Citrix over Firewall-1 4.0 (on Nokia 330)

Has anyone set this up?
I am intending to do the following and want to know if it's right....

Setup services:
ICA_TCP   = TCP 1494
ICA_UDP   = UDP 1604
ICA_RANGE = Range 1023-65535

Then add the following rules:
Citrix-EXT --> Citrix-INT = Allow ICA_TCP, ICA_UDP
Citrix-INT --> Citrix-EXT = Allow ICA_UDP, ICA_RANGE

This seems to make sense from the citrix docs:
The following is a list of TCP/IP and UDP ports that must be open on firewalls and routers for ICA packets to pass through:

TCP/IP port 1494 (inbound)
UDP port 1604 (inbound and outbound)
Outbound (from the server to the client) ports 1023 and above (a maximum of 65535) for TCP/IP.

dimman Commented:
Just a comment..
First of all, you are opening up too much..
Second of all.. are you going to download the clients over the connection or not? Web client? You might have to open up for the ActiveX component, if you are going to do a remote download. Usually this should not be a problem for Checkpoint FW-1

Third) Most of the problems Housenet described above are if you are using a PROXY and especially Microsoft Proxy 2. It depends how the proxy handles information, which is different from firewalls (NAT or not NAT).

Fourth) The new ICA (6.01 something) client allows you to browse for published applications using HTTP.

You should be fine with just TCP 1494. See if Checkpoint already has a rule for this.. maybe called ICA ???
To make Citrix/metaframe work through a Firewall with NAT enabled, you may run into a problem.  On the citrix box (metaframe server) you may have to run the following administrative command:

     altaddr /set

This may solve a "can't connect" error message on an inbound TCP (port 1494) call from an ICA client to a metaframe server.  In the example above the real (private) IP address of the metaframe box is  The IP number is the virtual (registered/routeable) IP address.  So change these IP numbers to the appropriate ones used on your citrix box.
Also, check to make sure the IP routes are set up properly on the metaframe box to route through the firewall.

On the Citrix client, you need to activate the "Access Metaframe through Firewall" option.

If you are using the web server front-end to Citrix, then add the following line to the appropriate ICA file on the web server:

Citrix Master Browser Broadcast Question:

Can the Citrix UDP port 1604 be successfully firewalled/ NAT'ed?


You can't really use citrix udp port 1604 through a router or firewall.

The UDP port 1604 is used by a citrix client to find an ICA server via a LAN broadcast.  When the client first starts up, it sends an IP broadcast message to port 1604 via UDP/IP.  All citrix boxes that see this broadcast respond.  They also send to the ICA client the list of "Published Applications".

When an ICA client comes from a different IP subnet, a broadcast packet won't reach the ICA servers (unless the router[s] between them do something like forward broadcasts).  When you come through a firewall with NAT, the situation gets worse because of the IP addresses being changed.  To work around this, you need to modify the ICA client:

1) In the ICA client "Remote Application Manager" pull down the menu "Options" and select the "Settings" menu item;
2) In the "Server Location" tab select the "TCP/IP" Network Protocol;
3) By default you should see "(Auto-Locate)" in the Address List.  You can't use this since broadcast packets won't go anywhere across the Internet.  You need to "Add..." the citrix server name[s] or IP addresses in this list.
4) Checkmark the "Use alternate address for firewall connection" if you have NAT enabled on the Firewall between the ICA client and the ICA server.

This should allow the ICA client to see the "Published Applications" and get to the various ICA servers.

Tim HolmanCommented:
Make sure both of these ports apply to Citrix users only.
You don't want just anybody to be able to access these ports.
1604 will tell an intruder about your Citrix infrastructure.
If running Citrix over the Internet, best tunnel it through a VPN or use Secure ICA (I think that's what Citrix calls their encrypted protocol?).
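The two points made in this thread (that the rulebase in the question opens up far more than ICA needs, and that a stateful firewall passes the server's replies on its own, so TCP 1494 inbound is enough) can be checked with a small model. The following is an added example, not code from the thread or from Check Point; the host names, the port numbers used for the probe packets, and the simplified connection-table logic are constructed for illustration and only approximate how FW-1 handles state.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # True only for the packet that opens a TCP connection

@dataclass(frozen=True)
class Rule:
    src: frozenset      # allowed source hosts (a network object group)
    dst: frozenset
    proto: str
    dport_lo: int
    dport_hi: int
    action: str         # "accept" or "drop"

    def matches(self, pkt):
        return (pkt.src in self.src and pkt.dst in self.dst
                and pkt.proto == self.proto
                and self.dport_lo <= pkt.dport <= self.dport_hi)

class StatefulFilter:
    """The rulebase is consulted only for the first packet of a flow; later
    packets of an accepted flow (including the replies) match the connection
    table instead.  This is the property that makes ICA_RANGE unnecessary."""
    def __init__(self, rules):
        self.rules = rules
        self.table = set()   # 5-tuples of accepted flows

    def process(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if fwd in self.table or rev in self.table:
            return "accept:state"
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop:no-state"      # stray TCP segment without a session
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "accept":
                    self.table.add(fwd)
                return rule.action + ":rule"
        return "drop:cleanup"           # implicit drop at the end of the rulebase

# Constructed network objects (assumed names, not from the thread).
CLIENT = "ica-client"
SERVER = "metaframe"
CITRIX_EXT = frozenset({CLIENT, "ica-client-2"})   # the Citrix-EXT group
CITRIX_INT = frozenset({SERVER})                    # the Citrix-INT group

# Rulebase as proposed in the question.
PROPOSED = [
    Rule(CITRIX_EXT, CITRIX_INT, "tcp", 1494, 1494, "accept"),    # ICA_TCP
    Rule(CITRIX_EXT, CITRIX_INT, "udp", 1604, 1604, "accept"),    # ICA_UDP
    Rule(CITRIX_INT, CITRIX_EXT, "udp", 1604, 1604, "accept"),    # ICA_UDP
    Rule(CITRIX_INT, CITRIX_EXT, "tcp", 1023, 65535, "accept"),   # ICA_RANGE
]

# Rulebase suggested in the answers: only TCP 1494 from the Citrix users.
MINIMAL = [
    Rule(CITRIX_EXT, CITRIX_INT, "tcp", 1494, 1494, "accept"),
]

def ica_session(rules):
    """Verdicts for a client opening ICA to the server and the server's reply."""
    fw = StatefulFilter(rules)
    syn = Packet(CLIENT, SERVER, "tcp", 40000, 1494, syn=True)
    reply = Packet(SERVER, CLIENT, "tcp", 1494, 40000)
    return fw.process(syn), fw.process(reply)

def server_initiated(rules):
    """Verdict for a brand-new TCP connection opened *from* the server."""
    fw = StatefulFilter(rules)
    return fw.process(Packet(SERVER, CLIENT, "tcp", 2000, 8080, syn=True))

def browser_probe(rules):
    """Verdict for the UDP 1604 master-browser query from outside."""
    fw = StatefulFilter(rules)
    return fw.process(Packet(CLIENT, SERVER, "udp", 1604, 1604))

def accepted_port_count(rules):
    """How many (protocol, port) combinations the rulebase accepts in total."""
    return sum(r.dport_hi - r.dport_lo + 1 for r in rules if r.action == "accept")

if __name__ == "__main__":
    for name, rules in (("proposed", PROPOSED), ("minimal", MINIMAL)):
        print(name, ica_session(rules), server_initiated(rules),
              browser_probe(rules), accepted_port_count(rules))
```

Both rulebases carry the ICA session: the client's SYN is accepted by rule and the server's reply is accepted from the connection table, so ICA_RANGE contributes nothing to the session. What it does contribute is 64,513 extra accepted ports on which the server may open new connections towards the client side, which is the kind of exposure dimman's "opening up too much" refers to, and the UDP 1604 rules expose the browser query that Tim Holman notes reveals the Citrix infrastructure.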
Wandering_WizardAuthor Commented:
Thanks for the suggestion of just using 1494, it's working fine.

Checkpoint didn't have a rule for this so I just entered it.