If Citrix NFuse/Web Interface users need to access one or more
MetaFrame servers through firewalls using Network Address Translation
(NAT), additional steps need to be taken beyond the standard NFuse/Web
Interface setup for a LAN environment.
This document assumes that NFuse/Web Interface is already set up and
working on the LAN. Basic knowledge of Citrix ICA connectivity and
NFuse/Web Interface setup is required. Standard ICA and NFuse/Web
Interface connectivity issues are not covered in this document, unless
it pertains to setup or troubleshooting specific to a NAT environment.
an environment using NAT, the NFuse/Web Interface Web page being
displayed for the user needs to give out connection information based on
the Internet-routable IP of the MetaFrame server(s). If the NFuse
environment is not modified from default, the NFuse/Web Interface user
will be attempting to launch applications based on the MetaFrame
server's internal, non-routable IP address. This will fail unless the
following steps are taken to properly configure the NFuse/Web Interface
NFuse/Web Interface consists of a
three-tier architecture including a client device, an NFuse-enabled Web
server, and a MetaFrame server running the Citrix XML service.
of NFuse Communication
The communication between
the client workstation and NFuse/Web Interface Web server occurs by
default on port 80 of the NFuse Web server. The communication between
the NFuse/Web Interface Web server and the MetaFrame/XML server occurs
on the port number specified by the administrator during installation of
the Citrix XML service. The communication between the client
workstation and the MetaFrame server occurs by default on TCP port 1494.
Client workstation --- > NFuse/Web Interface Web
server -- > MetaFrame/XML server
workstation passes user credentials to the Web server using the
NFuse/Web Interface logon page. The Web server receives these
credentials and passes them to the MetaFrame/XML server. The
MetaFrame/XML server then determines which icons the NFuse/Web Interface
user should receive based on the user's NT-based group membership. The
MetaFrame/XML server sends this information back in the next step.
workstation < -- NFuse/Web Interface Web server < --
The MetaFrame/XML server sends
the icon information back to the Web server, which then displays the
icons on a Web page in the user's browser.
workstation -- > NFuse/Web Interface Web server -- > MetaFrame/XML
The user clicks on one of these application
icons. This click by the user is a request by the workstation to launch
that ICA application. This request is sent to the Web server and the Web
server passes on this request to the MetaFrame/XML server. The
MetaFrame/XML server communicates with the other MetaFrame servers on
the subnet to determine which MetaFrame server the user should be
connected to. The MetaFrame/XML server then gathers this information and
sends it back in the next step.
< -- NFuse/Web Interface Web server < -- MetaFrame/XML server
/XML server sends the application information to the Web server. This
connection information is entered into a file called Template.ica. When
the Template.ica file contains this connection information, including
the IP address of the MetaFrame server, the workstation downloads the
Client workstation --- > MetaFrame
When the workstation has the ICA file, it
launches an ICA connection based on the information within it. The
network traffic generated now is ICA traffic. This traffic is displayed
in more detail below.
Steps to Configure the
NFuse Environment for NAT
1. A rule needs to be
set up on the firewall and a route needs to be in place on other network
devices to allow users from the outside to access each of the MetaFrame
servers. Citrix recommends that one Internet-routable IP address be
reserved for each of the MetaFrame servers behind the firewall. These
routes need to be set up whether NFuse will be used or not. The ICA
Client users need to communicate through the firewall on TCP port 1494
and then be forwarded to the MetaFrame server internally.
Page 76 of the Web Interface Administrator’s Guide discusses a topic
call Port Address Translation. This feature can be used if individual
external IP addresses can not be obtained for each MetaFrame server in
2. It is advisable to first test the
firewall connection without NFuse. You need a workstation on the
Internet with the full ICA Client installed. At this workstation create a
custom ICA connection configured to connect directly to the
Internet-routable IP address (not a published application) of the
MetaFrame server. If this test succeeds, a valid route is set up. If
this test fails, confirm that the firewall(s) and router(s) are
The following is a
representation of network traffic generated by one TCP-based ICA session
launched by NFuse or by a direct IP address connection using the full
Program Neighborhood ICA Client:
1. ICA Client
port:1494--------> MetaFrame server
Client <-------destination port:1024---<-----source
port:1494-------------< MetaFrame server
In the above representation, this
workstation is using TCP port 1024 as its source port. Unless altered in
the registry, an ICA Client will choose a TCP port from 1024 to 5000
based on its default TCP parameters (See TechNet
By default, the MetaFrame server will always use TCP port 1494 to
accept incoming ICA traffic. TCP port 1494 will also be the source port
when sending to the ICA Client. This port is configurable using the
ICAPORT command line utility. During a direct IP address connection to
the MetaFrame server, UDP port 1604 is not used. During an NFuse
connection, there is no client/server UDP communication. The above
representation of TCP-based ICA traffic repeats until the ICA session is
disconnected, logged off, or reset.
