If you want to connect to XenApp externally through Web Interface to launch your apps, and you don’t use CAG (Citrix Access Gateway) or CSG (Citrix Secure Gateway) but instead have a third-party router or firewall in front of the farm, you can use the XenApp CLI command ALTADDR to give the XenApp server an external (alternate) IP address. ALTADDR tells XenApp to send the user an ICA file whose Address field contains that external IP instead of the server’s private one, so the user’s device can actually reach the server and connect to the applications they need.
ALTADDR is part of the Citrix CLI commands and it is installed automatically when you install Citrix XenApp Server.
The syntax is:
ALTADDR /set x.x.x.x (where x.x.x.x is the alternate, i.e. external, IP address for the XenApp server)
Example: Let’s say you have a XenApp server with the internal/private IP address 192.168.1.62, and that your router/firewall has an external static IP address ending in .77 (written x.x.x.77 below); that is the public IP address you obtained for your XenApp server.
With that information in hand, you need to do a few things to enable the alternate address:
1. On the XenApp server, open a command prompt with admin privileges and run: ALTADDR /set x.x.x.77
2. Restart the IMA service (Citrix Independent Management Architecture) on the XenApp server; make sure no users are logged in first.
3. On your router/firewall, create two static NAT (port-forwarding) entries:
The first entry: external IP x.x.x.77, TCP port 1494 (ICA), forwarded to the internal IP 192.168.1.62, port 1494
The second entry: external IP x.x.x.77, TCP port 2598 (CGP), forwarded to the internal IP 192.168.1.62, port 2598 (note: add the second entry only if you use session reliability; my question is: why wouldn’t you, if you are on an external WAN connection?)
4. On your Web Interface server, select the Web site you created, click “Secure Access”, and add an access method of type Alternate (for the client address range that should receive the alternate address).
5. Finally, from an external workstation, browse to the external IP address (or the FQDN) of the Web Interface site and confirm that you can log in, enumerate the apps, and launch them.
On the CLI, type ALTADDR with no arguments to find out whether an alternate address is already configured; if none is, nothing is returned.
On the CLI, type ALTADDR /delete to delete the default alternate address on the server.
Citrix E-Docs – XenApp Commands Reference: ALTADDR:
If the administrator is unable to run the ALTADDR command, grant the user Modify permissions on the following registry key:
or check this CTX article.
Make sure your router/firewall has NAT enabled; what you are actually configuring here is NAPT (port forwarding of specific TCP ports to one internal host).
Make sure your firewall is configured to allow inbound connections to the server on TCP 1494 (and TCP 2598 for session reliability). Keep in mind that without CAG or CSG the ICA traffic on these ports is not wrapped in TLS; that is what the gateway products are for.
PROFESSOR HAT in action:
Private IP addresses (RFC 1918): 10.x.x.x (10.0.0.0/8); 172.16.x.x through 172.31.x.x (172.16.0.0/12); and 192.168.x.x (192.168.0.0/16). Private IP addresses are not routable on the Internet; they are only used on LANs.
WHY NAT? An IPv4 address is 32 bits, so there are at most 2 to the 32nd power of them, which comes out to about 4.3 billion addresses. Considering the amount of technology that’s out there, that is just not enough. To combat this, the Internet Engineering Task Force (IETF) came up with NAT (for the nerds and geeks out there, the original NAT RFC is RFC 1631, later obsoleted by RFC 3022).
So what does NAT do? It lets you have one (or a few) public IP addresses and translate the private addresses on your LAN to them, and back again. You get many more addresses to work with internally, and the Internet still knows how to communicate with you. Usually this is done by the router.
Drawbacks of NAT and NAPT:
“Network address translation has serious drawbacks on the quality of Internet connectivity and requires careful attention to the details of its implementation. In particular, all types of NAT break the originally envisioned model of IP end-to-end connectivity across the Internet and NAPT makes it difficult for systems behind a NAT to accept incoming communications. As a result, NAT traversal methods have been devised to alleviate the issues encountered” (source: Wikipedia) http://en.wikipedia.org/wiki/Network_address_translation
NAT Analogy to the Phone system in the office:
A NAT device is similar to a phone system at an office that has one public telephone number and multiple extensions. Outbound phone calls made from the office all appear to come from the same telephone number. However, an incoming call that does not specify an extension cannot be transferred to an individual inside the office. In this scenario, the office is a private LAN, the main phone number is the public IP address, and the individual extensions are unique port numbers (source: Wikipedia)
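The drawback quoted above (NAPT makes it hard for systems behind it to accept incoming connections) and the phone-extension analogy are exactly why the two NAT entries in step 3 exist. The following added example, which is not from this post or from Wikipedia, is a toy NAPT table in Python: outbound flows get a public port assigned dynamically and their replies are let back in, an unsolicited inbound ICA connection on TCP 1494 is dropped until a static port-forward names that “extension”, and once the forwards for 1494 and 2598 are present the connection reaches 192.168.1.62. The addresses 203.0.113.77 and 198.51.100.10 are RFC 5737 documentation addresses standing in for the public address and an external client; 192.168.1.62 is the XenApp server from this post; Packet, Napt and ica_reachable are names of this example only.

```python
"""Toy NAPT (port-overloading NAT) table showing why the two static entries
for TCP 1494 and 2598 are required. Added example; not from the post."""
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

# Constructed addresses: 203.0.113.77 and 198.51.100.10 are RFC 5737
# documentation addresses; 192.168.1.62 is the XenApp server from the post.
PUBLIC_IP = "203.0.113.77"
XENAPP_IP = "192.168.1.62"
CLIENT_IP = "198.51.100.10"


class Napt:
    """One public address, many private hosts: the 'one phone number, many
    extensions' model. Extensions (ports) are handed out dynamically for
    outbound flows; unsolicited inbound packets are dropped unless a static
    forward (port-forwarding / 'NAT entry') names the extension."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}    # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.in_map = {}     # public port -> that same 4-tuple
        self.forwards = {}   # static: public port -> (priv_ip, priv_port)

    def add_port_forward(self, public_port, private_ip, private_port):
        self.forwards[public_port] = (private_ip, private_port)

    def translate_outbound(self, pkt):
        """LAN -> Internet: rewrite the source to the public IP and a port."""
        for pub_port, private in self.forwards.items():
            if (pkt.src_ip, pkt.src_port) == private:
                # reply traffic from a forwarded service keeps the forwarded port
                return pkt._replace(src_ip=self.public_ip, src_port=pub_port)
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return pkt._replace(src_ip=self.public_ip, src_port=self.out_map[key])

    def translate_inbound(self, pkt):
        """Internet -> LAN: return the rewritten packet, or None when dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        if pkt.dst_port in self.in_map:
            priv_ip, priv_port, remote_ip, remote_port = self.in_map[pkt.dst_port]
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return pkt._replace(dst_ip=priv_ip, dst_port=priv_port)
            return None   # some other host probing a dynamically mapped port
        if pkt.dst_port in self.forwards:
            priv_ip, priv_port = self.forwards[pkt.dst_port]
            return pkt._replace(dst_ip=priv_ip, dst_port=priv_port)
        return None       # "incoming call with no extension"


def ica_reachable(nat):
    """Does a fresh ICA connection from an external client reach the server?"""
    syn = Packet(CLIENT_IP, 51000, nat.public_ip, 1494)
    return nat.translate_inbound(syn) == Packet(CLIENT_IP, 51000, XENAPP_IP, 1494)


if __name__ == "__main__":
    nat = Napt(PUBLIC_IP)
    print("before NAT entries:", ica_reachable(nat))   # False: dropped
    nat.add_port_forward(1494, XENAPP_IP, 1494)
    nat.add_port_forward(2598, XENAPP_IP, 2598)
    print("after NAT entries: ", ica_reachable(nat))   # True
```

The same table shows the other half of the phone analogy: an outbound connection from any LAN host gets a fresh public port, and only the remote host it was opened to can send packets back through that port, which is why ALTADDR alone (without the static forwards) never makes the server reachable.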