Citrix over Firewall-1 4.0 (on Nokia 330)

Posted on 2001-06-05
Medium Priority
Last Modified: 2013-11-16
Has anyone set this up?
I am intending to do the following and want to know if it's right....

Setup services:
ICA_TCP   = TCP 1494
ICA_UDP   = UDP 1604
ICA_RANGE = Range 1023-65535

Then add the following rules:
Citrix-EXT --> Citrix-INT = Allow ICA_TCP, ICA_UDP
Citrix-INT --> Citrix-EXT = Allow ICA_UDP, ICA_RANGE

This seems to make sense from the Citrix docs:
The following is a list of TCP/IP and UDP ports that must be open on firewalls and routers for ICA packets to pass through:

TCP/IP port 1494 (inbound)
UDP port 1604 (inbound and outbound)
Outbound (from the server to the client) ports 1023 and above (a maximum of 65535) for TCP/IP.

Question by: Wandering_Wizard
LVL 12

Expert Comment

ID: 6158177
To make Citrix/metaframe work through a Firewall with NAT enabled, you may run into a problem.  On the citrix box (metaframe server) you may have to run the following administrative command:

     altaddr /set

This may solve a "can't connect" error message on an inbound TCP (port 1494) call from an ICA client to a metaframe server.  In the example above the real (private) IP address of the metaframe box is  The IP number is the virtual (registered/routeable) IP address.  So change these IP numbers to the appropriate ones used on your citrix box.
Also, check to make sure the IP routes are set up properly on the metaframe box to route through the firewall.

On the Citrix client, you need to activate the "Access Metaframe through Firewall" option.

If you are using the web server front-end to Citrix, then add the following line to the appropriate ICA file on the web server:

Citrix Master Browser Broadcast Question:

Can the Citrix UDP port 1604 be successfully firewalled/ NAT'ed?


You can't really use citrix udp port 1604 through a router or firewall.

The UDP port 1604 is used by a citrix client to find an ICA server via a LAN broadcast.  When the client first starts up, it sends an IP broadcast message to port 1604 via UDP/IP.  All citrix boxes that see this broadcast respond.  They also send to the ICA client the list of "Published Applications".

When an ICA client comes from a different IP subnet, a broadcast packet won't reach the ICA servers (unless the router[s] between them do something like forward broadcasts).  When you come through a firewall with NAT, the situation gets worse because of the IP addresses being changed.  To work around this, you need to modify the ICA client:

1) In the ICA client "Remote Application Manager" pull down the menu "Options" and select the "Settings" menu item;
2) In the "Server Location" tab select the "TCP/IP" Network Protocol;
3) By default you should see "(Auto-Locate)" in the Address List.  You can't use this since broadcast packets won't go anywhere across the Internet.  You need to "Add..." the citrix server name[s] or IP addresses in this list.
4) Checkmark the "Use alternate address for firewall connection" if you have NAT enabled on the Firewall between the ICA client and the ICA server.

This should allow the ICA client to see the "Published Applications" and get to the various ICA servers.


Accepted Solution

dimman earned 300 total points
ID: 6188361
Just a comment..
First of all you are opening up too much..
Second of all.. are you going to download the clients over the connection or not? Web client? You might have to open up for the ActiveX component, if you are going to do a remote download. Usually this should not be a problem for Checkpoint FW-1

Third) Most of the problems Housenet described above are if you are using a PROXY and especially Microsoft Proxy 2. It depends how the proxy handles information, which is different than firewalls (NAT or NOT NAT).

Fourth) The new ICA (6.01 something) client allows you to browse for published applications using HTTP.

You should be fine with just TCP 1494. See if Checkpoint already has a rule for this.. maybe called ICA ???
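To make the accepted answer's point concrete ("you are opening up too much"), the following Python model runs the rule set proposed in the question and the minimal "just TCP 1494" rule set through a toy first-match, stateful firewall in the style of FW-1. This is an added example, not code from the thread or from Check Point; the network-object names, the test flows and the simplified connection-table logic are assumptions for illustration and not FW-1 internals.

```python
"""Toy model of a first-match, stateful rule base (Check Point FW-1 style),
used to compare the rule set proposed in the question with the "just TCP
1494" rule set from the accepted answer.  Added example, not part of the
original thread; object names and the connection-table logic are assumptions."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # network object the packet comes from (assumed naming)
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    services: tuple  # (proto, low_port, high_port) triples
    action: str = "accept"

    def matches(self, p: Packet) -> bool:
        if self.src not in (p.src, "any") or self.dst not in (p.dst, "any"):
            return False
        return any(proto == p.proto and lo <= p.dport <= hi
                   for proto, lo, hi in self.services)


class StatefulFirewall:
    """First matching rule wins; replies of an accepted connection are allowed
    from the connection table, so no explicit 'return traffic' rule is needed."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.conns = set()       # 5-tuples of accepted connections

    def check(self, p: Packet) -> str:
        # Reply direction of a connection we already accepted?
        if (p.dst, p.src, p.proto, p.dport, p.sport) in self.conns:
            return "accept (state)"
        for r in self.rules:
            if r.matches(p):
                if r.action == "accept":
                    self.conns.add((p.src, p.dst, p.proto, p.sport, p.dport))
                return f"{r.action} ({r.name})"
        return "drop (cleanup)"  # implicit cleanup rule


# Services exactly as defined in the question.
ICA_TCP   = ("tcp", 1494, 1494)
ICA_UDP   = ("udp", 1604, 1604)
ICA_RANGE = ("tcp", 1023, 65535)

PROPOSED = [
    Rule("ICA in",  "Citrix-EXT", "Citrix-INT", (ICA_TCP, ICA_UDP)),
    Rule("ICA out", "Citrix-INT", "Citrix-EXT", (ICA_UDP, ICA_RANGE)),
]
MINIMAL = [
    Rule("ICA in",  "Citrix-EXT", "Citrix-INT", (ICA_TCP,)),
]

# Constructed test flows, evaluated in order so the reply sees the session state.
FLOWS = [
    ("ica session in",      Packet("Citrix-EXT", "Citrix-INT", "tcp", 3456, 1494)),
    ("ica reply out",       Packet("Citrix-INT", "Citrix-EXT", "tcp", 1494, 3456)),
    ("server new outbound", Packet("Citrix-INT", "Citrix-EXT", "tcp", 1200, 4444)),
    ("browser udp in",      Packet("Citrix-EXT", "Citrix-INT", "udp", 1604, 1604)),
]


def evaluate(rules, flows=FLOWS):
    """Run the flows through a fresh firewall loaded with `rules`."""
    fw = StatefulFirewall(rules)
    return {name: fw.check(p) for name, p in flows}


def compare_rulesets():
    """Return {flow: (result under PROPOSED, result under MINIMAL)}."""
    proposed, minimal = evaluate(PROPOSED), evaluate(MINIMAL)
    return {name: (proposed[name], minimal[name]) for name in proposed}


if __name__ == "__main__":
    for flow, (p, m) in compare_rulesets().items():
        print(f"{flow:22s} proposed: {p:20s} minimal: {m}")
```

Because the firewall keeps connection state, the reply direction of the accepted 1494 session passes on state alone under both rule sets. What ICA_RANGE adds in the proposed set is permission for the MetaFrame server to open new TCP connections to any high port on the client network, and ICA_UDP adds an inbound UDP 1604 exposure; the minimal set drops both, which is the exposure the accepted answer is warning about.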
LVL 23

Expert Comment

by: Tim Holman
ID: 6190012
Make sure both of these ports apply to Citrix users only.
You don't want just anybody to be able to access these ports.
1604 will tell an intruder about your Citrix infrastructure.
If running Citrix over the Internet, best tunnel it through a VPN or use Secure ICA (I think that's what Citrix call their encrypted protocol?).
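Tim Holman's advice (make the ports apply to Citrix users only, and treat 1604 as information leakage) can be checked against firewall logs. The Python below is an added example, not code from the thread or from Check Point; the key=value log format, the addresses and the approved-client list are constructed for illustration and do not reproduce FW-1's real log export format. It flags ICA ports accepted from sources outside the approved client list, any UDP 1604 the firewall let through, and sources whose dropped 1604 packets touched several internal hosts.

```python
"""Audit constructed firewall log lines for the two concerns raised in the
thread: ICA ports reachable from non-Citrix users, and exposure of UDP 1604.
Added example; log format, addresses and thresholds are assumptions."""

import re
from collections import defaultdict

# Constructed sample log (key=value fields); NOT FW-1's real log export format.
SAMPLE_LOG = """\
date=05Jun2001 time=10:01:02 action=accept src=203.0.113.10 dst=192.0.2.5 proto=tcp sport=3401 dport=1494
date=05Jun2001 time=10:01:09 action=accept src=198.51.100.77 dst=192.0.2.5 proto=tcp sport=4100 dport=1494
date=05Jun2001 time=10:02:15 action=drop src=198.51.100.77 dst=192.0.2.5 proto=udp sport=1604 dport=1604
date=05Jun2001 time=10:02:16 action=drop src=198.51.100.77 dst=192.0.2.6 proto=udp sport=1604 dport=1604
date=05Jun2001 time=10:05:00 action=accept src=203.0.113.10 dst=192.0.2.5 proto=udp sport=1604 dport=1604
"""

# Assumed set of approved Citrix client addresses (the "Citrix users" in the advice).
APPROVED_CLIENTS = {"203.0.113.10"}

ICA_PORTS = {1494, 1604}
FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict; returns {} for blank or unparseable lines."""
    return dict(FIELD.findall(line))


def audit(lines, approved=APPROVED_CLIENTS, probe_threshold=2):
    """Return a list of (src, dport, reason) findings for the given log lines."""
    findings = []
    probed = defaultdict(set)        # src -> internal hosts it hit on 1604
    for line in lines:
        rec = parse_line(line)
        if not rec or "dport" not in rec:
            continue
        dport = int(rec["dport"])
        if dport not in ICA_PORTS:
            continue
        src, dst, action = rec["src"], rec["dst"], rec["action"]
        # ICA ports should only be reachable by the approved client set.
        if action == "accept" and src not in approved:
            findings.append((src, dport, "ICA port accepted from unapproved source"))
        if dport == 1604:
            if action == "accept":
                findings.append((src, dport, "UDP 1604 passed through the firewall"))
            else:
                probed[src].add(dst)
    # One source hitting several internal hosts on 1604 is enumerating Citrix servers.
    for src, hosts in probed.items():
        if len(hosts) >= probe_threshold:
            findings.append((src, 1604, f"dropped 1604 probes against {len(hosts)} hosts"))
    return findings


if __name__ == "__main__":
    for src, port, reason in audit(SAMPLE_LOG.splitlines()):
        print(f"{src:15s} port {port}: {reason}")
```

The second finding (an approved client using UDP 1604) is reported even though the rule allowed it, because, as the accepted answer notes, TCP 1494 alone is enough and any 1604 exposure is worth reviewing.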

Author Comment

ID: 6217974
Thanks for the suggestion of just using 1494, it's working fine.

Checkpoint didn't have a rule for this so I just entered it