3. After the
routes from the ICA Client to each of the MetaFrame servers are tested
successfully, you need to set the alternate addresses on each MetaFrame
server. The alternate address is a MetaFrame-specific setting that is
configured using the ALTADDR utility. Run the ALTADDR utility from the
command line of the MetaFrame server.
The syntax is:
ALTADDR /set <Internet IP address>
the Alternate Address on the Citrix server using both the internal and
external IP addresses causes NFuse Web sites to lose connectivity.
altaddr /set 10.3.15.10 22.214.171.124
This configuration works if you are using the Program Neighborhood
Client for ICA connectivity, but it may cause a NFuse/Web Interface Web
site to fail.
Remove the Alternate Address set using
both internal and external IP addresses and set the Alternate Address
using only the external IP address.
(in order of execution):
verify alternate address is removed)
altaddr (to verify that
alternate is set)
Your output will now look similar
Alternate TCP addresses for AMEN-RA
NOTE: The "Local Address"
section now has "Default" listed instead of an IP address. For these
changes to take effect, reboot the Citrix server.
determine which IP address to use as the Internet-routable IP address,
see Step 2 above. In Step 2, the test user on the Internet made a
successful ICA connection to the MetaFrame server using an
Internet-routable IP address as the destination. This IP address could
have been the IP address of the firewall, the router, or an address
reserved solely for use by the MetaFrame server connections. The
firewall administrator usually determines this. This IP address is the
IP address used in the ALTADDR command. Use the QSERVER and ALTADDR
utilities with no switches to verify the new settings.
At this point, the environment can be tested again without NFuse. This
test is recommended, but not required. If no route is available for the
Internet-based ICA Client to communicate with the MetaFrame XML service,
this test cannot be done. If there is no route, proceed to Step 5. To
test, use the same test workstation on the Internet as described in Step
2. In the ICA Client, create another custom ICA connection and choose
the TCP + HTTP browsing option. Check the box labeled
address for firewall connection. Attempt to browse for a list of
servers or published applications using the drop-down menu. If a list is
received, this test is successful. If an error is received, it is
likely there is a configuration issue. Some common causes for an error
at this point could be:
• No route to the XML
service port on the MetaFrame server
• A problem
with the alternate address settings
• A client
4.The last step is to
modify the Template.ica file in the NFuse/Web Interface Web site. Use
the Admin pages of Nfuse/Web Interface.
NFuse Java Objects NFuse_IPv4Address and NFuse_IPv4AddressAlternate
eliminates the need for UDP browsing.
editing the file, ensure the correct Template.ica file (by default,
there is one for each NFuse/Web Interface Web site). Open this file in a
text editor and locate this line:
Modify this line so that it reads:
NFuse_IPv4AddressAlternate: Retrieves the external
(or public) IP address of the Citrix server hosting the published
application. Recommended when using address translation (NAT) or
accessing the Citrix server through the firewall.
Interface will now work properly in a NAT environment.
When using the [NFuse_IPV4Address] tag(s), the TcpBrowserAddress and
UseAlternateAddress arguments are ignored and should be omitted.
you cannot retrieve a list of NFuse/Web Interface application icons
after entering your credentials, there could be a problem with the
communication between the NFuse/Web Interface Web server and the
MetaFrame server running the XML service. If the NFuse/Web Interface Web
server and the MetaFrame server are both behind the firewall, standard
NFuse/Web Interface troubleshooting applies, which is not covered in
this document. If the Web server is outside of the firewall, ensure the
correct port is open on the firewall to allow the XML service on the
MetaFrame server to communicate with the Web server. The TCP port number
that needs to be opened is dependent upon the port number chosen during
installation of the XML service. Test that the communication path is
available and that the XML service is responding by using telnet.
syntax from the command line is
ip address of XML
port number for XML service.
the Enter key several times and an error message appears with "HTTP Bad
Request" in the heading and ending with "Connection to host lost." (The
XML service is installed during installation of MetaFrame XP. If
MetaFrame 1.8 is in use, Service Pack 2 for MetaFrame 1.8 includes the
If you receive the NFuse/Web Interface
application icons but cannot launch them, right-click the application
icon and choose
Open in New Window. If a new window opens,
continue troubleshooting based on the error. If a new browser window is
not opened or the error does not contain helpful information,
right-click the application icon and choose
Save Target As. You
are prompted to save a text-based file containing pertinent ICA
connection information. Open this file in Notepad or any other text
editor. Verify that the file contains the correct IP address for ICA
connectivity to the MetaFrame server from outside of the firewall. The
line that contains this information is under the [Application Name]
heading and begins with Address=. If this file contains correct
information, attempt to launch the file from its saved location on the
computer by double-clicking the file. You can also attempt to connect to
this MetaFrame server as explained above in Step 2 and use the address
specified in the Address= line from the downloaded file. If
the installation is still not successful, it is important to note the
error received and at exactly which point the failure is occurring to
better understand the issue.