Citrix over Firewall-1 4.0 (on Nokia 330)

Posted on 2001-06-05
Last Modified: 2013-11-16
Has anyone set this up?
I am intending to do the following and what to know if its right....

Setup services:
ICA_TCP   = TCP 1494
ICA_UDP   = UDP 1604
ICA_RANGE = Range 1023-65535

Then add the following rules:
Citrix-EXT --> Citrix-INT = Allow ICA_TCP, ICA_UDP
Citrix-INT --> Citrix-EXT = Allow ICA_UDP, ICA_RANGE

This seems to make sense from the citrix docs:
The following is a list of TCP/IP and UDP ports that must be open on firewalls and routers for ICA packets to pass through:

TCP/IP port 1494 (inbound)
UDP port 1604 (inbound and outbound)
Outbound (from the server to the client) ports 1023 and above (a maximum of 65535) for TCP/IP.

Question by:Wandering_Wizard
LVL 12

Expert Comment

ID: 6158177
To make Citrix/metaframe work through a Firewall with NAT enabled, you may run into a problem.  On the citrix box (metaframe server) you may have to run the following administrative command:

     altaddr /set

This may solve a "can't connect" error message on an inbound TCP (port 1494) call from an ICA client to a metaframe server.  In the example above the real (private) IP address of the metaframe box is  The IP number is the virtual (registered/routeable) IP address.  So change these IP numbers to the appropriate ones used on your citrix box.
Also, check to make sure the IP routes are setup properly on the metraframe box to route through the firewall.  

On the Citrix client, you need to activate the "Access Metaframe through Firewall" option.

If you are using the web server front-end to Citrix, then add the following line to the appropriate ICA file on the web server:

Citrix Master Browser Broadcast Question:

Can the Citrix UDP port 1604 be successfully firewalled/ NAT'ed?


You can't really use citrix udp port 1604 through a router or firewall.

The UDP port 1604 is used by a citrix client to find an ICA server via a LAN broadcast.  When the client first starts up, it sends an IP broadcast message to port 1604 via UDP/IP.  All citrix boxes that see this broadcast respond.  They also send to the ICA client the list of "Published Applications".

When an ICA client comes from a different IP subnet, a broadcast packet won't reach the ICA servers (unless the router[s] between them do something like forward broadcasts).  When you come through a firewall with NAT, the situation gets worse because of the IP addresses being changed.  To work around this, you need to modify the ICA client:

1) In the ICA client "Remote Application Manager" pull down the menu "Options" and select the "Settings" menu item;
2) In the "Server Location" tab select the "TCP/IP" Network Protocol;
3) By default you should see "(Auto-Locate)" in the Address List.  You can't use this since broadcast packets won't go anywhere across the Internet.  You need to "Add..." the citrix server name[s] or IP addresses in this list.
4) Checkmark the "Use alternate address for firewall connection" if you have NAT enabled on the Firewall between the ICA client and the ICA server.

This should allow the ICA client to see the "Published Applications" and get to the various ICA servers.


Accepted Solution

dimman earned 100 total points
ID: 6188361
Just a comment..
First of all you are opening upp to mutch..
Second of all.. are you going to download the clients over the connection or not? Web client? You might have to open upp for the Active X compenent, if you are going to do a remote download. Usually this should not be a problem for Checkpoint FW-1

Third) Most of the problems Housenet described above is if you are using a PROXY and especiallt Microsoft Proxy2. It depends how the proxy handles information which is  different that firewalls (NAT or NOT NAT).

Fourth) The new ICA (6.01 something)client allows you to brows for published applications using HTTP.

You should be fine with just TCP 1494. Se if Checkpoing already have a rule for this.. maybee called ICA ???
LVL 23

Expert Comment

by:Tim Holman
ID: 6190012
Make sure both of these ports apply to Citrix users only.
You don't want just anybody to be able to access these ports.
1604 will tell an intruder about your Citrix infrastructure.
If running Citrix over the Internet, best tunnel it through a VPN or use Secure ICA (I think that's what Citrix call their encrypted protocol?).

Author Comment

ID: 6217974
Thanks for the suggestion of just using 1494 its working fine.

Checkpoint didn't have a rule for this so i just entered it

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On Beyond Tools A conversation I recently had with the DevOps manager of a major online retailer really made me think about DevOps monitoring tools ( The manager and I discussed how sever…
February 24, 2017 — On February 23, Travis Ormandy, a vulnerability researcher at Google, reported on Twitter ( that massive stores of data have been leaked by CloudFlare, a company that provide…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question