Cryptzone Support

Using AppGate (classic) with the Citrix Web interface

Article Number: 000001032

This document outlines how to set up access to a Citrix Web Interface and a Citrix farm through an AppGate system using only plain Port Forwards.

The Citrix ICA protocol normally uses TCP port 1494. That in itself is no problem for the AppGate system. The problem is that we want to use this one port number for access to multiple Metaframe servers, and a Port Forward is restricted to handling a single server at a time.

When using AppGate Port Forwards we want the client application, in this case the ICA client, to connect to 127.0.0.1, and we want to use different port numbers rather than only 1494.

Let's say we have a scenario with two different Metaframe servers, 192.168.1.10 and 192.168.1.11, that we want to be able to reach at the same time.

Using the AppGate Port Forward mode we want a situation like this:

                 -> 127.0.0.1:1500 ->                      -> 192.168.1.10:1494
     ICA-client                       AG Clnt -> AG Server
                 -> 127.0.0.1:1501 ->                      -> 192.168.1.11:1494

As shown, the client side does not use port 1494 but 1500 and 1501. On the inside, though, we end up with the normal 1494 so the Metaframe servers see nothing unusual.

In effect this is network address and port translation (NAT/PAT), and the Citrix Web Interface has full support for handling it.

  • In the Citrix Web Interface you need to:
    • Edit DMZ Settings:
      1. Add
      2. Enter the AppGate server's internal IP address
      3. Select "Translated"
      This is the IP address the Citrix Web Interface server sees the traffic coming from, since the port forwarded connections leave the AppGate server rather than the client. The Web Interface uses it to recognise that clients arriving this way need address translation.
    • Edit Address Translation.

      Here we should add two translations:

      Internal IP address: 192.168.1.10
      Internal port: 1494
      External address: 127.0.0.1
      External port: 1500

      Internal IP address: 192.168.1.11
      Internal port: 1494
      External address: 127.0.0.1
      External port: 1501

    The above configuration of the Web Interface affects the content of the .ica files that the Web Interface sends to the client computer. The .ica files are fed to the ICA client, which should then connect to the waiting Port Forwards on 127.0.0.1:1500 and 127.0.0.1:1501.

    When the above is done we go back to the AppGate server. To handle this we only need the following two components in an AppGate Service:

    • IP access 1:
      Destination host: 192.168.1.10
      Destination port: 1494
      Local port: 1500
    • IP access 2:
      Destination host: 192.168.1.11
      Destination port: 1494
      Local port: 1501

Notice the difference between Destination port (the port on the Metaframe server, 1494) and Local port (the port the ICA client connects to on 127.0.0.1).

Also notice that we use IP addresses, not names, as Destination host. This makes sure that we neither rely on nor use the "Write to hosts file" feature of the AppGate, which is very useful if the AppGate Applet is used and we cannot rely on the user having admin privileges.

Note 1:

To get a predictable IP address on the client (127.0.0.1 and not 127.0.0.2, .3 etc.) we should do one of the following:

  • Do as in the example above and specify the "Destination host:" using IP addresses and NOT names.
  • Set the client property "ag_useuniqueips=no"

Note 2:

In the above example we use ports 1500, 1501 etc. You may use any port numbers you want, but it is wise to check that the specific ports are normally free on the clients. It is also advisable to use numbers above 1024, as lower port numbers require privileges on certain platforms (e.g. Mac OS X, Linux).

Note 3:

If the CGP protocol (Session Reliability) is used, the .ica file contains CGPAddress=*:2598 and the ICA client connects to TCP port 2598 rather than 1494. In that case only port 2598 needs to be port forwarded in the AppGate Service (Destination port: 2598, Local port: 2590 in the example below). The Citrix translations should look like this to get the content of the .ica file right:

  • Translation 1 (the CGP connection, which is the one port forwarded):
    Internal IP address: 192.168.1.10
    Internal port: 2598
    External address: 127.0.0.1
    External port: 2590 (or any other free port above 1024)
  • Translation 2 (keeps the Address= entry in the .ica file pointing at 127.0.0.1 as well):
    Internal IP address: 192.168.1.10
    Internal port: 1494
    External address: 127.0.0.1
    External port: 1489
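As an added example (not Cryptzone's, Citrix's or AppGate's own code), the following Python script cross-checks the Web Interface translations against the AppGate IP access definitions from the example above, applying the checks from Note 1 and Note 2, and then applies the translations to a .ica fragment to show how the Address= and CGPAddress= lines come out in the plain case and in the Note 3 (CGP) case. The .ica text is constructed for the example, and the exact line format in which the Web Interface writes translated addresses is an assumption; the addresses and ports are the ones used in this article.

```python
"""Added example (not Cryptzone's, Citrix's or AppGate's code): cross-check the
Web Interface address translations against the AppGate "IP access" port forwards,
then apply the translations to a constructed .ica fragment.  Addresses and ports
are those of the article; the exact line format the Web Interface writes is an
assumption."""
from __future__ import annotations
import ipaddress

# Citrix Web Interface "Edit Address Translation":
# (Internal IP address, Internal port) -> (External address, External port)
TRANSLATIONS = {
    ("192.168.1.10", 1494): ("127.0.0.1", 1500),
    ("192.168.1.11", 1494): ("127.0.0.1", 1501),
}
# AppGate Service "IP access": (Destination host, Destination port, Local port)
IP_ACCESSES = [
    ("192.168.1.10", 1494, 1500),
    ("192.168.1.11", 1494, 1501),
]
# Note 3 variant: only the CGP port (2598) is port forwarded; the 1494
# translation keeps Address= pointing at 127.0.0.1 instead of the internal IP.
CGP_TRANSLATIONS = {
    ("192.168.1.10", 2598): ("127.0.0.1", 2590),
    ("192.168.1.10", 1494): ("127.0.0.1", 1489),
}

def check_config(translations: dict, ip_accesses: list) -> list[str]:
    """Return the problems found; an empty list means both sides agree."""
    problems, forwards = [], {}  # forwards: Local port -> (host, port)
    for host, dport, lport in ip_accesses:
        try:
            ipaddress.ip_address(host)  # Note 1: IP addresses, not names
        except ValueError:
            problems.append(f"IP access {host}:{dport}: Destination host is a name, not an IP")
        if lport <= 1024:  # Note 2: low ports need privileges on Mac OS X / Linux
            problems.append(f"Local port {lport}: privileged port")
        if lport in forwards:
            problems.append(f"Local port {lport}: used by more than one IP access")
        forwards[lport] = (host, dport)
    for (iip, iport), (eaddr, eport) in translations.items():
        if eaddr != "127.0.0.1":  # Note 1: predictable client-side address
            problems.append(f"Translation {iip}:{iport}: External address is not 127.0.0.1")
        if forwards.get(eport) != (iip, iport):
            problems.append(f"Translation {iip}:{iport} -> {eaddr}:{eport}: "
                            f"no Port Forward with Local port {eport} to {iip}:{iport}")
    return problems

def _split(hostport: str, default_port: int) -> tuple[str, int]:
    """'host:port' -> (host, port); the port defaults when absent."""
    host, sep, port = hostport.rpartition(":")
    return (host, int(port)) if sep else (hostport, default_port)

def translate_ica(ica_text: str, translations: dict) -> str:
    """Rewrite Address= (default port 1494) and CGPAddress= (default port 2598)
    with their translations; '*' in CGPAddress= means the host of the section's
    Address= line.  Lines with no matching translation are kept as they are."""
    lines = ica_text.splitlines()
    section, section_host = None, {}  # pass 1: Address= host per section
    for line in lines:
        if line.strip().startswith("["):
            section = line.strip()
        key, sep, value = line.partition("=")
        if sep and key.strip() == "Address":
            section_host[section] = _split(value.strip(), 1494)[0]
    out, section = [], None  # pass 2: apply the translations
    for line in lines:
        if line.strip().startswith("["):
            section = line.strip()
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key in ("Address", "CGPAddress"):
            host, port = _split(value.strip(), 1494 if key == "Address" else 2598)
            if host == "*":
                host = section_host.get(section)
            ext = translations.get((host, port))
            if ext:
                line = f"{key}={ext[0]}:{ext[1]}"
        out.append(line)
    return "\n".join(out)

# Constructed .ica fragment of the kind the Web Interface hands to the ICA client.
SAMPLE_ICA = """[ApplicationServers]
Notepad=

[Notepad]
Address=192.168.1.10:1494
InitialProgram=#Notepad
CGPAddress=*:2598
"""

if __name__ == "__main__":
    print("problems:", check_config(TRANSLATIONS, IP_ACCESSES) or "none")
    print(translate_ica(SAMPLE_ICA, TRANSLATIONS), translate_ica(SAMPLE_ICA, CGP_TRANSLATIONS), sep="\n\n")
```

With the article's configuration the check reports no problems. The first rewrite turns the Address= line into 127.0.0.1:1500 but leaves CGPAddress=*:2598 untouched, because no translation for port 2598 exists; a client using CGP would then try 127.0.0.1:2598, where nothing is listening, which is exactly why Note 3 adds the 2598 translation and the matching Port Forward. With the Note 3 translations the fragment comes out with Address=127.0.0.1:1489 and CGPAddress=127.0.0.1:2590.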