Citrix over Firewall-1 4.0 (on Nokia 330)

Posted on 2001-06-05
Medium Priority
Last Modified: 2013-11-16
Has anyone set this up?
I am intending to do the following and want to know if it's right...

Setup services:
ICA_TCP   = TCP 1494
ICA_UDP   = UDP 1604
ICA_RANGE = Range 1023-65535

Then add the following rules:
Citrix-EXT --> Citrix-INT = Allow ICA_TCP, ICA_UDP
Citrix-INT --> Citrix-EXT = Allow ICA_UDP, ICA_RANGE

This seems to make sense from the citrix docs:
The following is a list of TCP/IP and UDP ports that must be open on firewalls and routers for ICA packets to pass through:

TCP/IP port 1494 (inbound)
UDP port 1604 (inbound and outbound)
Outbound (from the server to the client) ports 1023 and above (a maximum of 65535) for TCP/IP.

Question by:Wandering_Wizard
LVL 12

Expert Comment

ID: 6158177
To make Citrix/metaframe work through a Firewall with NAT enabled, you may run into a problem.  On the citrix box (metaframe server) you may have to run the following administrative command:

     altaddr /set

This may solve a "can't connect" error message on an inbound TCP (port 1494) call from an ICA client to a metaframe server.  In the example above the real (private) IP address of the metaframe box is  The IP number is the virtual (registered/routeable) IP address.  So change these IP numbers to the appropriate ones used on your citrix box.
Also, check to make sure the IP routes are set up properly on the metaframe box to route through the firewall.

On the Citrix client, you need to activate the "Access Metaframe through Firewall" option.

If you are using the web server front-end to Citrix, then add the following line to the appropriate ICA file on the web server:

Citrix Master Browser Broadcast Question:

Can the Citrix UDP port 1604 be successfully firewalled/ NAT'ed?


You can't really use citrix udp port 1604 through a router or firewall.

The UDP port 1604 is used by a citrix client to find an ICA server via a LAN broadcast.  When the client first starts up, it sends an IP broadcast message to port 1604 via UDP/IP.  All citrix boxes that see this broadcast respond.  They also send to the ICA client the list of "Published Applications".

When an ICA client comes from a different IP subnet, a broadcast packet won't reach the ICA servers (unless the router[s] between them do something like forward broadcasts).  When you come through a firewall with NAT, the situation gets worse because of the IP addresses being changed.  To work around this, you need to modify the ICA client:

1) In the ICA client "Remote Application Manager" pull down the menu "Options" and select the "Settings" menu item;
2) In the "Server Location" tab select the "TCP/IP" Network Protocol;
3) By default you should see "(Auto-Locate)" in the Address List.  You can't use this since broadcast packets won't go anywhere across the Internet.  You need to "Add..." the citrix server name[s] or IP addresses in this list.
4) Checkmark the "Use alternate address for firewall connection" if you have NAT enabled on the Firewall between the ICA client and the ICA server.

This should allow the ICA client to see the "Published Applications" and get to the various ICA servers.


Accepted Solution

dimman earned 300 total points
ID: 6188361
Just a comment..
First of all, you are opening up too much.
Second of all, are you going to download the clients over the connection or not? Web client? You might have to open up for the ActiveX component if you are going to do a remote download. Usually this should not be a problem for Checkpoint FW-1.

Third) Most of the problems Housenet described above are if you are using a PROXY, and especially Microsoft Proxy 2. It depends how the proxy handles information, which is different than firewalls (NAT or not NAT).

Fourth) The new ICA client (6.01 or so) allows you to browse for published applications using HTTP.

You should be fine with just TCP 1494. See if Checkpoint already has a rule for this, maybe called ICA?
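The two rulebases discussed in this thread side by side, as an added example that is not part of the original thread or of any Citrix or Check Point code: a small stateful packet-filter model in Python that evaluates the rules proposed in the question (ICA_TCP, ICA_UDP and the outbound ICA_RANGE 1023-65535) against the single "just TCP 1494" rule from the accepted answer. FW-1 is a stateful filter, so the reply packets of a connection it has already accepted pass from its state table and do not need a rule of their own; the model shows why the ICA_RANGE rule is "too much": it also lets the MetaFrame server open brand-new connections to any high port on the client side. The network objects, addresses and scenario packets below are constructed for illustration and are assumptions, not values from the thread.

```python
"""Stateful packet-filter model comparing two Citrix ICA rulebases.

Added example, not code from the original thread. Addresses and network
objects are constructed; FW-1 rule semantics are simplified to
"first matching rule wins, implicit drop at the end, stateful replies".
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str      # "tcp" or "udp"
    dports: range   # destination ports the rule allows


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


class StatefulFilter:
    """Accepts a packet if it belongs to a known flow or matches a rule."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()  # accepted flows as (proto, src, sport, dst, dport)

    def _matches(self, rule, pkt):
        return (rule.proto == pkt.proto
                and ipaddress.ip_address(pkt.src) in rule.src
                and ipaddress.ip_address(pkt.dst) in rule.dst
                and pkt.dport in rule.dports)

    def accept(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state or reverse in self.state:
            return True          # reply or continuation of an accepted flow
        if any(self._matches(r, pkt) for r in self.rules):
            self.state.add(key)  # new flow accepted by the rulebase
            return True
        return False             # implicit cleanup rule: drop


# Constructed network objects (assumptions, not from the thread)
CITRIX_EXT = ipaddress.ip_network("198.51.100.0/24")  # the ICA client subnet
CITRIX_INT = ipaddress.ip_network("10.0.0.5/32")       # the MetaFrame server

# Services as defined in the question
ICA_TCP = range(1494, 1495)
ICA_UDP = range(1604, 1605)
ICA_RANGE = range(1023, 65536)

# Rulebase proposed in the question
PROPOSED = [
    Rule(CITRIX_EXT, CITRIX_INT, "tcp", ICA_TCP),
    Rule(CITRIX_EXT, CITRIX_INT, "udp", ICA_UDP),
    Rule(CITRIX_INT, CITRIX_EXT, "udp", ICA_UDP),
    Rule(CITRIX_INT, CITRIX_EXT, "tcp", ICA_RANGE),
]

# Rulebase suggested in the accepted answer: inbound TCP 1494 only
TIGHT = [
    Rule(CITRIX_EXT, CITRIX_INT, "tcp", ICA_TCP),
]


def run_scenarios(rules):
    """Push five constructed packets through a fresh filter; return verdicts."""
    fw = StatefulFilter(rules)
    client, server, stranger = "198.51.100.7", "10.0.0.5", "192.0.2.9"
    return {
        # an ICA client opens a session to the server
        "client_to_ica": fw.accept(Packet(client, 40000, server, 1494, "tcp")),
        # the server's reply on the ephemeral client port (state, not a rule)
        "server_reply": fw.accept(Packet(server, 1494, client, 40000, "tcp")),
        # the server itself opens a NEW connection to a high port on the client
        "server_initiated": fw.accept(Packet(server, 50000, client, 4444, "tcp")),
        # a client tries a non-ICA service on the server
        "client_to_rdp": fw.accept(Packet(client, 40001, server, 3389, "tcp")),
        # a host outside Citrix-EXT tries ICA (Tim Holman's "Citrix users only")
        "stranger_to_ica": fw.accept(Packet(stranger, 40002, server, 1494, "tcp")),
    }


if __name__ == "__main__":
    for name, rules in (("proposed", PROPOSED), ("tight", TIGHT)):
        print(name, run_scenarios(rules))
```

With the proposed rulebase the `server_initiated` packet is accepted because TCP 4444 falls inside ICA_RANGE, so a compromised MetaFrame server could connect out to any high port on the client network; with the single TCP 1494 rule that packet is dropped, while the legitimate `server_reply` still passes because the filter remembers the client's accepted session.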
LVL 23

Expert Comment

by:Tim Holman
ID: 6190012
Make sure both of these ports apply to Citrix users only.
You don't want just anybody to be able to access these ports.
1604 will tell an intruder about your Citrix infrastructure.
If running Citrix over the Internet, best tunnel it through a VPN or use Secure ICA (I think that's what Citrix call their encrypted protocol?).

Author Comment

ID: 6217974
Thanks for the suggestion of just using 1494, it's working fine.

Checkpoint didn't have a rule for this so I just entered it.
