
AppNote: How to Configure and Troubleshoot iChain 2.3 Issues Accelerating a Citrix MetaFrame Server

Novell Cool Solutions: AppNote
By Neil Cashell


Posted: 24 Nov 2004
 

(15 Nov 2004 - Updated with Citrix MetaFrame Presentation Server information)

Installation QuickStart for iChain 2.3 and Citrix

The following example outlines the key steps required to get iChain working with a Citrix Nfuse solution (references throughout this document are for Citrix MetaFrame XP 1.0 for Windows Feature Release 2 and 3, as well as the Citrix MetaFrame Presentation Server release version 3).

Note:

  1. Before attempting to configure iChain to accelerate the Citrix servers, first make sure that direct access to the Citrix servers from an ICA client works. While confirming this, identify the parameters on the login page that are required to sign on to the Nfuse (or Citrix WebInterface) server. For the purpose of this AppNote, the Nfuse and Citrix WebInterface server names are used interchangeably.
  2. It is assumed that the administrator knows how to create an authentication profile and populate the 'Access Control' tab in the iChain GUI.

Configuration steps:

  1. Using ConsoleOne, define a protected resource for both the Nfuse and Metaframe servers. The Metaframe protected resource (citrix.novell.com below) can be defined with any mode (public, restricted or secured) but the Nfuse protected resource (nfuse.novell.com below) must be defined such that authentication is required (either restricted or secured).
    No OLAC parameters need to be defined for either protected resource.



  2. Create an iChain accelerator for the Citrix Nfuse server (nfuse.novell.com, as in the example above)
    1. The Web Server IP address must be the IP address of the back end Nfuse server.
    2. The Accelerator IP address must be a unique IP address on the iChain proxy server.
    3. The 'Alternate Host Name' must match the host HTTP header expected by the back end Web server hosting the Nfuse software.
    4. Authentication must be enabled for that accelerator and any authentication profile (ldap, radius or mutual) can be used with that accelerator.


  3. Create an iChain accelerator for the Citrix metaframe (citrix.novell.com) server(s)
    1. Enter the TCP port that the MetaFrame servers listen on in the Web server port field. Note that most MetaFrame servers listen on TCP 1494.
    2. Specify the Metaframe server IP address in the 'Web Server Addresses' field. If multiple Metaframe servers exist in a Citrix farm, add an entry in this field for each Metaframe server in the farm.
    3. Do not enable 'authentication' for this accelerator.
    4. Enter a unique IP address in the 'Accelerator IP addresses' field. This address cannot be the same as the Nfuse accelerator IP address.
    5. Set the 'Alternate Host Name' to the host HTTP header expected by the back end Web server hosting the Metaframe software. In the example below, the 'Alternate Host Name' matches that specified in the Nfuse accelerator setup because the Nfuse and MetaFrame back end servers were running on the same machine.


  4. Enable FormFill for the iChain server.
    1. Tick the option that enables Form Fill authentication in the 'Access Control' tab of the iChain Web GUI.


  5. Modify the DNS entries for the Nfuse server (nfuse.novell.com in our example) and MetaFrame (citrix.novell.com in our example) server(s) so that they resolve to the IP addresses of the iChain accelerators for those services. Use PING to confirm that the resolution is successful.


  6. Using a browser, access the Nfuse server (nfuse.novell.com in our example) and make sure that the iChain login page appears.



  7. Enter the iChain credentials (username, password and context) and confirm that the NFuse login page appears.



  8. Note: If a pop up menu is displayed on the browser asking for the username and password, then it is most likely that the back end Web server and not Nfuse is requesting authentication (using NTLM or basic authentication). If this is the case, disable authentication for this URL at the Web server so that the Nfuse form based authentication is enabled, and only the above login page is displayed.

  9. Using ConsoleOne, select the ISO object and click the 'FormFill Policy' TAB.



    Edit the FormFill policy so that users authenticating to iChain can single sign on to the back end Nfuse server. The form below shows the sample entry required to single sign on to an Nfuse server running either MetaFrame XP 1.0 for Windows Feature release 2 or 3.

    Note:
    1. The assumption below is that the iChain login credentials are the same as the Citrix login credentials. If this is not the case, remove the cn and password keywords after the ~ in the 'value=' string below, so that the credentials are stored in the user's iChainFormFillCrib attribute. See the iChain formfill documentation for more details.

    2. The login pages that the formfill profiles below are based on are shown in the appendix section.


  10. <!-- This is an example form fill policy for logging in to Nfuse -->
    <!-- Login page corresponding to this script shown in appendix below -->
    <!-- MetaFrame XP 1.0 for Windows Feature release 2 -->
    <urlPolicy>
    <name>MetaFrameLogin</name>
    <url>nfuse.novell.com/Citrix/NFuse17/login.asp</url>
    <formCriteria>
    <title>MetaFrame XP Login</title>
    </formCriteria>
    <actions>
    <fill>
    <input name="user" value="~cn">
    <input name="password" value="~password">
    <input name="domain" value="~">
    </fill>
    <post/>
    </actions>
    </urlPolicy>
    <!-- end of MetaFrame login -->
    <!-- This is an example form fill policy for logging in to Citrix WebInterface -->
    <!-- Login page corresponding to this script shown in appendix below -->
    <!-- MetaFrame XP 1.0 for Windows Feature release 3 -->
    <urlPolicy>
    <name>MetaFrameLogin</name>
    <url>nfuse.novell.com/Citrix/MetaFrameXP/default/login.asp</url>
    <cgiCriteria>
       ClientDetection=On
    </cgiCriteria>
    
    <injectStaticValue>
       state=LOGIN&LoginType=Explicit&Log+In.x=47&Log+In.y=6
    </injectStaticValue>
    
    <actions>
       <fill>
          <input name="user"     value="~cn">
          <input name="password" value="~password">
          <input name="domain"   value="~">
        </fill>
        <post/>
        </actions>
    </urlPolicy>
    
    <!-- This is an example form fill policy for logging in to Web Interface for Citrix MetaFrame Presentation
     Server version 3.0 --> 
    <urlPolicy>
    <name>MetaFrameLogin</name>
    <url>nfuse.novell.com/Citrix/MetaFrame/default/login.aspx</url>
    <actions>
    <fill>
    <input name="user" value="~cn">
    <input name="password" value="~">
    </fill>
    <post/>
    </actions>
    </urlPolicy>
    <!-- end of MetaFrame login -->
  11. Unload SSO and reload SSO at the iChain server console to make sure that all changes are registered with the proxy.


  12. Using a browser, access the Nfuse server (nfuse.novell.com in our example) again and make sure that the iChain login page appears. Enter the iChain credentials and then enter the NFuse credentials on the Nfuse login page.



  13. Close and restart the browser, and access the Nfuse server (nfuse.novell.com in our example) again. Enter the iChain credentials into the iChain login page and confirm that you are automatically authenticated to the NFuse server at the Nfuse login page. You should now see a list of available Citrix applications for that user.



  14. Edit the FormFill policy so that Citrix users can run applications on the back end MetaFrame server. The form below shows the sample entry required to rewrite the ICA file contents associated with all Citrix applications into the form required by iChain. This form is specific to Citrix servers running MetaFrame XP 1.0 for Windows and the Presentation Server software. The addresses and host names correspond to those we have been using in the example from the start.


  15. <!-- start of secure tunnel to MetaFrame through NFuse -->
    <urlPolicy>
    <name>NFuseTest</name>
    <url>nfuse.novell.com/Citrix/NFuse17/launch.asp</url>
    <actions>
    <icaFill>
    <icaOriginal>
    [WFClient]
    </icaOriginal>
    <icaReplace>
    [WFClient]
    ProxyHost = citrix.novell.com:80
    ICHAIN-TOKEN = 30
    </icaReplace>
    <icaMetaPrivateAddress>
    Address=151.155.164.200
    </icaMetaPrivateAddress>
    <icaMetaPublicAddress>
    Address=citrix.novell.com
    </icaMetaPublicAddress>
    </icaFill>
    </actions>
    </urlPolicy>
    <!-- end of secure tunnel to MetaFrame through NFuse -->
    <!-- start of secure tunnel to Citrix MetaFrame Presentation server
    through NFuse -->
    <urlPolicy>
    <name>NFuseTest</name>
    <url>nfuse.novell.com/Citrix/MetaFrame/default/launch.*</url>
    <actions>
    <icaFill>
    <icaOriginal>
    [WFClient]
    </icaOriginal>
    <icaReplace>
    [WFClient]
    ProxyHost = citrix.novell.com:80
    ICHAIN-TOKEN = 30
    </icaReplace>
    <icaMetaPrivateAddress>
    Address=151.155.164.200
    </icaMetaPrivateAddress>
    <icaMetaPublicAddress>
    Address=citrix.novell.com
    </icaMetaPublicAddress>
    </icaFill>
    </actions>
    </urlPolicy>
    <!-- end of secure tunnel to MetaFrame Presentation Server
    through NFuse -->
    For more information on each of the fields in the formfill script, consult the iChain 2.3 documentation.

    Note:
    1. If multiple Metaframe servers exist in a Citrix farm, add the IP address for each MetaFrame server into the section of the above profile. The IP addresses listed here MUST match those defined in section 3.2 above.

    2. The formfill script above is very sensitive to extra TAB and blank spaces, which can cause formfill to not recognise a matching profile when processing a URL. Remove any unwanted TABs or blanks from the above profile.

  16. At the command line interface, enable the tunnelauthforica option for the MetaFrame accelerator with the following SET command, then apply the changes:
    set accelerator <mframe_accelerator_name> tunnelauthforica = yes
    For our sample metaframe accelerator citrixmf, the accelerator settings should look like the following:



  17. Unload and reload SSO.NLM at the iChain Proxy server console after making the changes


  18. Using a browser, access the Nfuse server (nfuse.novell.com in our example) again. Enter the iChain credentials into the iChain login page and confirm that you are automatically authenticated to the NFuse server at the Nfuse login page.


  19. Select one of the applications displayed and confirm that the application is displayed on the client machine.
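
A checker for the whitespace and address-matching pitfalls in the notes to step 15, added here as an illustration (not a Novell tool and not part of the original AppNote). `lint_policy` and the sample policy are hypothetical; the checker only reports, since the page does not state which of these findings iChain tolerates.

```python
"""Lint a FormFill policy for whitespace and tag-consistency problems.

Added illustration, not a Novell tool. It only reports; which of these
findings iChain itself tolerates is not stated on the page.
"""
import re

# Constructed sample with deliberate defects (not a policy from the page).
SAMPLE_POLICY = (
    "<!-start of secure tunnel -->\n"
    "<urlPolicy>\n"
    "<name> NFuseTest</name>\n"
    "<url>nfuse.novell.com/Citrix/NFuse17/launch.asp</url>\t\n"
    "<actions>\n"
    "<icaFill>\n"
    "<icaMetaPrivateAddress>\n"
    "Address=151.155.164.200\n"
    "Address=151.155.164.201\n"
    "</icaMetaPrivateAddress>\n"
    "</icafill>\n"
    "</actions>\n"
    "</urlPolicy>\n"
)

TAG = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)[^<>]*?(/?)>")
PADDED = re.compile(r"<(\w+)>(\s+[^<]*|[^<]*\s+)</\1>")
VOID = {"input"}  # written without a closing tag in the page's policies


def lint_policy(text, web_server_addrs):
    """Return [(line_number, message)]; line 0 marks a whole-policy finding."""
    findings, stack, private = [], [], []
    for no, line in enumerate(text.splitlines(), 1):
        if "\t" in line:
            findings.append((no, "TAB character"))
        if line != line.rstrip():
            findings.append((no, "trailing whitespace"))
        if re.search(r"<!-(?!-)", line):
            findings.append((no, "comment opened with '<!-' rather than '<!--'"))
        if PADDED.search(line):
            findings.append((no, "blank padding inside element text"))

        # Track open elements so a close tag can be compared with its opener.
        for closing, name, selfclose in TAG.findall(re.sub(r"<!-.*?-->", "", line)):
            if selfclose or name.lower() in VOID:
                continue
            if not closing:
                stack.append((name, no))
                continue
            opener = stack.pop()[0] if stack else None
            if opener is None or opener.lower() != name.lower():
                findings.append((no, f"unexpected </{name}>"))
            elif opener != name:
                findings.append((no, f"</{name}> differs in case from <{opener}>"))

        # Collect back-end addresses listed inside <icaMetaPrivateAddress>.
        if stack and stack[-1][0] == "icaMetaPrivateAddress" \
                and line.startswith("Address="):
            private.append(line.split("=", 1)[1].strip())

    findings += [(n, f"<{name}> is never closed") for name, n in stack]

    # Step 15's note: these MUST match the accelerator's Web Server Addresses.
    missing = sorted(set(web_server_addrs) - set(private))
    extra = sorted(set(private) - set(web_server_addrs))
    if missing:
        findings.append((0, "not in <icaMetaPrivateAddress>: " + ", ".join(missing)))
    if extra:
        findings.append((0, "not a Web Server Address: " + ", ".join(extra)))
    return findings


if __name__ == "__main__":
    for line_no, message in lint_policy(
            SAMPLE_POLICY, ["151.155.164.200", "151.155.164.202"]):
        print(f"line {line_no:>2}: {message}")
```

Run it against the policy text before unloading and reloading SSO, passing the addresses configured in the MetaFrame accelerator's 'Web Server Addresses' field.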

Information Flow

To better troubleshoot Citrix issues with iChain 2.3, one needs to understand the flow of traffic that takes place when the Citrix ICA client talks to back end Nfuse or MetaFrame servers. This section will outline this flow and also includes an analysis of a LAN trace describing the packets one will see on the wire.

a) High level event flow (Using the diagram below as a reference)

The assumption is that the Nfuse server is used to extract the applications available for users. If this is not the case, administrators must manually configure the ICA file and place it on a secured Web server instead.

  1. The user of an ICA client uses a browser and logs in to iChain to access the NFuse web portal.


  2. The portal server prompts the user to login for accessing ICA services. (Note: FormFill can be used here to remember the user's credentials for single sign-on).


  3. The portal server reads the user's information and uses the NFuse Java objects to forward that information to the Citrix XML Services, on port 80, running on a designated MetaFrame server in the server farm. This designated MetaFrame server acts as a broker between the Portal server and the MetaFrame server farm.


  4. The Citrix XML service on the designated server retrieves a list of applications that the user is authorized to access. It forwards this information to the NFuse portal server.


  5. The NFuse server uses its Java objects to generate an HTML page containing links to the applications. Each hyperlink in the HTML page points to the template.ica file stored on the Nfuse server. This file serves as a template that NFuse uses to dynamically generate customized ICA files.


  6. When the user clicks on a published application link, the browser sends a request to the NFuse server to request an ICA file for the selected application. ICA files are text files containing parameters that configure ICA session properties such as the application to run in the session, the address of the server that executes the application, and properties of the window in which to display the application. ICA files are written in .ini file format and have an .ica extension.

    The NFuse server passes this request to the NFuse Java objects, which retrieve the template ICA file. The template file contains substitution tags. The NFuse Java objects replace the substitution tags in the template ICA file with the information specific to the user and desired application. The NFuse Java objects then send the customized ICA file to the browser.


  7. iChain (sso.nlm) filters the template ICA file and rewrites the parameters with a proxy setting. The proxy login username is injected with a one-time iChain token. iChain sends the modified ICA file to the browser (iChain modifies the ICA file to configure iChain as a forward proxy for the ICA client).


  8. The browser passes the ICA file to the ICA client. Based on the ICA file, the ICA client launches an ICA session to iChain.


  9. The ICA client treats iChain as a secure forward proxy with authentication enabled. When the ICA client requests iChain to create a secure tunnel, iChain challenges the client for the one-time token. The ICA client submits the one-time iChain token for authentication. iChain validates the token and creates a tunnel for the client. From now on the ICA traffic flows through the tunnel.
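
The rewrite in step 7 and the one-time token check in step 9, modelled in Python as an added example (not iChain code and not part of the original AppNote). The token format and lifetime, the `TokenStore` class and the port-preserving address substitution are assumptions; host names and addresses are the ones used in this document.

```python
"""Model of the ICA rewrite (flow step 7) and one-time token check (step 9).

Added illustration, not iChain code. Token format, lifetime and the
port-preserving address rewrite are assumptions.
"""
import secrets
import time

# Constructed sample, abbreviated from the back-end response in Frame 7.
BACKEND_ICA = """[WFClient]
Version=2
RemoveICAFile=yes

[ApplicationServers]
Wordpad=

[Wordpad]
Address=151.155.164.200:1494
InitialProgram=#Wordpad
TransportDriver=TCP/IP
"""


class TokenStore:
    """Issues single-use proxy credentials and consumes them on first use."""

    def __init__(self, lifetime_s=30, clock=time.monotonic):
        self.lifetime_s = lifetime_s  # assumed: the page does not define it
        self.clock = clock
        self._live = {}  # username -> (password, expiry)

    def issue(self):
        # Hex lengths mirror ProxyUsername/ProxyPassword in Frame 8.
        user, password = secrets.token_hex(12), secrets.token_hex(20)
        self._live[user] = (password, self.clock() + self.lifetime_s)
        return user, password

    def redeem(self, user, password):
        """True once per issued pair, before expiry; any attempt burns it."""
        stored, expiry = self._live.pop(user, (None, 0))
        if stored is None:
            return False
        return secrets.compare_digest(stored, password) and self.clock() <= expiry


def rewrite_ica(text, proxy_host, private_addrs, public_addr, store):
    """Return (rewritten ICA text, issued token) for one launch request."""
    user, password = store.issue()
    out = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if line.strip() == "[WFClient]":
            out += [line, f"ProxyHost={proxy_host}", "ProxyType=Secure",
                    f"ProxyUsername={user}", f"ProxyPassword={password}"]
        elif sep and key.strip() == "Address":
            host, colon, port = value.strip().partition(":")
            if host in private_addrs:
                host = public_addr  # hide the back-end address
            out.append(f"Address={host}{colon}{port}")
        else:
            out.append(line)
    return "\n".join(out) + "\n", (user, password)


def audit_ica(text, proxy_host, private_addrs):
    """List what is wrong with an ICA file as delivered to the client."""
    section, wfclient, findings = None, {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            continue
        if section == "WFClient":
            wfclient[key] = value
        if key == "Address" and value.partition(":")[0] in private_addrs:
            findings.append(f"[{section}] exposes back-end address {value}")
    if wfclient.get("ProxyHost") != proxy_host:
        findings.append("[WFClient] ProxyHost is not the MetaFrame accelerator")
    if wfclient.get("ProxyType") != "Secure":
        findings.append("[WFClient] ProxyType is not Secure")
    if not (wfclient.get("ProxyUsername") and wfclient.get("ProxyPassword")):
        findings.append("[WFClient] one-time token is missing")
    return findings


if __name__ == "__main__":
    store = TokenStore()
    private = {"151.155.164.200"}
    ica, token = rewrite_ica(BACKEND_ICA, "citrix.novell.com:80", private,
                             "citrix.novell.com", store)
    print(audit_ica(BACKEND_ICA, "citrix.novell.com:80", private))
    print(audit_ica(ica, "citrix.novell.com:80", private))
    print(store.redeem(*token), store.redeem(*token))  # second use is a replay
```

`audit_ica` is the part to reuse when troubleshooting: feed it the ICA body captured on the client side of the proxy to confirm that the FormFill profile matched and no back-end address reached the client.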

b) LAN Trace analysis

The following section describes the key packets from the LAN trace (taken after authentication to the Web server or Nfuse). The number at the start of every paragraph corresponds to the frame number in the trace. The IP addresses referenced in the trace correspond to the following hosts:

Browser with ICA plugin: 147.2.16.199
iChain Accelerator:
  Primary interface: 147.2.16.112
  Nfuse Authentication Server: 147.2.16.115 (nfuse.novell.com)
  Metaframe Citrix server: 147.2.16.113 (mframe.novell.com)
Citrix Nfuse and MetaFrame server: 151.155.164.200

  1. Request to access wordpad application from ICA client. The request will be sent to the Web server hosting the ICA files for the application (most commonly the Nfuse server). In this example, the ICA file is stored on the Nfuse server and hence the request from the ICA client goes to the Nfuse accelerator on iChain.
    - - - - - - - - - - - - - - - - - - - - Frame 1 - - - - - - - - - - - - - - - - - - - -
    "Flags ","Frame ","Delta Time   ","Destination       ","Source            ","Bytes","Protocol  ","Summary"
    "    M ","     1","0.000.000    ","[147.2.16.115]  ","[147.2.16.199]  ","  964 ","HTTP"," C Port=1842 
    GET /Citrix/NFuse17/launch.asp?NFuse_Application=Wordpad&NFuse_AppFriendlyNameURLEncoded=Wordpad HTTP/1.1"
    DLC: Ethertype=0800, size=964 bytes
    IP:  D=[147.2.16.115] S=[147.2.16.199] LEN=930 ID=60810
    TCP: D=80 S=1842     ACK=2644409152 SEQ=1601757634 LEN=910 WIN=64512
    HTTP: ----- Hypertext Transfer Protocol -----
          HTTP: 
          HTTP: Line  1:  GET /Citrix/NFuse17/launch.asp?NFuse_Application=Wordpad&NFu
          HTTP:           se_AppFriendlyNameURLEncoded=Wordpad HTTP/1.1
          HTTP: Line  2:  Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
          HTTP:            application/vnd.ms-powerpoint, application/vnd.ms-excel, ap
          HTTP:           plication/msword, application/x-shockwave-flash, */*
          HTTP: Line  3:  Referer: http://nfuse.novell.com/Citrix/NFuse17/appli
          HTTP:           st.asp?NFuse_currentFolder=
          HTTP: Line  4:  Accept-Language: en-us
          HTTP: Line  5:  Accept-Encoding: gzip, deflate
          HTTP: Line  6:  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.
          HTTP:           0)
          HTTP: Line  7:  Host: nfuse.novell.com
          HTTP: Line  8:  Connection: Keep-Alive
          HTTP: Line  9:  Cookie: icaClientCode=1; icaObjectCode=1; icaBrowserCode=1;
          HTTP:           icaScreenResolution=1280x1024; NFuseMode=NFuse%5FCurrentFold
          HTTP:           er=&NFuse%5FWindowType=seamless; NFuseUseSavedFolder=On; NFu
          HTTP:           seLogin=NFuse%5FLogonMode=Explicit; novell_language=en-us; i
          HTTP:           sFScommandSup=1; IPCZQX02f7d8ed19=54ddf24d0ce6c75faa33dd1c00
          HTTP:           188103fdf175f8; ASPSESSIONIDSSSRSAAB=GLOHJPPBJNJHNGNGOGBJOPA
          HTTP:           F
          HTTP: Line 10:  
          HTTP:  


  2. The ICA client request for the application is forwarded by iChain to the back end Nfuse server (where the ICA file is located). Note that the source IP address is the primary interface and not the Nfuse accelerator IP address. This is simply the IP stack using the address of the interface the packet is sent out on as the source address.
    - - - - - - - - - - - - - - - - - - - - Frame 2 - - - - - - - - - - - - - - - - - - - -
    "Flags ","Frame ","Delta Time   ","Destination       ","Source            ","Bytes","Protocol  ","Summary"
    "      ","     2","0.001.539    ","[151.155.164.200] ","[147.2.16.112]  ","  997 ","HTTP"," C Port=2315 
    GET /Citrix/NFuse17/launch.asp?NFuse_Application=Wordpad&NFuse_AppFriendlyNameURLEncoded=Wordpad HTTP/1.1"
    DLC: Ethertype=0800, size=997 bytes
    IP:  D=[151.155.164.200] S=[147.2.16.112] LEN=963 ID=57428
    TCP: D=80 S=2315     ACK=376883539 SEQ=4200104649 LEN=943 WIN=64511
    HTTP: ----- Hypertext Transfer Protocol -----
          HTTP: 
          HTTP: Line  1:  GET /Citrix/NFuse17/launch.asp?NFuse_Application=Wordpad&NFu
          HTTP:           se_AppFriendlyNameURLEncoded=Wordpad HTTP/1.1
          HTTP: Line  2:  Connection: keep-alive, TE
          HTTP: Line  3:  Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
          HTTP:            application/vnd.ms-powerpoint, application/vnd.ms-excel, ap
          HTTP:           plication/msword, application/x-shockwave-flash, */*
          HTTP: Line  4:  Referer: http://nfuse.novell.com/Citrix/NFuse17/appli
          HTTP:           st.asp?NFuse_currentFolder=
          HTTP: Line  5:  Accept-Language: en-us
          HTTP: Line  6:  Accept-Encoding: gzip, deflate
          HTTP: Line  7:  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.
          HTTP:           0)
          HTTP: Line  8:  Host: nfuse.novell.com
          HTTP: Line  9:  Cookie: icaClientCode=1; icaObjectCode=1; icaBrowserCode=1;
          HTTP:           icaScreenResolution=1280x1024; NFuseMode=NFuse%5FCurrentFold
          HTTP:           er=&NFuse%5FWindowType=seamless; NFuseUseSavedFolder=On; NFu
          HTTP:           seLogin=NFuse%5FLogonMode=Explicit; novell_language=en-us; i
          HTTP:           sFScommandSup=1; ASPSESSIONIDSSSRSAAB=GLOHJPPBJNJHNGNGOGBJOP
          HTTP:           AF
          HTTP: Line 10:  TE: chunked, identity, deflate
          HTTP: Line 11:  Via: 1.1 ics_server.provo.novell.com (iChain 2.2.214d)
          HTTP: Line 12:  
          HTTP: 


  3. The Nfuse server sends an HTTP redirect back to iChain for the location of the ICA file.
    - - - - - - - - - - - - - - - - - - - - Frame 3 - - - - - - - - - - - - - - - - - - - -
    "Flags ","Frame ","Delta Time   ","Destination       ","Source            ","Bytes","Protocol  ","Summary"
    "      ","     3","0.004.768    ","[147.2.16.112]  ","[151.155.164.200] ","  506 ","HTTP"," R Port=2315 HTML Data"
    DLC: Ethertype=0800, size=506 bytes
    IP:  D=[147.2.16.112] S=[151.155.164.200] LEN=472 ID=45206
    TCP: D=2315 S=80     ACK=4200105592 SEQ=376883539 LEN=452 WIN=63569
    HTTP: ----- Hypertext Transfer Protocol -----
          HTTP: 
          HTTP: Line  1:  HTTP/1.1 302 Object moved
          HTTP: Line  2:  Server: Microsoft-IIS/5.0
          HTTP: Line  3:  Date: Wed, 21 Jan 2004 22:49:23 GMT
          HTTP: Line  4:  X-Powered-By: ASP.NET
          HTTP: Line  5:  Location: /Citrix/NFuse17/launch.asp?NFuse_UID=56963&NFuse_A
          HTTP:           pplication=Wordpad&NFuse_AppFriendlyNameURLEncoded=Wordpad&N
          HTTP:           Fuse_MIMEExtension=.ica
          HTTP: Line  6:  Content-Length: 121
          HTTP: Line  7:  Content-Type: text/html
          HTTP: Line  8:  Cache-control: private
          HTTP: Line  9:  
          HTTP: Line 10:  <head><title>Object moved</title></head>
          HTTP: Line 11:  <body><h1>Object Moved</h1>This object may be found <a HREF=
          HTTP:           "">here</a>.</body>
          HTTP:  


  4. iChain transmits the HTTP redirect back to the ICA client pointing to the location of the ICA file
    - - - - - - - - - - - - - - - - - - - - Frame 4 - - - - - - - - - - - - - - - - - - - -
    "Flags ","Frame ","Delta Time   ","Destination       ","Source            ","Bytes","Protocol  ","Summary"
    "      ","     4","0.001.629    ","[147.2.16.199]  ","[147.2.16.115]  ","  630 ","HTTP"," R Port=1842 HTML Data"
    DLC: Ethertype=0800, size=630 bytes
    IP:  D=[147.2.16.199] S=[147.2.16.115] LEN=596 ID=57940
    TCP: D=1842 S=80     ACK=1601758544 SEQ=2644409152 LEN=576 WIN=11064
    HTTP: ----- Hypertext Transfer Protocol -----
          HTTP: 
          HTTP: Line  1:  HTTP/1.1 302 Object moved
          HTTP: Line  2:  Server: Microsoft-IIS/5.0
          HTTP: Line  3:  Date: Wed, 21 Jan 2004 22:49:23 GMT
          HTTP: Line  4:  X-Powered-By: ASP.NET
          HTTP: Line  5:  Location: /Citrix/NFuse17/launch.asp?NFuse_UID=56963&NFuse_A
          HTTP:           pplication=Wordpad&NFuse_AppFriendlyNameURLEncoded=Wordpad&N
          HTTP:           Fuse_MIMEExtension=.ica
          HTTP: Line  6:  Cache-Control: private
          HTTP: Line  7:  Content-Type: text/html
          HTTP: Line  8:  Content-Length: 121
          HTTP: Line  9:  Cache-Control: no-store
          HTTP: Line 10:  Cache-Control: no-cache
          HTTP: Line 11:  Pragma: no-cache
          HTTP: Line 12:  Via: 1.1 ics_server.provo.novell.com (iChain 2.2.214d)
          HTTP: Line 13:  
          HTTP: Line 14:  <head><title>Object moved</title></head>
          HTTP: Line 15:  <body><h1>Object Moved</h1>This object may be found <a HREF=
          HTTP:           "">here</a>.</body>
          HTTP: 


  5. ICA client generates the request to iChain to get the ICA file. Again, this request is sent to the Nfuse accelerator on iChain.
    - - - - - - - - - - - - - - - - - - - - Frame 5 - - - - - - - - - - - - - - - - - - - -
    "Flags ","Frame ","Delta Time   ","Destination       ","Source            ","Bytes","Protocol  ","Summary"
    "      ","     5","0.002.396    ","[147.2.16.115]  ","[147.2.16.199]  "," 1005 ","HTTP"," C Port=1843 
    GET /Citrix/NFuse17/launch.asp?NFuse_UID=56963&NFuse_Application=Wordpad&NFuse_AppFriendlyNameURLEncoded=Wordpad&NFuse_MIMEExtension=.ic..."
    DLC: Ethertype=0800, size=1005 bytes
    IP:  D=[147.2.16.115] S=[147.2.16.199] LEN=971 ID=60812
    TCP: D=80 S=1843     ACK=543276904 SEQ=1601827466 LEN=951 WIN=64512
    HTTP: ----- Hypertext Transfer Protocol -----
          HTTP: 
          HTTP: Line  1:  GET /Citrix/NFuse17/launch.asp?NFuse_UID=56963&NFuse_Applica
          HTTP:           tion=Wordpad&NFuse_AppFriendlyNameURLEncoded=Wordpad&NFuse_M
          HTTP:           IMEExtension=.ica HTTP/1.1
          HTTP: Line  2:  Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
          HTTP:            application/vnd.ms-powerpoint, application/vnd.ms-excel, ap
          HTTP:           plication/msword, application/x-shockwave-flash, */*
          HTTP: Line  3:  Referer: http://nfuse.novell.com/Citrix/NFuse17/appli
          HTTP:           st.asp?NFuse_currentFolder=
          HTTP: Line  4:  Accept-Language: en-us
          HTTP: Line  5:  Accept-Encoding: gzip, deflate
          HTTP: Line  6:  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.
          HTTP:           0)
          HTTP: Line  7:  Host: nfuse.novell.com
          HTTP: Line  8:  Connection: Keep-Alive
          HTTP: Line  9:  Cookie: icaClientCode=1; icaObjectCode=1; icaBrowserCode=1;
          HTTP:           icaScreenResolution=1280x1024; NFuseMode=NFuse%5FCurrentFold
          HTTP:           er=&NFuse%5FWindowType=seamless; NFuseUseSavedFolder=On; NFu
          HTTP:           seLogin=NFuse%5FLogonMode=Explicit; novell_language=en-us; i
          HTTP:           sFScommandSup=1; IPCZQX02f7d8ed19=54ddf24d0ce6c75faa33dd1c00
          HTTP:           188103fdf175f8; ASPSESSIONIDSSSRSAAB=GLOHJPPBJNJHNGNGOGBJOPA
          HTTP:           F
          HTTP: Line 10:  
          HTTP: 


  6. iChain forwards ICA client request to Nfuse server to get the ICA file
    - - - - - - - - - - - - - - - - - - - - Frame 6 - - - - - - - - - - - - - - - - - - - -
    "Flags ","Frame ","Delta Time   ","Destination       ","Source            ","Bytes","Protocol  ","Summary"
    "      ","     6","0.001.501    ","[151.155.164.200] ","[147.2.16.112]  "," 1038 ","HTTP"," C Port=2315 
    GET /Citrix/NFuse17/launch.asp?NFuse_UID=56963&NFuse_Application=Wordpad&NFuse_AppFriendlyNameURLEncoded=Wordpad&NFuse_MIMEExtension=.ic..."
    DLC: Ethertype=0800, size=1038 bytes
    IP:  D=[151.155.164.200] S=[147.2.16.112] LEN=1004 ID=58452
    TCP: D=80 S=2315     ACK=376883991 SEQ=4200105592 LEN=984 WIN=65535
    HTTP: ----- Hypertext Transfer Protocol -----
          HTTP: 
          HTTP: Line  1:  GET /Citrix/NFuse17/launch.asp?NFuse_UID=56963&NFuse_Applica
          HTTP:           tion=Wordpad&NFuse_AppFriendlyNameURLEncoded=Wordpad&NFuse_M
          HTTP:           IMEExtension=.ica HTTP/1.1
          HTTP: Line  2:  Connection: keep-alive, TE
          HTTP: Line  3:  Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
          HTTP:            application/vnd.ms-powerpoint, application/vnd.ms-excel, ap
          HTTP:           plication/msword, application/x-shockwave-flash, */*
          HTTP: Line  4:  Referer: http://nfuse.novell.com/Citrix/NFuse17/appli
          HTTP:           st.asp?NFuse_currentFolder=
          HTTP: Line  5:  Accept-Language: en-us
          HTTP: Line  6:  Accept-Encoding: gzip, deflate
          HTTP: Line  7:  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.
          HTTP:           0)
          HTTP: Line  8:  Host: nfuse.novell.com
          HTTP: Line  9:  Cookie: icaClientCode=1; icaObjectCode=1; icaBrowserCode=1;
          HTTP:           icaScreenResolution=1280x1024; NFuseMode=NFuse%5FCurrentFold
          HTTP:           er=&NFuse%5FWindowType=seamless; NFuseUseSavedFolder=On; NFu
          HTTP:           seLogin=NFuse%5FLogonMode=Explicit; novell_language=en-us; i
          HTTP:           sFScommandSup=1; ASPSESSIONIDSSSRSAAB=GLOHJPPBJNJHNGNGOGBJOP
          HTTP:           AF
          HTTP: Line 10:  TE: chunked, identity, deflate
          HTTP: Line 11:  Via: 1.1 ics_server.provo.novell.com (iChain 2.2.214d)
          HTTP: Line 12:  
          HTTP:  


  7. The Nfuse server sends back the response, which includes the ICA file contents. Note that iChain, if the formfill profile is configured correctly, recognises that the ICA data needs to be processed and rewritten. For more information on what needs to be rewritten, check the iChain 2.3 documentation.
    - - - - - - - - - - - - - - - - - - - - Frame 7 - - - - - - - - - - - - - - - - - - - -
    "Flags ","Frame ","Delta Time   ","Destination       ","Source            ","Bytes","Protocol  ","Summary"
    "      ","     7","0.060.619    ","[147.2.16.112]  ","[151.155.164.200] "," 1220 ","HTTP"," R Port=2315 HTML Data"
    DLC: Ethertype=0800, size=1220 bytes
    IP:  D=[147.2.16.112] S=[151.155.164.200] LEN=1186 ID=45241
    TCP: D=2315 S=80     ACK=4200106576 SEQ=376883991 LEN=1166 WIN=64512
    HTTP: ----- Hypertext Transfer Protocol -----
          HTTP: 
          HTTP: Line  1:  HTTP/1.1 200 OK
          HTTP: Line  2:  Server: Microsoft-IIS/5.0
          HTTP: Line  3:  Date: Wed, 21 Jan 2004 22:49:23 GMT
          HTTP: Line  4:  X-Powered-By: ASP.NET
          HTTP: Line  5:  Content-Length: 942
          HTTP: Line  6:  Content-Type: application/x-ica
          HTTP: Line  7:  Expires: Thu, 15 Jan 2004 00:09:23 GMT
          HTTP: Line  8:  Cache-control: private
          HTTP: Line  9:  
          HTTP: Line 10:  
          HTTP: Line 11:  
          HTTP: Line 12:  
          HTTP: Line 13:  
          HTTP: Line 14:  
          HTTP: Line 15:  [Encoding]
          HTTP: Line 16:  InputEncoding=ISO8859_1
          HTTP: Line 17:  
          HTTP: Line 18:  
          HTTP: Line 19:  
          HTTP: Line 20:  
          HTTP: Line 21:  
          HTTP: Line 22:  
          HTTP: Line 23:  
          HTTP: Line 24:  
          HTTP: Line 25:  [WFClient]
          HTTP: Line 26:  Version=2
          HTTP: Line 27:  ClientName=ichai-administ-mxjln
          HTTP: Line 28:  
          HTTP: Line 29:  RemoveICAFile=yes
          HTTP: Line 30:  
          HTTP: Line 31:  
          HTTP: Line 32:  [ApplicationServers]
          HTTP: Line 33:  Wordpad=
          HTTP: Line 34:  
          HTTP: Line 35:  [Wordpad]
          HTTP: Line 36:  Address=151.155.164.200:1494
          HTTP: Line 37:  InitialProgram=#Wordpad
          HTTP: Line 38:  LongCommandLine=""
          HTTP: Line 39:  DesiredColor=2
          HTTP: Line 40:  TransportDriver=TCP/IP
          HTTP: Line 41:  WinStationDriver=ICA 3.0
          HTTP: Line 42:  
          HTTP: Line 43:  
          HTTP: Line 44:  
          HTTP: Line 45:  AutologonAllowed=ON
          HTTP: Line 46:  Username=administrator
          HTTP: Line 47:  Domain=\50F509C390716E7A
          HTTP: Line 48:  ClearPassword=60219357DD642A
          HTTP: Line 49:  
          HTTP: Line 50:  
          HTTP: Line 51:  ClientAudio=On
          HTTP: Line 52:  
          HTTP: Line 53:  DesiredHRES=640
          HTTP: Line 54:  DesiredVRES=480
          HTTP: Line 55:  TWIMode=On
          HTTP: Line 56:  
          HTTP: Line 57:  
          HTTP: Line 58:  
          HTTP: Line 59:  
          HTTP: Line 60:  SessionsharingKey=2-basic-basic-ichainfarm-administrator-iCh
          HTTP:           ainFarm
          HTTP: Line 61:  
          HTTP: Line 62:  [EncRC5-0]
          HTTP: Line 63:  DriverNameWin16=pdc0w.dll
          HTTP: Line 64:  DriverNameWin32=pdc0n.dll
          HTTP: Line 65:  
          HTTP: Line 66:  [EncRC5-40]
          HTTP: Line 67:  DriverNameWin16=pdc40w.dll
          HTTP: Line 68:  DriverNameWin32=pdc40n.dll
          HTTP: Line 69:  
          HTTP: Line 70:  [EncRC5-56]
          HTTP: Line 71:  DriverNameWin16=pdc56w.dll
          HTTP: Line 72:  DriverNameWin32=pdc56n.dll
          HTTP: Line 73:  
          HTTP: Line 74:  [EncRC5-128]
          HTTP: Line 75:  DriverNameWin16=pdc128w.dll
          HTTP: Line 76:  DriverNameWin32=pdc128n.dll
          HTTP: Line 77:  
          HTTP: Line 78:  [Compress]
          HTTP: Line 79:  DriverNameWin16=pdcompw.dll
          HTTP: Line 80:  DriverNameWin32=pdcompn.dll
          HTTP:  


  8. iChain, once the formfill filter has modified the ICA file sent back by the Nfuse server, transmits the 'new' ICA file back to the ICA client. Note the [WFClient] and [WordPad] application sections have been rewritten with the IP address and DNS name of the iChain accelerators.
    - - - - - - - - - - - - - - - - - - - - Frame 8 - - - - - - - - - - - - - - - - - - - -
    "Flags ","Frame ","Delta Time   ","Destination       ","Source            ","Bytes","Protocol  ","Summary"
    "      ","     8","0.003.801    ","[147.2.16.199]  ","[147.2.16.115]  "," 1038 ","HTTP"," R Port=1843 HTML Data"
    DLC: Ethertype=0800, size=1038 bytes
    IP:  D=[147.2.16.199] S=[147.2.16.115] LEN=1004 ID=58964
    TCP: D=1843 S=80     ACK=1601828417 SEQ=543276904 LEN=984 WIN=8112
    HTTP: ----- Hypertext Transfer Protocol -----
          HTTP: 
          HTTP: Line  1:  HTTP/1.1 200 OK
          HTTP: Line  2:  Server: Microsoft-IIS/5.0
          HTTP: Line  3:  Date: Wed, 21 Jan 2004 22:49:23 GMT
          HTTP: Line  4:  X-Powered-By: ASP.NET
          HTTP: Line  5:  Cache-Control: private
          HTTP: Line  6:  Content-Type: application/x-ica
          HTTP: Line  7:  Content-Length: 1104
          HTTP: Line  8:  Via: 1.1 ics_server.provo.novell.com (iChain 2.2.214d)
          HTTP: Line  9:  
          HTTP: Line 10:  
          HTTP: Line 11:  
          HTTP: Line 12:  
          HTTP: Line 13:  
          HTTP: Line 14:  
          HTTP: Line 15:  [Encoding]
          HTTP: Line 16:  InputEncoding=ISO8859_1
          HTTP: Line 17:  
          HTTP: Line 18:  
          HTTP: Line 19:  
          HTTP: Line 20:  
          HTTP: Line 21:  
          HTTP: Line 22:  
          HTTP: Line 23:  
          HTTP: Line 24:  
          HTTP: Line 25:  [WFClient]
          HTTP: Line 26:  ProxyHost=mframe.novell.com:80
          HTTP: Line 27:  ProxyType=Secure
          HTTP: Line 28:  ProxyUsername=5487e3deece6e46bfe39c82d
          HTTP: Line 29:  ProxyPassword=150c40ce5efbc3b5d562e70377c38ad500aa9922
          HTTP: Line 30:  Version=2
          HTTP: Line 31:  ClientName=ichai-administ-mxjln
          HTTP: Line 32:  
          HTTP: Line 33:  RemoveICAFile=yes
          HTTP: Line 34:  
          HTTP: Line 35:  
          HTTP: Line 36:  [ApplicationServers]
          HTTP: Line 37:  Wordpad=
          HTTP: Line 38:  
          HTTP: Line 39:  [Wordpad]
          HTTP: Line 40:  Address=mframe.novell.com:1494
          HTTP: Line 41:  InitialProgram=#Wordpad
          HTTP: Line 42:  LongCommandLine=""
          HTTP: Line 43:  DesiredColor=2
          HTTP: Line 44:  TransportDriver=TCP/IP
          HTTP: Line 45:  WinStationDriver=ICA 3.0
          HTTP: Line 46:  
          HTTP: Line 47:  
          HTTP: Line 48:  
          HTTP: Line 49:  AutologonAllowed=ON
          HTTP: Line 50:  Username=administrator
          HTTP: Line 51:  Domain=\50F509C390716E7A
          HTTP: Line 52:  ClearPassword=60219357DD642A
          HTTP: Line 53:  
          HTTP: Line 54:  
          HTTP: Line 55:  ClientAudio=On
          HTTP: Line 56:  
          HTTP: Line 57:  DesiredHRES=640
          HTTP: Line 58:  DesiredVRES=480
          HTTP: Line 59:  TWIMode=On
          HTTP: Line 60:  
          HTTP: Line 61:  
          HTTP: Line 62:  
          HTTP: Line 63:  
          HTTP: Line 64:  SessionsharingKey=2-basic-basic-ichainfarm-administrator-iCh
          HTTP:           ainF
          HTTP:  


  9. Continuation of Frame 8 -- the rewritten ICA file could not fit into one TCP segment and therefore required another frame.
    - - - - - - - - - - - - - - - - - - - - Frame 9 - - - - - - - - - - - - - - - - - - - -
    "Flags ","Frame ","Delta Time   ","Destination       ","Source            ","Bytes","Protocol  ","Summary"
    "      ","     9","0.000.233    ","[147.2.16.199]  ","[147.2.16.115]  ","  415 ","HTTP"," R Port=1843 HTML Data"
    DLC: Ethertype=0800, size=415 bytes
    IP:  D=[147.2.16.199] S=[147.2.16.115] LEN=381 ID=59220
    TCP: D=1843 S=80     ACK=1601828417 SEQ=543277888 LEN=361 WIN=8112
    HTTP: ----- Hypertext Transfer Protocol -----
          HTTP: 
          HTTP: Line  1:  arm
          HTTP: Line  2:  
          HTTP: Line  3:  [EncRC5-0]
          HTTP: Line  4:  DriverNameWin16=pdc0w.dll
          HTTP: Line  5:  DriverNameWin32=pdc0n.dll
          HTTP: Line  6:  
          HTTP: Line  7:  [EncRC5-40]
          HTTP: Line  8:  DriverNameWin16=pdc40w.dll
          HTTP: Line  9:  DriverNameWin32=pdc40n.dll
          HTTP: Line 10:  
          HTTP: Line 11:  [EncRC5-56]
          HTTP: Line 12:  DriverNameWin16=pdc56w.dll
          HTTP: Line 13:  DriverNameWin32=pdc56n.dll
          HTTP: Line 14:  
          HTTP: Line 15:  [EncRC5-128]
          HTTP: Line 16:  DriverNameWin16=pdc128w.dll
          HTTP: Line 17:  DriverNameWin32=pdc128n.dll
          HTTP: Line 18:  
          HTTP: Line 19:  [Compress]
          HTTP: Line 20:  DriverNameWin16=pdcompw.dll
          HTTP: Line 21:  DriverNameWin32=pdcompn.dll
          HTTP:  


  10. The ICA client, in response to the ICA file returned in the previous step, generates a CONNECT request. The CONNECT request, used to set up the tunnel between the iChain proxy and the back end MetaFrame server, is sent to the metaframe accelerator on iChain and NOT to the Nfuse server we have been communicating with so far. Note that the HTTP request goes to TCP port 80 on the iChain box but that the tunnel requested is for TCP port 1494 (the Citrix MetaFrame server listening port).
    - - - - - - - - - - - - - - - - - - - - Frame 10 - - - - - - - - - - - - - - - - - - - -
    "Flags ","Frame ","Delta Time   ","Destination       ","Source            ","Bytes","Protocol  ","Summary"
    "      ","    10","6.566.079    ","[147.2.16.113]  ","[147.2.16.199]  ","  133 ","HTTP"," C Port=1845 CONNECT 147.2.16.113:1494 HTTP/1.0"
    DLC: Ethertype=0800, size=133 bytes
    IP:  D=[147.2.16.113] S=[147.2.16.199] LEN=99 ID=60821
    TCP: D=80 S=1845     ACK=3914937487 SEQ=1605255586 LEN=79 WIN=64512
    HTTP: ----- Hypertext Transfer Protocol -----
          HTTP: 
          HTTP: Line  1:  CONNECT 147.2.16.113:1494 HTTP/1.0
          HTTP: Line  2:  Host: 147.2.16.113:1494
          HTTP: Line  3:  Accept:*/*
          HTTP: Line  4:  
          HTTP: 
     


  11. The iChain Proxy, in order to set up the tunnel to the back end MetaFrame server, requests that the ICA client authenticate first. This is done by sending a 407 response with a Proxy-Authenticate header to the ICA client.
    - - - - - - - - - - - - - - - - - - - - Frame 11 - - - - - - - - - - - - - - - - - - - -
    "Flags ","Frame ","Delta Time   ","Destination       ","Source            ","Bytes","Protocol  ","Summary"
    "      ","    11","0.001.542    ","[147.2.16.199]  ","[147.2.16.113]  "," 1038 ","HTTP"," R Port=1845 HTML Data"
    DLC: Ethertype=0800, size=1038 bytes
    IP:  D=[147.2.16.199] S=[147.2.16.113] LEN=1004 ID=62548
    TCP: D=1845 S=80     ACK=1605255665 SEQ=3914937487 LEN=984 WIN=6065
    HTTP: ----- Hypertext Transfer Protocol -----
          HTTP: 
          HTTP: Line  1:  HTTP/1.0 407 Proxy Authentication Required
          HTTP: Line  2:  Content-Type: text/html; charset=utf-8
          HTTP: Line  3:  Content-Length: 1527
          HTTP: Line  4:  Pragma: no-cache
          HTTP: Line  5:  Proxy-Authenticate: Basic realm="iChain-ICA"
          HTTP: Line  6:  
          HTTP: 
          HTTP: [812 bytes of Graphics Data]
          HTTP: 


  12. Continuation of Frame 11, sent by the iChain server to the ICA client, because the response was too large for one TCP segment.
    - - - - - - - - - - - - - - - - - - - - Frame 12 - - - - - - - - - - - - - - - - - - - -
    "Flags ","Frame ","Delta Time   ","Destination       ","Source            ","Bytes","Protocol  ","Summary"
    "      ","    12","0.000.208    ","[147.2.16.199]  ","[147.2.16.113]  ","  769 ","HTTP"," R Port=1845 HTML Data"
    DLC: Ethertype=0800, size=769 bytes
    IP:  D=[147.2.16.199] S=[147.2.16.113] LEN=735 ID=62804
    TCP: D=1845 S=80 FIN ACK=1605255665 SEQ=3914938471 LEN=715 WIN=6065
    HTTP: ----- Hypertext Transfer Protocol -----
          HTTP: 
          HTTP: Line  1:  black" face="Comic Sans MS">Status</font></b>
          HTTP: Line  2:      <font color="#ff0033" face="Comic Sans MS"><b>: </b></fo
          HTTP:           nt><font color="black" face="Comic Sans MS">407 Proxy Authen
          HTTP:           tication Required </font>
          HTTP: Line  3:      </p>
          HTTP: Line  4:      <p align="left">
          HTTP: Line  5:      <font color="black" face="Comic Sans MS"><b>Description<
          HTTP:           /b></font><0909>
          HTTP: Line  6:      <font color="#ff0033" face="Comic Sans MS"><b>: </b></fo
          HTTP:           nt><font color="black" face="Comic Sans MS">Access to this p
          HTTP:           age is restricted because of access control policies.</font>
          HTTP:           
          HTTP: Line  7:      </p>
          HTTP: Line  8:      <br>
          HTTP: Line  9:      <br>
          HTTP: Line 10:      </font></td>
          HTTP: Line 11:    </tr>
          HTTP: Line 12:    <tr>
          HTTP: Line 13:      <td width="444" height="10" align="center"><img height="
          HTTP:           8" width="445" src="ICHAINErrors/alertbar.gif"></td>
          HTTP: Line 14:    </tr>
          HTTP: Line 15:  </table>
          HTTP: Line 16:  </center></div>
          HTTP: Line 17:  </body>
          HTTP: Line 18:  </html>
          HTTP:  


  13. The ICA client retransmits the CONNECT request to the MetaFrame accelerator on iChain, but this time includes the One Time Password (OTP) that iChain sent back in the modified ICA file. This password, or secret, is valid for 60 seconds by default and is sent in the Proxy-Authorization header.
    - - - - - - - - - - - - - - - - - - - - Frame 13 - - - - - - - - - - - - - - - - - - - -
    "Flags ","Frame ","Delta Time   ","Destination       ","Source            ","Bytes","Protocol  ","Summary"
    "      ","    13","0.008.158    ","[147.2.16.113]  ","[147.2.16.199]  ","  274 ","HTTP"," C Port=1846 CONNECT 147.2.16.113:1494 HTTP/1.0"
    DLC: Ethertype=0800, size=274 bytes
    IP:  D=[147.2.16.113] S=[147.2.16.199] LEN=240 ID=60825
    TCP: D=80 S=1846     ACK=4273213228 SEQ=1605326461 LEN=220 WIN=64512
    HTTP: ----- Hypertext Transfer Protocol -----
          HTTP: 
          HTTP: Line  1:  CONNECT 147.2.16.113:1494 HTTP/1.0
          HTTP: Line  2:  Host: 147.2.16.113:1494
          HTTP: Line  3:  Accept:*/*
          HTTP: Line  4:  Connection: Keep-Alive
          HTTP: Line  5:  Proxy-Authorization: Basic NTQ4N2UzZGVlY2U2ZTQ2YmZlMzljODJkO
          HTTP:           jE1MGM0MGNlNWVmYmMzYjVkNTYyZTcwMzc3YzM4YWQ1MDBhYTk5MjI=
          HTTP: Line  6:  
          HTTP: 


  14. After validating the CONNECT credentials in the previous frame, the iChain proxy must establish the tunnel to the back end MetaFrame server on TCP port 1494. This involves first establishing the TCP connection with the standard TCP three way handshake. Frame 14 is the first part of that handshake, i.e. the TCP SYN request.
    - - - - - - - - - - - - - - - - - - - - Frame 14 - - - - - - - - - - - - - - - - - - - -
    "Flags ","Frame ","Delta Time   ","Destination       ","Source            ","Bytes","Protocol  ","Summary"
    "      ","    14","0.001.142    ","[151.155.164.200] ","[147.2.16.112]  ","   62 ","TCP"," D=1494 S=2426 SYN SEQ=3806428749 LEN=0 WIN=6144"
    DLC: Ethertype=0800, size=62 bytes
    IP:  D=[151.155.164.200] S=[147.2.16.112] LEN=28 ID=64340
    TCP: D=1494 S=2426 SYN SEQ=3806428749 LEN=0 WIN=6144


  15. The back end MetaFrame server responds to the SYN request from iChain with an ACK and a SYN request of its own. This is the second part of the three way handshake to establish the TCP connection to port 1494 on the back end MetaFrame server.
    - - - - - - - - - - - - - - - - - - - - Frame 15 - - - - - - - - - - - - - - - - - - - -
    "Flags ","Frame ","Delta Time   ","Destination       ","Source            ","Bytes","Protocol  ","Summary"
    "      ","    15","0.001.087    ","[147.2.16.112]  ","[151.155.164.200] ","   62 ","TCP"," D=2426 S=1494 SYN ACK=3806428750 SEQ=485247106 LEN=0 WIN=64512"
    DLC: Ethertype=0800, size=62 bytes
    IP:  D=[147.2.16.112] S=[151.155.164.200] LEN=28 ID=45262
    TCP: D=2426 S=1494 SYN ACK=3806428750 SEQ=485247106 LEN=0 WIN=64512


  16. The iChain proxy server finishes off the three way TCP handshake with the back end MetaFrame server.
    - - - - - - - - - - - - - - - - - - - - Frame 16 - - - - - - - - - - - - - - - - - - - -
    "Flags ","Frame ","Delta Time   ","Destination       ","Source            ","Bytes","Protocol  ","Summary"
    "      ","    16","0.000.196    ","[151.155.164.200] ","[147.2.16.112]  ","   60 ","TCP"," D=1494 S=2426     ACK=485247107 WIN=6144"
    DLC: Ethertype=0800, size=60 bytes
    IP:  D=[151.155.164.200] S=[147.2.16.112] LEN=20 ID=64852
    TCP: D=1494 S=2426     ACK=485247107 WIN=6144


  17. Once we know that the back end MetaFrame server is willing to open the tunneled connection to TCP 1494 with iChain, the iChain metaframe accelerator sends a success response to the ICA client indicating that the tunnel has been established. This tells the client that the ICA data it starts transmitting will be tunneled through the iChain metaframe accelerator to the back end MetaFrame server.
    - - - - - - - - - - - - - - - - - - - - Frame 17 - - - - - - - - - - - - - - - - - - - -
    "Flags ","Frame ","Delta Time   ","Destination       ","Source            ","Bytes","Protocol  ","Summary"
    "      ","    17","0.000.161    ","[147.2.16.199]  ","[147.2.16.113]  ","   93 ","HTTP"," R Port=1846 HTML Data"
    DLC: Ethertype=0800, size=93 bytes
    IP:  D=[147.2.16.199] S=[147.2.16.113] LEN=59 ID=64596
    TCP: D=1846 S=80     ACK=1605326681 SEQ=4273213228 LEN=39 WIN=5924
    HTTP: ----- Hypertext Transfer Protocol -----
          HTTP: 
          HTTP: Line  1:  HTTP/1.0 200 Connection established
          HTTP: Line  2:  
          HTTP:  


  18. The ICA client ACKs the 'connection established' response from the previous frame. This is TCP doing its job and an indication that the ICA client received the response.
    - - - - - - - - - - - - - - - - - - - - Frame 18 - - - - - - - - - - - - - - - - - - - -
    "Flags ","Frame ","Delta Time   ","Destination       ","Source            ","Bytes","Protocol  ","Summary"
    "      ","    18","0.166.327    ","[147.2.16.113]  ","[147.2.16.199]  ","   60 ","TCP"," D=80 S=1846     ACK=4273213267 WIN=64473"
    DLC: Ethertype=0800, size=60 bytes
    IP:  D=[147.2.16.113] S=[147.2.16.199] LEN=20 ID=60826
    TCP: D=80 S=1846     ACK=4273213267 WIN=64473


  19. The ICA client starts transmitting the ICA data to the back end MetaFrame server. The iChain MetaFrame accelerator will take this incoming data and simply tunnel it to the back end without doing any additional processing.
    - - - - - - - - - - - - - - - - - - - - Frame 19 - - - - - - - - - - - - - - - - - - - -
    "Flags ","Frame ","Delta Time   ","Destination       ","Source            ","Bytes","Protocol  ","Summary"
    "      ","    19","0.000.177    ","[147.2.16.199]  ","[147.2.16.113]  ","   60 ","HTTP"," R Port=1846 Graphics Data"
    DLC: Ethertype=0800, size=60 bytes
    IP:  D=[147.2.16.199] S=[147.2.16.113] LEN=26 ID=597
    TCP: D=1846 S=80     ACK=1605326681 SEQ=4273213267 LEN=6 WIN=5924
    HTTP: ----- Hypertext Transfer Protocol -----
          HTTP: 
          HTTP: [6 bytes of Graphics Data]
          HTTP: 
     


  20. All subsequent data will flow in the same manner, tunneled through iChain's metaframe accelerator to the back end.

Troubleshooting Tools

  1. Proxy Console -> Display Services screen: This screen shows which URLs, IP addresses and TCP ports will be rewritten for all accelerators on the iChain server. Both the Nfuse and MetaFrame accelerators should be checked to make sure that all references to 'internal' hostnames or IP addresses are rewritten correctly.


  2. SSO.NLM Debug Screen or Logger screen: When running the SSO.NLM with the /d /l options, some very useful debug information is written to both the SSO and Logger screens. Analysing these screens will confirm that the various formfill URLs have been hit, will give details on what the formfill module has rewritten (ICA file contents), and will show any errors that may have been returned.



  3. Viewing the saved ICA file: Once the list of available applications is displayed on the ICA client, one can right click a specific application and select the 'save target file' option to view the ICA file rewritten by iChain. The [WFClient] and [] sections must be analysed to make sure that the correct information has been included, e.g. ProxyUsername, ProxyPassword, and the correct MetaFrame accelerator IP address.



  4. LAN Traces: The LAN trace is useful to confirm that communication has been successful with iChain and the back end Citrix servers (Nfuse and MetaFrame). For reference purposes, the appendix section of this document includes a detailed description, frame by frame, of the communication that takes place when an ICA client tries to access a Citrix application. The key interfaces to check out are:

    1. iChain to LDAP if SSO to Citrix server


    2. iChain to browser communication

      1. Verify rewrite of ICA page
      2. Verify the CONNECT sent to Metaframe Proxy
      3. Verify the 407 Proxy Authentication required sent back
      4. Realm is "iChain-ICA"
      5. Verify Connection established

    3. iChain to Web server
      1. Application info sent back correctly
      2. Cookies exist
      3. No Errors from back end servers
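
The checks from items 3 and 4 above (the saved ICA file, and the CONNECT credentials seen in a LAN trace), as an added example that is not part of the original appnote or of iChain. The rewritten ICA text and the Proxy-Authorization value are taken from Frames 8 and 13 of the trace in this document; the unrewritten file is constructed, and the function names are hypothetical helpers.

```python
import base64
import configparser

# Rewritten ICA file returned by iChain in Frame 8 of the trace (excerpt).
REWRITTEN_ICA = """\
[WFClient]
ProxyHost=mframe.novell.com:80
ProxyType=Secure
ProxyUsername=5487e3deece6e46bfe39c82d
ProxyPassword=150c40ce5efbc3b5d562e70377c38ad500aa9922
Version=2
RemoveICAFile=yes

[ApplicationServers]
Wordpad=

[Wordpad]
Address=mframe.novell.com:1494
InitialProgram=#Wordpad
TransportDriver=TCP/IP
"""

# Constructed counter-example: an ICA file that formfill never touched, so it
# has no proxy entries and still carries the private MetaFrame address.
UNREWRITTEN_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Wordpad=

[Wordpad]
Address=151.155.164.200:1494
InitialProgram=#Wordpad
"""

# Proxy-Authorization value from Frame 13, with the trace's line wrap removed.
FRAME13_PROXY_AUTH = ("Basic NTQ4N2UzZGVlY2U2ZTQ2YmZlMzljODJkO"
                      "jE1MGM0MGNlNWVmYmMzYjVkNTYyZTcwMzc3YzM4YWQ1MDBhYTk5MjI=")


def parse_ica(text):
    """Parse ICA (INI-style) text, keeping key case and tolerating duplicates."""
    ica = configparser.ConfigParser(interpolation=None, strict=False,
                                    allow_no_value=True, delimiters=("=",))
    ica.optionxform = str  # keep keys such as ProxyHost in their original case
    ica.read_string(text)
    return ica


def check_ica(text, public_host, private_addrs):
    """Return a list of problems in a saved ICA file; an empty list means OK."""
    ica = parse_ica(text)
    if not ica.has_section("WFClient"):
        return ["no [WFClient] section"]
    problems = []
    wf = ica["WFClient"]
    for key in ("ProxyHost", "ProxyType", "ProxyUsername", "ProxyPassword"):
        if not wf.get(key):
            problems.append(f"[WFClient] {key} missing (file not rewritten)")
    proxy_type = wf.get("ProxyType")
    if proxy_type and proxy_type.lower() != "secure":
        problems.append(f"[WFClient] ProxyType is {proxy_type!r}, expected Secure")
    proxy_host = (wf.get("ProxyHost") or "").partition(":")[0]
    if proxy_host and proxy_host.lower() != public_host.lower():
        problems.append(f"[WFClient] ProxyHost is {proxy_host}, not {public_host}")
    apps = ica["ApplicationServers"] if ica.has_section("ApplicationServers") else {}
    for app in apps:
        if not ica.has_section(app):
            problems.append(f"[{app}] section missing")
            continue
        host = (ica[app].get("Address") or "").partition(":")[0]
        if host in private_addrs:
            problems.append(f"[{app}] Address still private: {host}")
        elif host.lower() != public_host.lower():
            problems.append(f"[{app}] Address is {host!r}, not {public_host}")
    return problems


def decode_proxy_basic(header_value):
    """Split a 'Basic <base64>' Proxy-Authorization value into (user, secret)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(b64.strip(), validate=True).decode("ascii")
    user, sep, secret = decoded.partition(":")
    if not sep:
        raise ValueError("no ':' separator in decoded credential")
    return user, secret


def connect_matches_ica(text, header_value):
    """True if the CONNECT credential equals the ICA file's proxy entries."""
    wf = parse_ica(text)["WFClient"]
    return decode_proxy_basic(header_value) == (
        wf.get("ProxyUsername"), wf.get("ProxyPassword"))


if __name__ == "__main__":
    private = {"151.155.164.200"}  # icaMetaPrivateAddress from the formfill policy
    print(check_ica(REWRITTEN_ICA, "mframe.novell.com", private))
    print(check_ica(UNREWRITTEN_ICA, "mframe.novell.com", private))
    print(connect_matches_ica(REWRITTEN_ICA, FRAME13_PROXY_AUTH))
```

Because the secret is valid for 60 seconds by default, a match only confirms that the client presented what iChain issued; it does not mean the saved file can still be used to connect.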


    Troubleshooting Tips


    1. Single Sign On to Nfuse login page fails:

      This is most likely an issue with your formfill page and general formfill troubleshooting steps apply. To get more details about the login page and the form attributes required to authenticate, you can use the BuildFormFillScript.jsp utility available at
      http://www.novell.com/coolsolutions/icmag/features/tips/t_ichain_form_fill_script_generator_ic.html.

      Once you define the right form attributes required to login, you must make sure that the URL defined is actually hit by Formfill on iChain. You can use the SSO /d /l option and make sure that the URL is displayed on the debug output, to confirm that it is being processed.


    2. Make sure that the Nfuse server accelerator (or secure Web server storing the manually created ICA file) has authentication enabled.

      If no authentication is enabled for the Nfuse server, or Web server hosting the ICA file, then no secret can be sent back to the ICA client so that it can authenticate to the MetaFrame accelerator. For Formfill to operate successfully, it requires users to be authenticated to iChain.


    3. Make sure that the MetaFrame accelerator is set up in tunneled mode and that no authentication is required for this accelerator.

      To do this, make sure that the "set accelerator <metaframe_accel_name> tunnelauthforica=Yes" command has been executed.

      Failure to set this correctly will cause the CONNECT request from the ICA client to the MetaFrame accelerator to fail, and therefore no data will be exchanged with the back end MetaFrame server.


    4. Make sure that the ICA client is installed on the browser workstation

      The browser, when it detects that an ICA file is being sent back, will try and launch the ICA client plugin from within the browser. If there is no ICA client installed, it cannot do this and ICA communication will fail.

      Note: The Citrix java client relies on applet information being returned by the Citrix WebInterface server to establish a connection to the MetaFrame servers. The format of the data returned in this response is such that iChain cannot rewrite the required information (ProxyUsername, ProxyPassword, ProxyHost and ProxyType). For this reason, the iChain solution will not work with the Citrix java client.


    5. Check if the ICA browser client is connecting through a forward proxy

      The ICA client ignores browser proxy settings when going through iChain (due to the ProxyType=Secure ICA file entry) and therefore will try to contact the iChain metaframe accelerator IP address directly. If the ICA client is on a private network with no access to the iChain server IP addresses, the communication will fail.


    6. Make sure that the FormFill script uses the exact same syntax as the documentation

      The FormFill tags are case sensitive and failure to abide by the correct case may result in problems. An example of this is the tag. If you define the tag as (lower case F), the request to establish the tunnel with the Metaframe accelerator will fail with the I/O connection error.


    7. Confirm Load balanced MetaFrame servers in a farm are specified multiple times

      When load balancing multiple MetaFrame servers in a farm, the IP addresses of each server must be defined in both the Web server list for the metaframe accelerator and the section of the formfill page. Failure to do this will cause load balancing between Citrix servers to fail.


    8. Check if L4 switch front ending the Citrix accelerators

      If an L4 switch is front ending the Citrix metaframe accelerators, disable the 'keep-alive' option for the VIP TCP ports 80 and 443.

    Appendix with Formfill Script used in Trace Analysis Section

    FormFill Policy:

    <!-- start of secure tunnel to MetaFrame through NFuse -->
    <urlPolicy>
    <name>NFuseTest</name>
    <url>nfuse.novell.com/Citrix/NFuse17/launch.asp*</url>
    <actions>
     <icaFill>
          <icaOriginal> 
            [WFClient]
          </icaOriginal>
          <icaReplace>
            [WFClient]
            ProxyHost=mframe.novell.com:80
            ICHAIN-TOKEN
          </icaReplace>
          <icaMetaPrivateAddress>
              Address=151.155.164.200
          </icaMetaPrivateAddress>
          <icaMetaPublicAddress>
              Address=mframe.novell.com
          </icaMetaPublicAddress>
      </icaFill>
    </actions> 
    </urlPolicy>
    <!-- end of secure tunnel to MetaFrame through NFuse -->

    Output of load -d -l sso with successful access to metaframe application:

    Loading module SSO.NLM
      iChain Single Sign-On Formfill   [DEBUG BUILD]
      Version 2.10    March 14, 2004
      Copyright (C) 2001-2002 Novell, Inc. All Rights Reserved
      SSO.NLM will run on processor 0 only
      Uni-Processor NLM
    Module SSO.NLM load status OK
    4FILT01: This filter prints info from the request.
    Novell Audit Platform Agent: Failing primary connection for application iChain\.
    ssoread: Port No = 389
    ssoread: Servername=147.2.35.121
    ssoread: Username=cn=admin,o=novell
    ssoread: Password=secret
    ICA RWList 0A440344 for rule NFuseTest
    4FILT01: Rules(length = 1332) have been refreshed!
    4FILT01: Using SecretStore!
    4FILT01: Must use LDAP over SSL for Novell SecretStore Disabling SecretStore
    4FILT01: Ready for Request
    1AFILT01: main: This filter prints info from the server request.
    3bfilt06: In main()
    pMyState->url: nfuse.novell.com/Citrix/NFuse17/launch.asp?NFuse_Applicati
    on=Wordpad&NFuse_AppFriendlyNameURLEncoded=Wordpad
    ICA formfill
    Cannot match one-time token.
    pMyState->url: nfuse.novell.com/Citrix/NFuse17/launch.asp?NFuse_Applicati
    on=Wordpad&NFuse_AppFriendlyNameURLEncoded=Wordpad
    ICA formfill
    Cannot match one-time token.
    pMyState->url: nfuse.novell.com/Citrix/NFuse17/launch.asp?NFuse_UID=35536
    &NFuse_Application=Wordpad&NFuse_AppFriendlyNameURLEncoded=Wordpad&NFuse_MIMEExtension=.ica
    ICA formfill
    cookie = 173508c8c6e5b3e2a66a68a990ee9c548fa3d85b5461fc3f943dbce3ee5b8d55
    cookie = [WFClient]
    ProxyHost=mframe.novell.com:80
    ProxyType=Secure
    ProxyUsername=173508c8c6e5b3e2a66a68a9
    ProxyPassword=90ee9c548fa3d85b5461fc3f943dbce3ee5b8d55
    Before getReplacePair
    Replace token [WFClient] with [WFClient]
    ProxyHost=mframe.novell.com:80
    ProxyType=Secure
    ProxyUsername=173508c8c6e5b3e2a66a68a9
    ProxyPassword=90ee9c548fa3d85b5461fc3f943dbce3ee5b8d55
    Replace Address=151.155.164.200 with Address=mframe.novell.com
    *** ICA file =
    
    
    
    
    [Encoding]
    InputEncoding=ISO8859_1
    
    
    
    
    
    
    
    
    [WFClient]
    ProxyHost=mframe.novell.com:80
    ProxyType=Secure
    ProxyUsername=173508c8c6e5b3e2a66a68a9
    ProxyPassword=90ee9c548fa3d85b5461fc3f943dbce3ee5b8d55
    Version=2
    ClientName=ichai-administ-mxjln
    RemoveICAFile=yes
    
    
    [ApplicationServers]
    Wordpad=
    
    [Wordpad]
    Address=mframe.novell.com:1494
    InitialProgram=#Wordpad
    LongCommandLine=""
    DesiredColor=2
    TransportDriver=TCP/IP
    WinStationDriver=ICA 3.0
    
    
    
    AutologonAllowed=ON
    Username=administrator
    Domain=\FE4D43842F2DC07C
    ClearPassword=0DE905D5448F5C
    
    
    ClientAudio=On
    
    DesiredHRES=640
    DesiredVRES=480
    TWIMode=On
    
    
    
    SessionsharingKey=2-basic-basic-ichainfarm-administrator-iChainFarm
    
    [EncRC5-0]
    DriverNameWin16=pdc0w.dll
    DriverNameWin32=pdc0n.dll
    
    [EncRC5-40]
    DriverNameWin16=pdc40w.dll
    DriverNameWin32=pdc40n.dll
    
    [EncRC5-56]
    DriverNameWin16=pdc56w.dll
    DriverNameWin32=pdc56n.dll
    
    [EncRC5-128]
    DriverNameWin16=pdc128w.dll
    DriverNameWin32=pdc128n.dll
    
    [Compress]
    DriverNameWin16=pdcompw.dll
    DriverNameWin32=pdcompn.dll
     ***

    Login page for Nfuse server (required for formfill SSO profile)

    <html>
    <head>
    <title>Citrix(R) NFuse(TM) Classic Login</title>
    <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
    <meta http-equiv="expires" content="0">
    <meta http-equiv="pragma" content="no-cache">
    <style type="text/css">
    <!--
    .loginEntries {  font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 8pt; color: #000000; width: 200px}
    A.appLinks
    {
        FONT-SIZE: 8pt;
        FONT-WEIGHT: bold;
        TEXT-DECORATION: none
        COLOR: #000000
        FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;
    }
    A.appLinks:hover
    {
        COLOR: #CCCCCC
    }
    -->
    </style>
    <script LANGUAGE="JavaScript">
    <!--
    function clearForm(loginForm) {
        loginForm.user.value = "";
        loginForm.password.value = "";
        loginForm.domain.value = "";
        setDefaultFocus();
    }
    
    function focus_UPD(loginForm) {
        if (loginForm.LoginType) {
            for (i = 0; i < loginForm.LoginType.length; i++) {
                if (loginForm.LoginType[i].value == "Explicit") {
                    loginForm.LoginType[i].checked = true;
                }
            }
        }
    }
    
    function setFocus(loginForm) {
        if (loginForm.LoginType) {
            if (loginForm.LoginType.value == "Explicit") {
                if (!loginForm.user.disabled) {
                    loginForm.user.focus();
                }
            } else {
                for (i = 0; i < loginForm.LoginType.length; i++) {
                    if (loginForm.LoginType[i].checked) {
                        if (loginForm.LoginType[i].value == "Explicit") {
                            loginForm.user.focus();
                        } else {
                            document.all.login.focus();
                        }
                    }
                }
            }
        }
    }
    
    function setDefaultFocus() {
        var form = document.forms[0];
        if (form) {
            setFocus(form);
        }
    }
    //-->
    </script>
    
    </head>
    <body bgcolor="#CCCCCC" LINK="#000000" VLINK="#000000" ALINK="#000000" onLoad="setDefaultFocus()">
    <div align="center">
      <table width="100%" height="100%" border="0" cellspacing="0" cellpadding="0">
        <tr align="center" valign="middle">
          <td>
    	<table border="1" cellspacing="0" cellpadding="20" bordercolor="#000000" bgcolor="#FFFFFF">
    	  <tr>
    	    <td>
    	      <table border="0" cellspacing="0" cellpadding="10">
    		<tr>
    		  <td valign="top">
    		    <table border="0" cellspacing="0" cellpadding="10" bgcolor="#CCCCCC">
    		      <tr align="left" valign="middle">
    			<td> <img src="media/nfusehead.gif" width="214" height="73">
    			</td>
    		      </tr>
    		      <tr>
    			<td valign="middle" align="center">
    			  <table border="1" cellspacing="0" cellpadding="0" bordercolor="#000000">
    			    <tr>
    			      <td>
    				<table border="0" cellspacing="0" cellpadding="0" WIDTH="100%">
    				  <tr>
    				    <td colspan="2" background="media/greygrad.gif" bgcolor="#CCCCCC">
    				      <a class="appLinks" HREF="NFuseHelp.htm#Login" target="_blank"><img 
    					  SRC="media/help.gif" BORDER="0" align="right" vspace="1" hspace="1" alt="Help" 
    					  title="Help"></a>
    				      <img src="media/logintxt.gif" width="75" height="25" vspace="3" hspace="3">
    					  </td>
    				    </tr>
    				    <tr>
    				      <td>
    					<table width="286" border="0" cellspacing="0" cellpadding="3" bgcolor="#6699CC">
    					  <form method="POST" action="login.asp" name="NFuseForm">
    					  
    					  <input TYPE="HIDDEN" name="LoginType" value="Explicit">
    					     
    					  <tr>
    					    <td> </td>
    					    <td><img src="media/reddot.gif" width="10" height="10" vspace="3" hspace="3" alt="o" name="redDot"></td>
    					    <td><font face="Verdana, Arial, Helvetica, sans-serif" size="1"><b>Username</b></font></td>
    					  </tr>
    					  <tr>
    					    <td colspan="2"> </td>
    					    <td>
    					      <input type="text" name="user" class="loginEntries" onFocus="focus_UPD(this.form);" MAXLENGTH="256" >
    					    </td>
    					  </tr>
    					  <tr>
    					    <td> </td>
    					    <td><img src="media/reddot.gif" width="10" height="10" vspace="3" hspace="3" alt="o" name="redDot"></td>
    					    <td><font face="Verdana, Arial, Helvetica, sans-serif" size="1"><b>Password</b></font></td>
    					  </tr>
    					  <tr>
    					    <td colspan="2"> </td>
    					    <td>
    					      <input type="password" name="password" class="loginEntries" onFocus="focus_UPD(this.form);" MAXLENGTH="254" >
    					    </td>
    					  </tr>
    
    					  <tr>
    					    <td> </td>
    					    <td><img src="media/reddot.gif" width="10" height="10" vspace="3" hspace="3" alt="o" name="redDot"></td>
    					    <td><font face="Verdana, Arial, Helvetica, sans-serif" size="1"><b>Domain</b></font></td>
    					  </tr>
    					  <tr>
    					    <td colspan="2"> </td>
    					    <td>
    					      <input type="text" name="domain" class="loginEntries" onFocus="focus_UPD(this.form);" MAXLENGTH="256" >
    					    </td>
    					  </tr>
    
    					  <tr align="right" valign="middle">
    					    <td colspan="3">
    					      <input type="image"
    					      id="login"
    					      src="media/loginbtn.gif"
    					      width="80" height="20" alt="Log In" title="Log In" name="Log In" border="0" >
    					    </td>
    					  </tr>
    					  </form>
    					</table>
    				      </td>
    				    </tr>
    				  </table>
    				</td>
    			      </tr>
    			    </table>
    			  </td>
    			</tr>
    		      </table>
    		    </td>
    		    <td valign="top">
    		      <table>
    			<tr>
    			  <td>
    			    <table border="0" cellspacing="0" cellpadding="10" width="100%">
    			      <tr align="left" valign="middle" bgcolor="#6699CC">
    				<td> <font face="Verdana, Arial, Helvetica, sans-serif" size="3" color="#FFFFFF">
    				<b>Welcome to Citrix<font size='1'><sup>®</sup></font> 
    				MetaFrame<sup><font size='1'>™</font></sup></b></font>
    				</td>
    			      </tr>
    			      <tr align="left" valign="top">
    				<td>
    				  <p><font face="Verdana, Arial, Helvetica, sans-serif" size="4"><b><font size="3">Please log in
    				  </font></b></font></p>
    				  <ul>
    				    <li><font face="Verdana, Arial, Helvetica, sans-serif" size="2">To log in to the
    					 application portal, type your user name, password, and domain name in the boxes at left.
    				    <p></p>
    				    <li>Click the Log In button to log in.
    				  </ul>
    				  <p>If you do not know your login information, please contact your help desk or system administrator.</font></p>
    				</td>
    			      </tr>
    			    </table>
    			  </td>
    			</tr>
    			<tr>
    			  
    			  <td valign="top">
    			    <table border="0" cellspacing="0" cellpadding="10" width="100%">
    			      <tr align="left" valign="middle" bgcolor="#6699CC">
    				<td> <font face="Verdana, Arial, Helvetica, sans-serif" size="3" color="#FFFFFF">
    				  <b>
    				  Citrix<font size='1'><sup>®</sup></font> NFuse<sup><font size='1'>™</font></sup><i>Classic</i> Message Center
    				  </b>
    				  </font>
    				</td>
    			      </tr>
    			      <tr>
    				<td>
    				  <table border="0">
    				    <tr>
    				      <td>
    					<font face="Verdana, Arial, Helvetica, sans-serif" size="2">
    					The NFuse Classic Message Center displays any informational or error messages that may occur.
    					</font>
    					<p></p>
    					
    				      </td>
    				    </tr>
    				    <tr>
    				      <td>
    
    <script language="vbscript" type="text/vbscript">
    <!--
    
    function hasIcaObjVal()
        dim obj
        Err.Clear
        On Error Resume Next
        hasIcaObjVal = 0
        set obj = CreateObject("Citrix.ICAClient")
        if (Err.number = 0) then
            hasIcaObjVal = 1
        else
            Err.Clear
            set obj = CreateObject("Wfica.WficaCtl.6")
            if (Err.number = 0) then
                hasIcaObjVal = 1
            else
                Err.Clear
                hasIcaObjVal = 0
            end if
        end if
        set obj = Nothing
    end function
    
    select case hasIcaObjVal()
        case 1
        case else
    
            popupContent = "<p><IMG SRC='media/info.gif' border='0'><font face='Verdana, Arial, Helvetica, sans-serif' size='2'>You do not have the Citrix ICA Client (ActiveX) for 32-bit Windows installed on your system. You must install the ICA Client to launch the applications.<p>Select the icon below to install the ICA Client."
            popupContent = popupContent & "<p><a href='/Citrix/ICAWEB/en/ica32/ica32t.exe'><IMG SRC='media/ica.jpg' alt='Citrix ICA Web Client for 32-bit Windows' border='0'></a> <a href='/Citrix/ICAWEB/en/ica32/ica32t.exe'>Citrix ICA Web Client for 32-bit Windows</a></font>"
            document.write(popupContent)
    
    end select
    
    //-->
    </script>
    
    				      </td>
    				    </tr>
    				  </table>
    				  <br clear="all"><img src="media/citrix.gif" width="130" height="56" align="right">
    				</td>
    			      </tr>
    			    </table>
    			  </td>
    			</tr>
    		      </table>
    		    </td>
    		  </tr>
    		</table>
    	      </td>
    	    </tr>
    	  </table>
    	</td>
          </tr>
        </table>
    </div>
    </body>
    </html>
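
The login parameters that have to be identified before configuring iChain can be read out of a page source like the one listed above. The following Python script is an added example, not part of the original AppNote or of any Novell or Citrix tooling: it lists the parameter names a browser posts for each form, including the `.x`/`.y` pair that an image button such as `Log In` sends. The `<form>` attributes in the sample are placeholders; the three `<input>` tags are copied from the listing.

```python
from html.parser import HTMLParser

# Constructed sample: the three <input> tags are copied from the listing above;
# the <form> attributes are placeholders, not values taken from the real page.
SAMPLE = """
<form action="PLACEHOLDER-ACTION" method="POST"><table>
<tr><td><input type="password" name="password" class="loginEntries" onFocus="focus_UPD(this.form);" MAXLENGTH="254" ></td></tr>
<tr><td><input type="text" name="domain" class="loginEntries" onFocus="focus_UPD(this.form);" MAXLENGTH="256" ></td></tr>
<tr><td><input type="image" id="login" src="media/loginbtn.gif" alt="Log In" name="Log In" border="0" ></td></tr>
</form></table>
"""

class FormCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None  # form currently being read, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases attribute names (MAXLENGTH -> maxlength)
        if tag == "form":
            self._open = {"action": a.get("action"),
                          "method": (a.get("method") or "get").lower(), "fields": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["fields"].append({"name": a.get("name"),
                                         "type": (a.get("type") or "text").lower(),
                                         "maxlength": a.get("maxlength")})

    def handle_endtag(self, tag):
        if tag == "form":  # works even though </form> is mis-nested inside <table>
            self._open = None

def parse_forms(html):
    collector = FormCollector()
    collector.feed(html)
    return collector.forms

def posted_names(form):
    """Parameter names sent when the form is submitted with its image button."""
    names = []
    for field in form["fields"]:
        if not field["name"]:
            continue  # controls without a name are never submitted
        if field["type"] == "image":  # image buttons post click coordinates
            names += [field["name"] + ".x", field["name"] + ".y"]
        else:
            names.append(field["name"])
    return names

if __name__ == "__main__":
    for form in parse_forms(SAMPLE):
        print(form["method"], form["action"], posted_names(form))
```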

