Solved

Citrix over Firewall-1 4.0 (on Nokia 330)

Posted on 2001-06-05
Last Modified: 2013-11-16
Has anyone set this up?
I am intending to do the following and want to know if it's right....

Setup services:
ICA_TCP   = TCP 1494
ICA_UDP   = UDP 1604
ICA_RANGE = Range 1023-65535

Then add the following rules:
Citrix-EXT --> Citrix-INT = Allow ICA_TCP, ICA_UDP
Citrix-INT --> Citrix-EXT = Allow ICA_UDP, ICA_RANGE

This seems to make sense from the citrix docs:
The following is a list of TCP/IP and UDP ports that must be open on firewalls and routers for ICA packets to pass through:

TCP/IP port 1494 (inbound)
UDP port 1604 (inbound and outbound)
Outbound (from the server to the client) ports 1023 and above (a maximum of 65535) for TCP/IP.



Thanks
Matt
Question by:Wandering_Wizard
4 Comments
 

Expert Comment

by:Housenet
ID: 6158177
To make Citrix/metaframe work through a Firewall with NAT enabled, you may run into a problem.  On the citrix box (metaframe server) you may have to run the following administrative command:

     altaddr /set 10.1.1.3 207.122.202.3

This may solve a "can't connect" error message on an inbound TCP (port 1494) call from an ICA client to a metaframe server.  In the example above the real (private) IP address of the metaframe box is 10.1.1.3.  The IP number 207.122.202.3 is the virtual (registered/routeable) IP address.  So change these IP numbers to the appropriate ones used on your citrix box.
 
Also, check to make sure the IP routes are set up properly on the MetaFrame box to route through the firewall.

On the Citrix client, you need to activate the "Access Metaframe through Firewall" option.

If you are using the web server front-end to Citrix, then add the following line to the appropriate ICA file on the web server:
UseAlternateAddress=1


Citrix Master Browser Broadcast Question:

Can the Citrix UDP port 1604 be successfully firewalled/ NAT'ed?

Answer:

You can't really use citrix udp port 1604 through a router or firewall.

The UDP port 1604 is used by a citrix client to find an ICA server via a LAN broadcast.  When the client first starts up, it sends an IP broadcast message to port 1604 via UDP/IP.  All citrix boxes that see this broadcast respond.  They also send to the ICA client the list of "Published Applications".

When an ICA client comes from a different IP subnet, a broadcast packet won't reach the ICA servers (unless the router[s] between them do something like forward broadcasts).  When you come through a firewall with NAT, the situation gets worse because of the IP addresses being changed.  To work around this, you need to modify the ICA client:

1) In the ICA client "Remote Application Manager" pull down the menu "Options" and select the "Settings" menu item;
2) In the "Server Location" tab select the "TCP/IP" Network Protocol;
3) By default you should see "(Auto-Locate)" in the Address List.  You can't use this since broadcast packets won't go anywhere across the Internet.  You need to "Add..." the citrix server name[s] or IP addresses in this list.
4) Checkmark the "Use alternate address for firewall connection" if you have NAT enabled on the Firewall between the ICA client and the ICA server.

This should allow the ICA client to see the "Published Applications" and get to the various ICA servers.



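The "can't connect" symptom Housenet describes comes down to the client being handed the server's private address from behind a NAT firewall. The following is an added example (not code from this thread or from Citrix) that parses an ICA file with the standard Address, InitialProgram and UseAlternateAddress keys, flags published apps whose Address is an RFC 1918 address with no UseAlternateAddress=1, and writes a corrected copy. The sample ICA file is constructed for illustration, and the private-address test is a heuristic; the server side still needs the altaddr /set step.

```python
"""Spot the NAT pitfall described above in an ICA file.

Added example, not code from this thread or from Citrix. Assumes an
INI-style .ICA file using the standard keys Address, InitialProgram and
UseAlternateAddress; SAMPLE_ICA below is constructed for illustration
and the "private Address + no UseAlternateAddress" test is a heuristic.
"""
import configparser
import io
import ipaddress

# Constructed sample: a published app whose Address is the server's
# private (pre-NAT) IP, handed to a client on the outside of the firewall.
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=10.1.1.3
InitialProgram=#Notepad
"""


def load_ica(text):
    """Parse ICA text; keys keep their case so the output matches the input."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def app_sections(cp):
    """Published-app sections are the keys listed under [ApplicationServers]."""
    if not cp.has_section("ApplicationServers"):
        return []
    return [app for app in cp["ApplicationServers"] if cp.has_section(app)]


def check_nat(ica_text, client_is_external=True):
    """Return one finding per app whose Address an external client cannot reach.

    An ICA client outside a NAT firewall that is told a private server address
    tries to connect to it directly on TCP 1494 and fails with "cannot
    connect"; UseAlternateAddress=1 makes it ask for the address configured
    with 'altaddr /set' on the server instead.
    """
    cp = load_ica(ica_text)
    findings = []
    for app in app_sections(cp):
        sec = cp[app]
        host = sec.get("Address", "").split(":")[0]
        use_alt = sec.get("UseAlternateAddress", "0").strip() == "1"
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None  # a hostname: resolved on the client, cannot judge here
        if client_is_external and ip is not None and ip.is_private and not use_alt:
            findings.append(
                f"{app}: Address={host} is private and UseAlternateAddress is "
                f"not set; external clients will fail on TCP 1494"
            )
    return findings


def fix_ica(ica_text):
    """Return ICA text with UseAlternateAddress=1 in every published-app section.

    This only fixes the client side; the server still needs 'altaddr /set
    <private> <public>' so the ICA browser has an alternate address to hand out.
    """
    cp = load_ica(ica_text)
    for app in app_sections(cp):
        cp[app]["UseAlternateAddress"] = "1"
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)
    return out.getvalue()


if __name__ == "__main__":
    for f in check_nat(SAMPLE_ICA):
        print("finding:", f)
    print(fix_ica(SAMPLE_ICA))
```

Run it against the ICA files your web front-end serves; anything it flags is a client that will be told to connect to an address the Internet cannot route to.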

Accepted Solution

by:dimman (earned 100 total points)
ID: 6188361
Hello..
Just a comment..
First of all you are opening up too much..
Second of all.. are you going to download the clients over the connection or not? Web client? You might have to open up for the ActiveX component, if you are going to do a remote download. Usually this should not be a problem for Checkpoint FW-1

Third) Most of the problems Housenet described above are if you are using a PROXY and especially Microsoft Proxy 2. It depends how the proxy handles information, which is different from firewalls (NAT or not NAT).

Fourth) The new ICA (6.01 something) client allows you to browse for published applications using HTTP.

You should be fine with just TCP 1494. See if Checkpoint already has a rule for this.. maybe called ICA ???

Expert Comment

by:Tim Holman
ID: 6190012
Make sure both of these ports apply to Citrix users only.
You don't want just anybody to be able to access these ports.
1604 will tell an intruder about your Citrix infrastructure.
If running Citrix over the Internet, best tunnel it through a VPN or use Secure ICA (I think that's what Citrix call their encrypted protocol?).
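To see why dimman's single TCP 1494 rule is enough and what the poster's extra rules actually permit, here is an added example (not code from this thread or from Check Point) that runs the two rulebases through a toy stateful packet filter. Like FW-1, it lets replies on an already-accepted session back through without a rule, and its TCP/UDP service objects match the destination port, so the ICA_RANGE rule (1023-65535 from Citrix-INT to Citrix-EXT) turns out to permit the server to open new connections outbound rather than being needed for ICA replies. The network objects, addresses and flows are constructed for illustration; the last two flows illustrate Tim Holman's point about who can reach UDP 1604.

```python
"""Why TCP 1494 alone is enough on a stateful firewall, and what the
extra rules buy an attacker.

Added example, not code from this thread or from Check Point. It models
the two rulebases discussed above (the poster's four rules vs. the single
TCP 1494 rule) against a toy stateful filter; the network objects,
addresses and flows are constructed for illustration.
"""
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport proto")
Rule = namedtuple("Rule", "src dst proto ports")

# Network objects. FW-1 TCP/UDP service objects match the *destination*
# port, so ICA_RANGE (1023-65535) lets Citrix-INT open new connections to
# any high port on Citrix-EXT; replies on an accepted session need no rule.
GROUPS = {
    "Citrix-EXT": {"203.0.113.10"},   # constructed: a Citrix user's address
    "Citrix-INT": {"10.1.1.3"},       # constructed: the MetaFrame server
    "Any": None,
}

PROPOSED = [
    Rule("Citrix-EXT", "Citrix-INT", "tcp", range(1494, 1495)),   # ICA_TCP
    Rule("Citrix-EXT", "Citrix-INT", "udp", range(1604, 1605)),   # ICA_UDP
    Rule("Citrix-INT", "Citrix-EXT", "udp", range(1604, 1605)),   # ICA_UDP
    Rule("Citrix-INT", "Citrix-EXT", "tcp", range(1023, 65536)),  # ICA_RANGE
]
MINIMAL = [
    Rule("Citrix-EXT", "Citrix-INT", "tcp", range(1494, 1495)),   # ICA_TCP only
]


def in_group(ip, group):
    members = GROUPS[group]
    return members is None or ip in members


class StatefulFilter:
    """Accept packets of an already-accepted session in either direction,
    otherwise consult the rulebase top-down; implicit drop at the end."""

    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()

    def accept(self, p):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reply = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.sessions or reply in self.sessions:
            return "accept (state)"
        for r in self.rules:
            if (in_group(p.src, r.src) and in_group(p.dst, r.dst)
                    and p.proto == r.proto and p.dport in r.ports):
                self.sessions.add(key)
                return "accept (rule)"
        return "drop"


# Constructed flows, evaluated in this order.
FLOWS = [
    ("Citrix user opens an ICA session", Pkt("203.0.113.10", 3456, "10.1.1.3", 1494, "tcp")),
    ("server replies on that session", Pkt("10.1.1.3", 1494, "203.0.113.10", 3456, "tcp")),
    ("server opens a new outbound connection", Pkt("10.1.1.3", 40000, "203.0.113.10", 4444, "tcp")),
    ("Citrix user browses on UDP 1604", Pkt("203.0.113.10", 1604, "10.1.1.3", 1604, "udp")),
    ("stranger probes UDP 1604", Pkt("198.51.100.7", 1604, "10.1.1.3", 1604, "udp")),
]


def evaluate(rules):
    """Run FLOWS through a fresh filter and return the verdicts in order."""
    fw = StatefulFilter(rules)
    return [fw.accept(p) for _, p in FLOWS]


if __name__ == "__main__":
    for name, rules in (("proposed", PROPOSED), ("minimal", MINIMAL)):
        print(name)
        for (desc, _), verdict in zip(FLOWS, evaluate(rules)):
            print(f"  {desc:40s} {verdict}")
```

The second flow is accepted by state under both rulebases, which is the whole of the Citrix doc's "outbound ports 1023 and above" requirement on a stateful firewall. The third flow is the cost of the ICA_RANGE rule: a compromised MetaFrame server gets a free outbound channel to any high port. The UDP 1604 rule only serves browsing, and because the source is Citrix-EXT rather than Any the stranger's probe is dropped either way; with Any as the source it would be answered with the list of published applications.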

Author Comment

by:Wandering_Wizard
ID: 6217974
Thanks for the suggestion of just using 1494, it's working fine.

Checkpoint didn't have a rule for this so I just entered it