Hi,

There is a Technical forum at www.Citrix.com site that has the answer you need. I had the same problem and fixed it as stated below from an excerpt on that web site. There are 2 scenarios. I used the first one successfully.

regards,
James Gulli
Network Specialist
IBM Network Services, Australia

====================================================================================

From www.citrix.com forum.

ICA Browsing With Firewall Address Translation (NAT)

Synopsis:

Some firewalls use IP address translation to convert private (Intranet) IP addresses into public (Internet) IP addresses. Public IP addresses are called "external" addresses because they are external to the firewall, whereas private IP addresses are said to be "internal" addresses. Hosts on the internal network have one set of addresses that is translated to another set when passing through the firewall. For example, an internal host has a private address of 192.168.12.3. The firewall translates this into a different public address such as 206.103.132.20.

To browse Citrix servers and published applications, the Citrix ICA Client contacts a Citrix server and requests the address of the ICA master browser. If the ICA Client is external to the firewall, it must be configured to use the public address of a Citrix server. The server returns the IP address of the current master browser to the ICA Client. By default, the IP address returned to the ICA Client is the internal address. If the ICA Client is outside the firewall and the firewall is configured for address translation, the IP address returned to the client for the master browser is incorrect.

Details:

Returning External Addresses to ICA Clients

Use the Altaddr utility to configure the ICA browser server to return the external IP address to Citrix ICA Clients. The Altaddr utility sets an alternate address for the ICA browser on that machine. The external address for the server is specified as the alternate address.
The Citrix ICA Client requests the alternate address when contacting servers inside the firewall. The alternate address must be specified for each server in a server farm.

To set an alternate address for a Citrix server

1. Determine the correct external IP address.
2. At a command prompt, type altaddr /set nnn.nnn.nnn.nnn, where nnn is the alternate IP address determined in Step 1.
3. Reboot.
4. Repeat on each server in a server farm.

To configure a Winframe ICA Client to use an alternate address

1. Edit the Appsrv.ini file in the client directory.
2. Find the [TCP/IP] section.
3. Specify 1 for the UseAlternateAddress field. For example:
       UseAlternateAddress = 1
4. Save the file.

The Citrix ICA Client tells the server to send the alternate address specified with the Altaddr utility.

To configure a Metaframe ICA Client to use an alternate address

1. Open Remote Application Manager
2. Click on the Options Pull Down Menu and select Settings
3. Select the Server Location tab
4. Under Network Protocol choose TCP/IP
5. Under Address List enter the IP address of the server
6. Check the box on the bottom for Use alternate address for firewall connection

See Appendix A, "MetaFrame Command Reference," in the MetaFrame Administrator's Guide for more information on the Altaddr utility.

In addition to specifying the alternate address on the Citrix server, configure the ICA Client to request the alternate address when contacting the master browser.

Checklist for Connecting to a Citrix Server by ICA Link on Web Page

Synopsis:

The recommended set up for this Web Computing Solution is to have your Web server outside the firewall and have your Citrix servers inside the firewall.

Details:

Checklist

Firewall

1. A valid external IP address(es) has been mapped to the Citrix server(s) inside the firewall.
2. Port 1494 for TCP/IP is opened.
3. Port 1604 for UDP is open Inbound on the firewall.
4. Port 1023 and above (The High Ports) are opened for TCP and UDP outbound.

Citrix Server

Run the ALTADDR utility on the Citrix server(s). Each Citrix server that is mapped from the firewall must be mapped to the corresponding address on the firewall. This is done from the command line and must be done from each Citrix server that is mapped to an alternate address.

Example:

    ALTADDR /SET InternalIPAddress ExternalIPAddress

Given that the internal IP address of a Citrix server is 10.3.2.1 and the firewall has mapped an External IP address of 208.140.11.10, from that Citrix server you would specify at a command line:

    ALTADDR /SET 10.3.2.1 208.140.11.10

The ICA File

After you publish the application and select to write an ICA file, you must make the necessary modifications in order to connect to the published application.

Example of an ICA File That Has Not Been Modified

    [WFClient]
    Version=2
    TcpBrowserAddress=10.3.2.1 (internal IP address of the server)
    TcpBrowserAddress2=10.3.2.218 (internal IP address of another server on network)
    IpxBrowserAddress=0:000C04C7F09C
    IpxBrowserAddress=0:009987CF80FD
    NetBiosBrowserAddress=WHATEVER
    NetBiosBrowserAddress2=DAKOTA

    [ApplicationServers]
    PubAppName=

    [PubAppName]
    Address=PubAppName
    InitialProgram=#PubAppName
    DesiredHRES=640
    DesiredVRES=480
    DesiredColor=2
    TransportDriver=TCP/IP
    WinStationDriver=ICA 3.0

The Same ICA File Modified to Work

    [WFClient]
    Version=2
    TcpBrowserAddress=208.140.11.10 (External IP Address of the Citrix Server)
    UseAlternateAddress=1 (this has been added for address translation)

    [ApplicationServers]
    PubAppName=

    [PubAppName]
    Address=PubAppName
    InitialProgram=#PubAppName
    DesiredHRES=640
    DesiredVRES=480
    DesiredColor=2
    TransportDriver=TCP/IP
    WinStationDriver=ICA 3.0

NOTE: We have removed the NetBiosBrowserAddress, NetBiosBrowserAddress2, and both the IpxBrowserAddress and IpxBrowserAddress2. These are not needed and it is recommended that these be removed, leaving only one TcpBrowserAddress entry.

Security is always an issue with Web computing.
Citrix offers SecureICA Services that can be used to encrypt data that is transported between the client and the server. This is an excellent solution for this type of computing environment.

=================================================================================================
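
The ICA-file changes described in the excerpt can be checked before a file is published on the external Web server. The following is an added example, not part of the original post or of any Citrix tool: a small Python audit of the [WFClient] section, run over the two sample files from the excerpt (with the parenthetical annotations removed). The function names are illustrative, and "internal address" is assumed to mean an address that Python's ipaddress module classifies as private.

```python
import ipaddress

# [WFClient] sections of the page's two sample ICA files (annotations removed).
UNMODIFIED = """[WFClient]
Version=2
TcpBrowserAddress=10.3.2.1
TcpBrowserAddress2=10.3.2.218
IpxBrowserAddress=0:000C04C7F09C
IpxBrowserAddress=0:009987CF80FD
NetBiosBrowserAddress=WHATEVER
NetBiosBrowserAddress2=DAKOTA
"""
MODIFIED = """[WFClient]
Version=2
TcpBrowserAddress=208.140.11.10
UseAlternateAddress=1
"""

def wfclient_entries(text):
    """Return (key, value) pairs from [WFClient]; repeated keys are kept,
    which is why configparser (rejects duplicates by default) is not used."""
    entries, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "wfclient" and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries.append((key.strip(), value.strip()))
    return entries

def audit_ica(text):
    """List reasons this ICA file would fail for a client outside the NAT firewall."""
    wf, findings = wfclient_entries(text), []
    tcp = [(k, v) for k, v in wf if k.lower().startswith("tcpbrowseraddress")]
    for key, value in tcp:
        try:
            if ipaddress.ip_address(value).is_private:
                findings.append(f"{key}={value} is an internal address")
        except ValueError:
            pass  # host name, not an IP literal: cannot be classified offline
    if len(tcp) > 1:
        findings.append("more than one TcpBrowserAddress entry")
    if not any(k.lower() == "usealternateaddress" and v == "1" for k, v in wf):
        findings.append("UseAlternateAddress=1 is missing")
    for key, _ in wf:
        if key.lower().startswith(("ipxbrowseraddress", "netbiosbrowseraddress")):
            findings.append(f"{key} is not needed and should be removed")
    return findings
```

audit_ica(UNMODIFIED) reports the internal browser addresses, the missing UseAlternateAddress setting and the IPX/NetBIOS entries; audit_ica(MODIFIED) returns an empty list.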
