check_by_citrix through nat'ed firewall

Tedman Eng teng at dataway.com
Wed Aug 11 05:05:09 CEST 2004


An easier way would be to use a remote-check method (NRPE or NSCA).

The harder (proper?) way is to use Citrix built-in support for this scenario
(read below).  However, I don't think the plugin supports the
"UseAlternateAddress = 1" function that an external ICA client would have to
be configured with.  Perhaps the plugin-author can help you out here, or if
you're good at looking at packet sniffs, it seems like it could be added
with some trial and error and elbows and grease.


From the www.citrix.com forum:

ICA Browsing With Firewall Address Translation (NAT)

Synopsis:

Some firewalls use IP address translation to convert private (Intranet) IP
addresses into public (Internet) IP addresses. Public
IP addresses are called "external" addresses because they are external to
the firewall, whereas private IP addresses are said to
be "internal" addresses.

Hosts on the internal network have one set of addresses that is translated
to another set when passing through the firewall. For
example, an internal host has a private address of 192.168.12.3. The
firewall translates this into a different public address such
as 206.103.132.20. To browse Citrix servers and published applications, the
Citrix ICA Client contacts a Citrix server and
requests the address of the ICA master browser. If the ICA Client is
external to the firewall, it must be configured to use the
public address of a Citrix server. The server returns the IP address of the
current master browser to the ICA Client. By default,
the IP address returned to the ICA Client is the internal address.

If the ICA Client is outside the firewall and the firewall is configured
for address translation, the IP address returned to the client
for the master browser is incorrect.

Details:

Returning External Addresses to ICA Clients

Use the Altaddr utility to configure the ICA browser server to return the
external IP address to Citrix ICA Clients. The Altaddr
utility sets an alternate address for the ICA browser on that machine. The
external address for the server is specified as the
alternate address. The Citrix ICA Client requests the alternate address
when contacting servers inside the firewall. The alternate
address must be specified for each server in a server farm.

To set an alternate address for a Citrix server

1. Determine the correct external IP address.

2. At a command prompt, type altaddr /set nnn.nnn.nnn.nnn, where nnn is the
alternate IP address determined in Step 1.

3. Reboot.

4. Repeat on each server in a server farm.

To configure a Winframe ICA Client to use an alternate address

1. Edit the Appsrv.ini file in the client directory.

2. Find the [TCP/IP] section.

3. Specify 1 for the UseAlternateAddress field. For example:

UseAlternateAddress = 1

4. Save the file.

-----Original Message-----
From: David Knutson [mailto:dknutson at sydran.com]
Sent: Tuesday, August 10, 2004 1:06 PM
To: nagios-users at lists.sourceforge.net
Subject: [Nagios-users] check_by_citrix through nat'ed firewall


I have 2 nagios servers, one inside my firewall and the other outside.  Our
firewall uses NAT.  When I use the command on the inside server, it works
just fine!  On the outside server it doesn't work.  On the outside server I
do the following (fake IPs):

The command:  ./check_citrix -C 10.1.1.1 -W Access  

responds with:  Failed No response to application query datagram from
192.168.1.1

The ip address in the response is the internal address of my server!  I ran
a debug and the check successfully connects to the master browser, but the
master returns the internal address for the server to contact, so the next
step - getting the app list - fails because it is using an invalid IP.  

Is there a solution to this, or am I limited to using this test only
internally?
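
An added example, not part of the original thread or of the check_citrix plugin: a small Python helper that compares the address passed to -C with any address named in the plugin's output, and flags the case described above where the master browser hands an external client an internal address. The function name `diagnose` is hypothetical, the failure text is assumed to have the form quoted in the post, and the sample addresses are the ones used in the Citrix article.

```python
import ipaddress
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

FIX_HINT = ("master browser referred the client to an address other than the "
            "one queried: run 'altaddr /set <external-ip>' on each farm server "
            "and have the client request it (UseAlternateAddress = 1)")


def diagnose(target, plugin_output):
    """Compare the address given to -C with the addresses named in the output."""
    target_ip = ipaddress.ip_address(target)
    referred = []
    for token in IPV4_RE.findall(plugin_output):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue  # matched the pattern but is not a valid IPv4 address
        if ip != target_ip and ip not in referred:
            referred.append(ip)
    return {
        "nat_mismatch": bool(referred),
        "referred": [str(ip) for ip in referred],
        # Private addresses seen by an outside client are internal
        # addresses that were not translated on the way out.
        "internal": [str(ip) for ip in referred if ip.is_private],
        "hint": FIX_HINT if referred else "",
    }


# Constructed sample: failure text in the form quoted in the post, using the
# Citrix article's example addresses (206.103.132.20 external,
# 192.168.12.3 internal).
SAMPLE_TARGET = "206.103.132.20"
SAMPLE_OUTPUT = ("Failed No response to application query datagram "
                 "from 192.168.12.3")

if __name__ == "__main__":
    result = diagnose(SAMPLE_TARGET, SAMPLE_OUTPUT)
    print(result["nat_mismatch"], result["referred"], result["internal"])
```
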

