If the OnDemand Services Web server and Novell DeFrame™ terminal servers use private (internal) addresses, you need to make sure that your firewall's public (external) addresses map to these private addresses.
The best way to ensure that users are directed to the correct private address from a public address is to use one-to-one mappings to map one public address to one private address. If you want to use one-to-many mappings to map one public address to many private addresses, please be aware of the following:
Application Availability: When you map one public address to multiple terminal server private addresses, make sure that each terminal server contains the same set of applications so that the public address will always resolve to a terminal server that contains the requested application.
To illustrate why this is important, consider the following simplified scenario: An application is hosted on one terminal server only. When a user launches the application, the user's RDP or ICA client uses the public address assigned to the application's terminal server. The public address also maps to other terminal servers that aren't hosting the application. The firewall, using its round-robin or other preconfigured method for resolving public addresses, routes the user to one of the terminal servers that doesn't have the application. The application fails to launch.
To avoid this problem, you can host all applications on all terminal servers. Or, if you haven't already done so, you can divide your terminal servers into farms and make sure each server in a farm hosts the same applications and resolves to the same public address.
Load Balancing Services: Because a firewall's proxy server uses its own preconfigured method to resolve to its private addresses, if you use one-to-many mappings, DeFrame Load Balancing Services will not ultimately determine which terminal server will be used to run an application. Load Balancing Services will still determine which terminal server is an application's preferred server, and the preferred server's public address will be used. However, there is no guarantee that the proxy server will resolve the public address back to the preferred server.
Disconnected Session Tracking Service: If you use one-to-many mappings, when a user disconnects from a session, there is no guarantee (for the same reason mentioned above) that the same terminal server will be used when he or she reconnects. If the user is connected to another terminal server, a new session is opened. If the user happens to be reconnected to the original terminal server and the user's disconnected session has not been reset or timed out, the same session will be used to avoid creating another session. You can resolve the problem of disconnected sessions accumulating on a terminal server by disallowing disconnected sessions.
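
The Application Availability requirement above can be checked before a one-to-many mapping goes live. The following is an added example, not part of the original documentation or of any Novell tool: it compares a firewall mapping table against a per-server application inventory and reports every public address whose terminal servers do not all host the same applications. The data layout, addresses, application names and the `audit_mappings` function are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (public address, private address) pairs as they
# might be exported from a firewall, using documentation/private ranges.
NAT_MAPPINGS = [
    ("203.0.113.10", "10.0.1.11"),
    ("203.0.113.10", "10.0.1.12"),
    ("203.0.113.20", "10.0.2.21"),
    ("203.0.113.20", "10.0.2.22"),
    ("203.0.113.30", "10.0.3.31"),
]

# Constructed inventory: applications hosted on each terminal server.
SERVER_APPS = {
    "10.0.1.11": {"mail", "office"},
    "10.0.1.12": {"mail", "office"},
    "10.0.2.21": {"mail", "payroll"},
    "10.0.2.22": {"mail"},
    "10.0.3.31": {"payroll"},
}


def audit_mappings(nat_mappings, server_apps):
    """Return {public: {private: [missing apps]}} for each one-to-many
    mapping whose terminal servers do not host identical application sets."""
    by_public = defaultdict(set)
    for public, private in nat_mappings:
        by_public[public].add(private)

    findings = {}
    for public, privates in by_public.items():
        if len(privates) < 2:
            continue  # one-to-one mapping: the address resolves to one server
        # A server absent from the inventory is treated as hosting nothing,
        # so it is reported rather than silently skipped.
        hosted = {p: server_apps.get(p, set()) for p in privates}
        expected = set().union(*hosted.values())
        gaps = {p: sorted(expected - apps)
                for p, apps in hosted.items() if expected - apps}
        if gaps:
            findings[public] = gaps
    return findings


if __name__ == "__main__":
    for public, gaps in audit_mappings(NAT_MAPPINGS, SERVER_APPS).items():
        for private, missing in sorted(gaps.items()):
            print(f"{public} -> {private} is missing: {', '.join(missing)}")
```

Each reported server is one the firewall could select for a launch request it cannot satisfy; either install the missing applications there or move the server to a farm with its own public address.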