Using One Public IP Address for Multiple MetaFrame Servers with NFuse / Web Inte

Citrix states in their article: CTX325481

CTX325481 - Using One Public IP Address for Multiple MetaFrame Servers with NFuse / Web Interface

This document was published at: http://support.citrix.com/kb/entry.jspa?externalID=CTX325481

Document ID: CTX325481, Created on: Feb 20, 2001, Updated: Sep 11, 2003

Products: Citrix NFuse Classic 1.7, Web Interface 2.0, Citrix NFuse 1.6, Citrix NFuse 1.5

This document explains how to use Network Address Translation to configure one public IP address for multiple MetaFrame servers.

For NFuse 1.7 and Web Interface 2.0, please refer to the Administrator’s Guide, currently page 81 for Web Interface 2.0, section titled: Configuring Port Address Translation. It is advisable to read the entire section on Address Translation.

The section below applies to Citrix NFuse 1.6.

WARNING: This solution has been tested only through NFuse 1.6. The Citrix Program Neighborhood client will cease to function if this is implemented. This solution will not work with MetaFrame XP in Native Mode (IMA only). This solution can be used with MetaFrame 1.8/XP in Mixed Mode (IMA and ICA). Comparative functionality for the full Program Neighborhood Client is considered as an enhancement to MetaFrame 1.8/XP.

To connect to a MetaFrame server that is behind a firewall, Network Address Translation (NAT) must be used to configure a public IP address for your internal server. In the example below, there are three MetaFrame servers.

| Server Name | Private/Internal IP Address | ICA Port |
|---|---|---|
| META1 | 10.1.1.1 | 1494 |
| META2 | 10.1.1.2 | 1494 |
| META3 | 10.1.1.3 | 1494 |

To connect to the servers using NFuse from the Internet, you need to have public IP addresses configured. Using a separate, unique IP address for each server may not be an attractive solution. Instead, use a single public IP address, but use a different port for each server. The table below shows our public IP address and the port that each server will use.

| Server Name | Public IP Address | Public Port |
|---|---|---|
| META1 | 208.1.1.1 | 4001 |
| META2 | 208.1.1.1 | 4002 |
| META3 | 208.1.1.1 | 4003 |

To set the public IP address on the MetaFrame servers, use the altaddr command.

On META1, issue the command: altaddr /set 208.1.1.1:4001
On META2, issue the command: altaddr /set 208.1.1.1:4002
On META3, issue the command: altaddr /set 208.1.1.1:4003

NOTE: This solution may not work for all users. If an external user is behind a firewall, ports 4001, 4002, and 4003 need to be open for this solution to work. This may become an issue for companies that will not alter their firewall port configuration. When connecting through an ISP, this solution typically will work for the users.

On the firewall, configure the firewall rules to allow the traffic to get to the MetaFrame servers. Listed below are mock firewall rules for inbound traffic.

NOTE: You need to understand how to configure port rules on your firewall to use this solution. Because of the large number of firewalls available, this document uses generic syntax that is not specific to any firewall.

Port Table for Inbound Firewall Traffic

| Direction | Protocol | From Address | From Port | To Address | To Port |
|---|---|---|---|---|---|
| Inbound | TCP | 208.1.1.1 | 4001 | 10.1.1.1 | 1494 |
| Inbound | TCP | 208.1.1.1 | 4002 | 10.1.1.2 | 1494 |
| Inbound | TCP | 208.1.1.1 | 4003 | 10.1.1.3 | 1494 |

Here is what the information in the table above means:

When a client sends a request to the address 208.1.1.1 on port 4001, the firewall has a rule that routes the traffic to the private/internal IP address 10.1.1.1 on port 1494. So in our example above, ports 4001, 4002, and 4003 need to be open on the firewall for ICA traffic.

The last step in the configuration is to modify the Template.ica file for the NFuse Web site. Find the line that reads:

Address=[NFuse_IPV4Address]

Modify the line to read:

Address=[NFuse_IPV4AddressAlternate]

Assuming that the information has been configured properly and the user is not behind a firewall with 4001, 4002, and 4003 blocked, users are now able to successfully connect to applications through NFuse.
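As an added example (not part of the Citrix article), the Python below cross-checks the three places this mapping lives: the plan in the tables above, the altaddr value set on each server, and the firewall's translation rules. The "as configured" data is constructed and contains two deliberate mistakes; the function and variable names are assumptions of this example.

```python
from collections import Counter

ICA_PORT = 1494  # internal ICA port on every server in the article's tables

# The article's plan: server -> (internal IP, public IP, public port).
PLAN = {
    "META1": ("10.1.1.1", "208.1.1.1", 4001),
    "META2": ("10.1.1.2", "208.1.1.1", 4002),
    "META3": ("10.1.1.3", "208.1.1.1", 4003),
}

# Constructed "as configured" state with two deliberate mistakes:
# META3 carries META2's port, and a rule for a fourth host was left behind.
SAMPLE_ALTADDR = {"META1": "208.1.1.1:4001", "META2": "208.1.1.1:4002",
                  "META3": "208.1.1.1:4002"}
SAMPLE_RULES = [  # (public IP, public port, internal IP, internal port)
    ("208.1.1.1", 4001, "10.1.1.1", 1494),
    ("208.1.1.1", 4002, "10.1.1.2", 1494),
    ("208.1.1.1", 4003, "10.1.1.3", 1494),
    ("208.1.1.1", 4004, "10.1.1.4", 1494),
]

def altaddr_commands(plan):
    """Render the altaddr command for each server from the single plan."""
    return {n: f"altaddr /set {pub}:{port}" for n, (_, pub, port) in plan.items()}

def audit(plan, altaddr, rules):
    """Return a list of mismatches between plan, altaddr values and NAT rules."""
    findings = []
    endpoints = Counter((pub, port) for _, pub, port in plan.values())
    for (pub, port), n in endpoints.items():
        if n > 1:
            findings.append(f"{pub}:{port} is planned for {n} servers")
    planned = {(pub, port): (inner, ICA_PORT) for inner, pub, port in plan.values()}
    for name, (inner, pub, port) in plan.items():
        if altaddr.get(name) != f"{pub}:{port}":
            findings.append(f"{name}: altaddr {altaddr.get(name)} != plan {pub}:{port}")
        if (pub, port, inner, ICA_PORT) not in rules:
            findings.append(f"{name}: missing rule {pub}:{port} -> {inner}:{ICA_PORT}")
    for pub, port, inner, iport in rules:
        if planned.get((pub, port)) != (inner, iport):
            findings.append(f"unplanned rule {pub}:{port} -> {inner}:{iport}")
    return findings

if __name__ == "__main__":
    for line in audit(PLAN, SAMPLE_ALTADDR, SAMPLE_RULES):
        print(line)
```

An "unplanned rule" finding marks an inbound port that is open on the public address without a matching server in the plan, which is the entry to review first.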

The section below applies to Citrix NFuse 1.5.

WARNING: This solution has been tested only through NFuse. The Citrix Program Neighborhood client will cease to function if this is implemented. This solution will not work with MetaFrame XP in Native Mode (IMA only). This solution can be used with MetaFrame 1.8/XP in Mixed Mode (IMA and ICA). Comparative functionality for the full Program Neighborhood Client is considered as an enhancement to MetaFrame 1.8/XP.

Users have to connect internally from the LAN and externally from the Internet while using one known external IP address.

Note: This solution works for an NFuse site that uses Active Server Pages on Internet Information Server 5, but can be modified to work with any other type of NFuse web server that supports VBScript version 5.0. (IIS 4 currently does not)

1. Using the web site wizard, create two separate NFuse sites, named NFuse_internal and NFuse_external.

2. Locate the template.ica file within the NFuse_external directory. Within the [Wfclient] section change the Address=[NFuse_IPV4Address] to Address=[NFuse_IPV4AddressAlternate].

3. Create a default .asp page on your web server including the following:

<%
' Client address as seen by the web server
ClientIPAddress = Request.ServerVariables("REMOTE_ADDR")
Set myRegExp = New RegExp
' Dots are escaped so that they match only a literal "."
myRegExp.Pattern = "^10\.3\."
Set myMatches = myRegExp.Execute(ClientIPAddress)
If myMatches.Count > 0 Then
    Response.Redirect "http://NFuse_internal"
Else
    Response.Redirect "http://NFuse_external"
End If
%>

Replace the myRegExp.Pattern value (10.3 in this example) with the prefix of your internal subnet. If it matches, the client is redirected to the NFuse_internal site. Otherwise the client is directed to the NFuse_external site.

4. Run ICAPORT.EXE and ALTADDR.EXE on each MetaFrame server. For example, on the server SRV1 you would need to issue the following two commands at a command prompt:

icaport /port:1495
altaddr /set 206.3.2.1

These commands require a reboot of the server.

Repeat these commands on each MetaFrame server, being sure to assign a different ICA port to each server (1495 through 1497 in this example), but enter the same alternate address on every machine (206.3.2.1 in this example).

This creates the situation shown in the table below:

| Server Name | Internal IP Address | Public IP Address | Internal Port | Public Port |
|---|---|---|---|---|
| SRV1 | 10.1.1.1 | 206.3.2.1 | 1494 | 1495 |
| SRV2 | 10.2.2.2 | 206.3.2.1 | 1494 | 1496 |
| SRV3 | 10.3.3.3 | 206.3.2.1 | 1494 | 1497 |

5. Add the additional ICA listeners by following these steps in the registry:

Save the following key out to a file: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp.

Save the file as ica.reg. Create a new key beneath WinStations that has a different name, such as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp2.

Highlight the new ICA-tcp2 key and select the Registry > Restore... menu.

Browse to find the ica.reg file you saved and allow the information to overwrite the ICA-tcp2 key.

Change the port number in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp2\PortNumber to some value other than 1494.

6. Then you would modify the Template.ica file with the items in bold below:

[[NFuse_AppName]]

<[NFuse_IFSESSIONFIELD sessionfield="NFUSE_IPV4_Address" value="10.1.1.1"]>

Address=[NFuse_IPV4AddressAlternate]:1495

<[/NFuse_IFSESSIONFIELD]>

<[NFuse_IFSESSIONFIELD sessionfield="NFUSE_IPV4_Address" value="10.2.2.2"]>

Address=[NFuse_IPV4AddressAlternate]:1496

<[/NFuse_IFSESSIONFIELD]>

<[NFuse_IFSESSIONFIELD sessionfield="NFUSE_IPV4_Address" value="10.3.3.3"]>

Address=[NFuse_IPV4AddressAlternate]:1497

<[/NFuse_IFSESSIONFIELD]>

InitialProgram=#[NFuse_AppName]

DesiredColor=[NFuse_WindowColors]

TransportDriver=TCP/IP

WinStationDriver=ICA 3.0

Now NFuse will append the appropriate ICA port number to each server address based on their internal (private) IP address, effectively creating a load-balanced MetaFrame server farm with a single Internet IP address.

*** NOTE *** Adding additional ICA listeners via the registry is not supported.

7. Reboot to activate the additional listeners.

External NFuse users can connect through ports other than 1494, because the Template.ica modifications above append the server-specific port to the address. At the same time, internal users still use port 1494.
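An added example, not from the Citrix article, for the subnet test in step 3: in a regular expression an unescaped "." matches any character, so a prefix written as ^10.3. also matches addresses such as 10.30.1.5 and sends those clients to the internal site. The Python below compares the unescaped and escaped patterns with a parsed subnet check; the 10.3.0.0/16 subnet, the sample addresses and the function names are assumptions.

```python
import ipaddress
import re

# Assumption: the internal subnet is 10.3.0.0/16, matching the article's "10.3" prefix.
INTERNAL_NET = ipaddress.ip_network("10.3.0.0/16")

UNESCAPED = re.compile(r"^10.3.")    # "." matches any character
ESCAPED = re.compile(r"^10\.3\.")    # "\." matches a literal dot only

def site_by_regex(pattern, remote_addr):
    """Mirror the ASP page's decision: prefix match means internal site."""
    return "NFuse_internal" if pattern.search(remote_addr) else "NFuse_external"

def site_by_subnet(remote_addr, net=INTERNAL_NET):
    """Decide by parsing the address and testing subnet membership."""
    try:
        addr = ipaddress.ip_address(remote_addr.strip())
    except ValueError:
        return "NFuse_external"      # unparsable input is never treated as internal
    return "NFuse_internal" if addr in net else "NFuse_external"

def misrouted(pattern, addresses, net=INTERNAL_NET):
    """Addresses where the regex decision disagrees with real subnet membership."""
    return [a for a in addresses
            if site_by_regex(pattern, a) != site_by_subnet(a, net)]

# Constructed sample client addresses (not from the article).
SAMPLES = ["10.3.7.20", "10.30.1.5", "10.31.200.4", "10.3.255.1", "203.0.113.9"]

if __name__ == "__main__":
    for a in SAMPLES:
        print(a, site_by_regex(UNESCAPED, a), site_by_regex(ESCAPED, a),
              site_by_subnet(a))
    print("unescaped pattern misroutes:", misrouted(UNESCAPED, SAMPLES))
    print("escaped pattern misroutes:  ", misrouted(ESCAPED, SAMPLES))
```

With a subnet that does not end on an octet boundary, for example 10.3.0.0/18, even the escaped prefix pattern misclassifies 10.3.64.1, so the membership test is the form that generalizes.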


