<-----source port:1494-------------< MetaFrame server

    3. Repeat

In the above representation, this workstation is using TCP port 1024 as its source port. Unless altered in the registry, an ICA Client will choose a TCP port from 1024 to 5000 based on its default TCP parameters (See TechNet 174904, & 148732). By default, the MetaFrame server will always use TCP port 1494 to accept incoming ICA traffic. TCP port 1494 will also be the source port when sending to the ICA Client. This port is configurable using the ICAPORT command line utility. During a direct IP address connection to the MetaFrame server, UDP port 1604 is not used. During an NFuse connection, there is no client/server UDP communication. The above representation of TCP-based ICA traffic repeats until the ICA session is disconnected, logged off, or reset.

3. After the routes from the ICA Client to each of the MetaFrame servers are tested successfully, you need to set the alternate addresses on each MetaFrame server. The alternate address is a MetaFrame-specific setting that is configured using the ALTADDR utility. Run the ALTADDR utility from the command line of the MetaFrame server.

The syntax is: ALTADDR /set <Internet IP address>

Setting the Alternate Address on the Citrix server using both the internal and external IP addresses causes NFuse Web sites to lose connectivity.

Example command: altaddr /set 10.3.15.10 65.65.65.65

NOTE: This configuration works if you are using the Program Neighborhood Client for ICA connectivity, but it may cause a NFuse/Web Interface Web site to fail.

Remove the Alternate Address set using both internal and external IP addresses and set the Alternate Address using only the external IP address.

Example commands (in order of execution):

    altaddr /delete 10.3.15.10 (to delete)

altaddr (to verify alternate address is removed)

altaddr /set 65.65.65.65

altaddr (to verify that alternate is set)

Your output will now look similar to this:

Alternate TCP addresses for AMEN-RA

    Local Address Alternate Address

Default 10.3.15.100

NOTE: The "Local Address" section now has "Default" listed instead of an IP address. For these changes to take effect, reboot the Citrix server.

To determine which IP address to use as the Internet-routable IP address, see Step 2 above. In Step 2, the test user on the Internet made a successful ICA connection to the MetaFrame server using an Internet-routable IP address as the destination. This IP address could have been the IP address of the firewall, the router, or an address reserved solely for use by the MetaFrame server connections. The firewall administrator usually determines this. This IP address is the IP address used in the ALTADDR command. Use the QSERVER and ALTADDR utilities with no switches to verify the new settings.

4. At this point, the environment can be tested again without NFuse. This test is recommended, but not required. If no route is available for the Internet-based ICA Client to communicate with the MetaFrame XML service, this test cannot be done. If there is no route, proceed to Step 5. To test, use the same test workstation on the Internet as described in Step 2. In the ICA Client, create another custom ICA connection and choose the TCP + HTTP browsing option. Check the box labeled Use alternate address for firewall connection. Attempt to browse for a list of servers or published applications using the drop-down menu. If a list is received, this test is successful. If an error is received, it is likely there is a configuration issue. Some common causes for an error at this point could be:

    • No route to the XML service port on the MetaFrame server

    • A problem with the alternate address settings

    • A client configuration issue

4.The last step is to modify the Template.ica file in the NFuse/Web Interface Web site. Use the Admin pages of Nfuse/Web Interface.

Using the NFuse Java Objects NFuse_IPv4Address and NFuse_IPv4AddressAlternate eliminates the need for UDP browsing.

If manually editing the file, ensure the correct Template.ica file (by default, there is one for each NFuse/Web Interface Web site). Open this file in a text editor and locate this line:

Address=[NFuse_IPV4Address]

Modify this line so that it reads:

Address=[NFuse_IPV4AddressAlternate]

NFuse_IPv4AddressAlternate: Retrieves the external (or public) IP address of the Citrix server hosting the published application. Recommended when using address translation (NAT) or accessing the Citrix server through the firewall.

NFuse/Web Interface will now work properly in a NAT environment.

NOTE: When using the [NFuse_IPV4Address] tag(s), the TcpBrowserAddress and UseAlternateAddress arguments are ignored and should be omitted.

Troubleshooting

If you cannot retrieve a list of NFuse/Web Interface application icons after entering your credentials, there could be a problem with the communication between the NFuse/Web Interface Web server and the MetaFrame server running the XML service. If the NFuse/Web Interface Web server and the MetaFrame server are both behind the firewall, standard NFuse/Web Interface troubleshooting applies, which is not covered in this document. If the Web server is outside of the firewall, ensure the correct port is open on the firewall to allow the XML service on the MetaFrame server to communicate with the Web server. The TCP port number that needs to be opened is dependent upon the port number chosen during installation of the XML service. Test that the communication path is available and that the XML service is responding by using telnet.

The syntax from the command line is telnet ip address of XML server : port number for XML service.

Press the Enter key several times and an error message appears with "HTTP Bad Request" in the heading and ending with "Connection to host lost." (The XML service is installed during installation of MetaFrame XP. If MetaFrame 1.8 is in use, Service Pack 2 for MetaFrame 1.8 includes the XML service.)

If you receive the NFuse/Web Interface application icons but cannot launch them, right-click the application icon and choose Open in New Window. If a new window opens, continue troubleshooting based on the error. If a new browser window is not opened or the error does not contain helpful information, right-click the application icon and choose Save Target As. You are prompted to save a text-based file containing pertinent ICA connection information. Open this file in Notepad or any other text editor. Verify that the file contains the correct IP address for ICA connectivity to the MetaFrame server from outside of the firewall. The line that contains this information is under the [Application Name] heading and begins with Address=. If this file contains correct information, attempt to launch the file from its saved location on the computer by double-clicking the file. You can also attempt to connect to this MetaFrame server as explained above in Step 2 and use the address specified in the Address= line from the downloaded file.

If the installation is still not successful, it is important to note the error received and at exactly which point the failure is occurring to better understand the issue.
Authored by: Guru Corner
Click Here to View all the questions in Citrix Systems category.
File Attachments File Attachments
There are no attachment file(s) related to this question.
Article Information Additional Information
Article Number: 115
Created: 2010-03-25 11:42 PM
Rating: No Rating
 
Article Options Article Options
Print Question Print this Question
Export to Adobe PDF Export to PDF File
Export to MS Word Export to MS Word
 
Search Knowledge Base Search Knowledge Base
 
 

Powered by Guru Corner