
XenApp 7.6 server with Multiple NICs - how to Limit ICA to one NIC?

Started by John Richards , 08 February 2017 - 07:10 PM
21 replies to this topic

Best Answer John Richards , 17 February 2017 - 01:52 PM

I understand the role of StoreFront vs. the broker, but with WI it was possible to build a static NAT table, so the ICA file would include an alternate IP address. That's what I meant by StoreFront sending the ICA connections to production, but that capability disappeared when going from WI to StoreFront.

  

Here is where it all falls apart: The delivery controllers are only on the management subnet, they do not have an interface on the production subnet. The management subnet can access anything on the Prod subnet, so the delivery controllers can connect to 80 on the production subnet NICs. The production subnet cannot open connections back to management, so those interfaces cannot connect to port 80 on the delivery controllers.

 

   I had no part in setting up any of this, I just walked into the middle of it. Would adding a production subnet NIC to the delivery controllers help resolve this?

John Richards Members

John Richards
  • 19 posts

Posted 08 February 2017 - 07:10 PM

Our XenApp servers are required to have 4 NICs, but users only have access to the production NIC. How do we limit the ICA connections to the production NIC?



John Richards Members

John Richards
  • 19 posts

Posted 09 February 2017 - 03:34 PM

A little more info - we are adding new servers and delivery groups to an existing farm. 

 

All of the pre-existing hosts are multi-homed, and ICA connections are only being sent to the production NIC, but ICA is listening on all of the NICs.

 

 

On the new servers, StoreFront is telling client systems to connect to the wrong NIC. On the existing servers, it sends them to the production NIC. Where is this configured? Is it part of the store? Delivery Group? Server?



Pavan nannapaneni Members

Pavan nannapaneni
  • 1,093 posts

Posted 09 February 2017 - 04:40 PM

This should be done on the VDA. You can't set this in Studio or using PowerShell on controllers.



John Richards Members

John Richards
  • 19 posts

Posted 09 February 2017 - 06:31 PM

We are on the right track here... the Get-BrokerMachine gives the internal "non production" IP.

 

But are you sure on that syntax? There are systems in production in the farm. I need to make sure I do not impact them and I don't see how that command will know which system's properties to set.



John Richards Members

John Richards
  • 19 posts

Posted 09 February 2017 - 07:48 PM

When I try to set the IPAddress property on the machine it errors and says the property cannot be set.



Pavan nannapaneni Members

Pavan nannapaneni
  • 1,093 posts

Posted 10 February 2017 - 09:57 AM

This should be done on the VDA. You can't set this in Studio or using PowerShell on controllers.



Dennis Parker Members

Dennis Parker
  • 30 posts

Posted 10 February 2017 - 11:23 PM

Just to hopefully be a little clearer, Pavan is saying:

# Load the Citrix broker SDK on a Delivery Controller, then fetch the machine record.
Add-PSSnapin Citrix.Broker.Admin.V2
$brokermachine = Get-BrokerMachine -MachineName "<domainname>\<servername>"
# Assigning the address to the object's IPAddress property (this is the property
# John reports as read-only in the post above).
$brokermachine.IPAddress = "x.x.x.x"

I might instead try this myself though:

# Pipe the machine record into Set-BrokerMachine, which takes the address as a parameter.
Get-BrokerMachine -MachineName "<domainname>\<servername>" | Set-BrokerMachine -AssignedIPAddress "x.x.x.x"

 

I have not tested either though. Use at your own risk. :)



John Richards Members

John Richards
  • 19 posts

Posted 13 February 2017 - 04:13 PM

Pavan - you've repeated "This should be done on the VDA" - OK, great. HOW is it done on the VDA?

 

I am flabbergasted that I cannot find documentation on this pretty basic configuration issue.



Julian Mooren Members

Julian Mooren
  • 48 posts

Posted 13 February 2017 - 05:36 PM

Hi John, you could allow port 1494/2598 over the production NIC by configuring the firewall.

John Richards Members
  • #10

John Richards
  • 19 posts

Posted 13 February 2017 - 06:36 PM

Julian, it's already allowed - the problem is that the broker and StoreFront only send users to the management NIC. My subject line could have been clearer: It's not a matter of limiting the ICA connections, it's a matter of sending users' ICA connections to a NIC they have access to.

We really don't care that ICA is available on other NICs, but end users have no access to those NICs.



Julian Mooren Members
  • #11

Julian Mooren
  • 48 posts

Posted 13 February 2017 - 09:28 PM

What about changing the priority of your NIC interfaces? The NIC which should handle ICA traffic should be on top.

1.) Open the "Network and Sharing Center" and open the Adapter properties.
2.) Press the "Alt" key to get the menu strip, click on "Advanced" and "Advanced Settings"

Hope this helps :)

Pavan nannapaneni Members
  • #12

Pavan nannapaneni
  • 1,093 posts

Posted 14 February 2017 - 02:09 PM

By default LanAdapter for ICA is set to 0x00000000(0) on the VDA in the below locations. To force ICA traffic to listen on a particular NIC only, change the value to your LanAdapter dword value, i.e., 0x00000001(1) or 0x00000002(2) depending on whichever is your production NIC:

Default: LanAdapter dword 0x00000000(0) (this setting will allow all NICs to listen for ICA traffic)

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-CGP

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-CGP-1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-CGP-2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-CGP-3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-HTML5

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-TCP

 

Give a reboot and test the ICA listener by doing a netstat -an | find "1494" or "2598".

Use PoSH on the delivery controller and check to make sure Get-BrokerMachine is now showing a single IP.

Let me know if this worked, as I've tested with multiple NICs in my lab on Windows 2016 and it worked, and it won't be any different on Windows 2012.
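The registry change and the listener check from the post above, scripted in PowerShell. This is an added example, not code from the thread or from Citrix: it assumes the production NIC is ordinal 1 in the adapter binding order (the $ProdLanAdapter value) and uses 10.10.20.15 as a constructed stand-in for the production address. Run the first part elevated on the VDA, reboot, then run the verification function.

```powershell
# Added example (not from the thread): bind the ICA listeners to one NIC via LanAdapter.
# Assumptions: the production NIC is adapter ordinal 1 in the binding order, and its
# IPv4 address is 10.10.20.15 (a constructed value used only by the check below).
#Requires -RunAsAdministrator
$ProdLanAdapter = 1               # 0 = listen on all NICs (default); 1 = first adapter in the list
$ProdIPv4       = '10.10.20.15'   # constructed; replace with the real production address
$WinStations    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'

# 1. Set LanAdapter on every ICA-* WinStation present on this VDA
#    (ICA-TCP, ICA-CGP, ICA-CGP-1..n, ICA-HTML5), showing the old and new value.
Get-ChildItem -Path $WinStations |
    Where-Object { $_.PSChildName -like 'ICA-*' } |
    ForEach-Object {
        $before = (Get-ItemProperty -Path $_.PSPath -Name LanAdapter -ErrorAction SilentlyContinue).LanAdapter
        Set-ItemProperty -Path $_.PSPath -Name LanAdapter -Value $ProdLanAdapter -Type DWord
        '{0,-12} LanAdapter {1} -> {2}' -f $_.PSChildName, ($before -as [string]), $ProdLanAdapter
    }

# 2. After the reboot: are the ICA (1494) and CGP (2598) listeners bound only to the prod address?
#    A LocalAddress of 0.0.0.0 or :: means the listener is still on all NICs.
function Test-IcaListenerBinding {
    param([string]$ExpectedAddress, [int[]]$Ports = @(1494, 2598))
    $listeners = Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -in $Ports } |
        Select-Object LocalAddress, LocalPort
    if (-not $listeners) {
        Write-Warning 'No ICA/CGP listeners found; has the VDA rebooted and the services started?'
        return $false
    }
    $listeners | Format-Table -AutoSize | Out-String | Write-Host
    $wrong = $listeners | Where-Object { $_.LocalAddress -ne $ExpectedAddress }
    if ($wrong) {
        Write-Warning ("ICA/CGP still listening on: " + (($wrong.LocalAddress | Sort-Object -Unique) -join ', '))
        return $false
    }
    return $true
}
Test-IcaListenerBinding -ExpectedAddress $ProdIPv4
```

Binding the listener does not by itself change what the broker hands to StoreFront; as the thread goes on to show, the address in the .ica file comes from what the VDA registered with the Delivery Controller, which is a separate check.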



John Richards Members
  • #13

John Richards
  • 19 posts

Posted 14 February 2017 - 03:13 PM

That worked, at least to the point that the ICA listener is only listening on the prod address. But Get-BrokerMachine still only displays the management IP (it has never displayed all 4 IPs).

 

When I try to open a test app the .ica file still contains the management IP, not the prod IP and the session does not establish. 



John Richards Members
  • #14

John Richards
  • 19 posts

Posted 14 February 2017 - 04:15 PM

I had already set the priority on the NICs - prod 1, mgt 2, etc.



Pavan nannapaneni Members
  • #15

Pavan nannapaneni
  • 1,093 posts

Posted 14 February 2017 - 06:45 PM

Hi John,

 

Below will work:

Make sure there are no duplicate DNS address registrations, i.e., for prod 1, mgt 2 with the same FQDN in DNS:

Disable on mgt2:

  • "Register this connection's addresses in DNS" in the advanced TCP/IP settings
  • ipconfig /flushdns on VDA and delivery controllers

Automatic Metric:

  • On the prod1 NIC, in advanced TCP/IP settings, uncheck automatic metric and stick 1 in the box.
  • On the mgt2 NIC, in advanced TCP/IP settings, uncheck automatic metric and stick 2 in the box.

Restart the Desktop Service on the VDA and this will now reflect the new prod1 IP in Studio. I've tested this multiple times by changing the metric and it does reflect straight away.

I've tried other stuff, changing priority order, but it didn't make any difference. But the above always works.
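The same DNS-registration and metric steps, done from PowerShell instead of the adapter dialogs, followed by the check on the controller side. This is an added example, not code from the thread: the adapter aliases 'Prod' and 'Mgmt' and the machine name DOMAIN\VDA01 are placeholders (use Get-NetAdapter to find the real aliases), and the service name BrokerAgent is the Windows service name of the Citrix Desktop Service.

```powershell
# Added example (not from the thread): apply the DNS and metric settings from the post above
# and confirm what the broker recorded for the VDA.
# Assumptions: adapters are named 'Prod' and 'Mgmt'; the VDA is DOMAIN\VDA01 (placeholders).
#Requires -RunAsAdministrator
$ProdAlias = 'Prod'
$MgmtAlias = 'Mgmt'

# 1. Only the production NIC registers its address under the host's DNS name.
Set-DnsClient -InterfaceAlias $MgmtAlias -RegisterThisConnectionsAddress $false
Set-DnsClient -InterfaceAlias $ProdAlias -RegisterThisConnectionsAddress $true
Clear-DnsClientCache            # same effect as ipconfig /flushdns
ipconfig /registerdns | Out-Null

# 2. Fixed interface metrics instead of automatic ones: the lowest metric wins.
Set-NetIPInterface -InterfaceAlias $ProdAlias -AddressFamily IPv4 -AutomaticMetric Disabled -InterfaceMetric 1
Set-NetIPInterface -InterfaceAlias $MgmtAlias -AddressFamily IPv4 -AutomaticMetric Disabled -InterfaceMetric 2
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -in @($ProdAlias, $MgmtAlias) } |
    Select-Object InterfaceAlias, InterfaceMetric, AutomaticMetric |
    Format-Table -AutoSize

# 3. Restart the Citrix Desktop Service so the VDA re-registers with the controller.
Restart-Service -Name BrokerAgent

# 4. On a Delivery Controller: which address and DNS name did the broker record?
#    Run this function there; Add-PSSnapin loads the Citrix broker SDK.
function Get-VdaRegisteredAddress {
    param([string]$MachineName)
    Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction SilentlyContinue
    Get-BrokerMachine -MachineName $MachineName |
        Select-Object MachineName, IPAddress, DNSName, RegistrationState
}
Get-VdaRegisteredAddress -MachineName 'DOMAIN\VDA01'
```

The IPAddress column is what ends up in the .ica file, so if it still shows the management address after the restart, the VDA registered over that interface and the metric change alone did not move it.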



John Richards Members
  • #16

John Richards
  • 19 posts

Posted 14 February 2017 - 08:42 PM

The management interface cannot be disabled - the domain lives on that subnet. The prod IP cannot reach domain controllers, so disabling the management interface results in no logon server available, and no communication with the farm.

 

The IPs all have separate DNS names - for example, Server.domain.com, server-prd.domain.com are DNS names for interfaces on the same server.

 

The metrics are what I meant when I said "priority" - prod is already "1", mgt "2".



Pavan nannapaneni Members
  • #17

Pavan nannapaneni
  • 1,093 posts

Posted 15 February 2017 - 06:52 AM

OK, as long as the DNS names are different, that should be fine. Did you manually change the metrics in the advanced TCP/IP settings, as indicated in the NIC properties, to 1 & 2?



John Richards Members
  • #18

John Richards
  • 19 posts

Posted 15 February 2017 - 01:50 PM

Yes, I unchecked automatic metrics on all 4 NICs, and added the values 1 through 4, with the prod NIC as #1.

The way the network is set up, all of the communication between farm servers and to the domain is on the management LAN. The prod subnet cannot reach the management subnet.

I know how I'd fix this in the old Web Interface, which would be to treat the prod IPs as static NAT. Is that possible in StoreFront?



John Richards Members
  • #19

John Richards
  • 19 posts

Posted 15 February 2017 - 02:11 PM

I just found my answer on setting it up as a NAT... Not without NetScaler... grrrrrrrrrr



John Richards Members
  • #20

John Richards
  • 19 posts

Posted 16 February 2017 - 08:15 PM

So, where we are apparently at is that since the prod NIC cannot talk to the delivery controller, it does not even appear in machine broker, so there is no way to get StoreFront to send connections to it, and a static NAT requires a NetScaler, which is not really a viable option for us.

That leaves me pretty much twisting in the wind. I'm getting pinged in private discussion to mark this solved, but since there is no solution, I'm not inclined to mark it as solved.