Citrix Nfuse

Posted on 2004-11-18
Last Modified: 2010-04-14

Could someone explain why some clients at remote sites (internet cafes, hotels, etc.) can't connect?

The majority of people on remote sites can, but every so often we get places that can't connect, but do have internet access.

Sometimes an SSL error, sometimes just the hourglass, sometimes nothing (we do have people using the system all the time and it is working whilst these errors are happening, so I doubt it's at our end).
I was under the impression that it all worked under port 80 as far as the client was concerned, so I can't see what would be stopping it working.

Any ideas?

using Citrix frx

Clients do connect to CSG first rather than the web server.

And we do use NAT, but CSG and the web server are on a card of their own on the firewall.
Question by:mhamer

    Author Comment

    Would the client's firewall need to have any other ports than 80 open for Nfuse to work?

    Is there any way Nfuse will work only through port 80?
    LVL 3

    Accepted Solution

    Found this at

    Sounds like the hotels/internet cafes etc. might only have port 80 open, period?

    Citrix has its own proprietary gateway and ticketing service called Citrix Secure Gateway (CSG) that it uses to authenticate sessions and proxy sessions on port 443 for connection to backend Citrix Metaframe servers listening on TCP 1494 (ICA).  In essence:

    1)      A user connects to a portal server (Citrix Nfuse on port 80 or 443) using user credentials (plus SecureID if required).
    2)      After login the request is passed to a proprietary ticketing authority and a ticket is generated.  If authentication is successful half of the ticket is returned to the client and the other to the CSG server.  At the same time the Metaframe farm is queried for apps accessible to the user and using JavaScript a web page is created on the fly and returned to the user.
    3)      Once the user clicks on an app icon an ICA file containing info about the app and connection is generated to allow connection on 443 to the CSG server.
    4)      At the CSG server the halves of the tickets are compared and if they match the CSG server proxies the connection to the Metaframe farm via ICA.

    All connections from the external network(s) can use SSL and thus only 443 needs to be opened to the Nfuse Portal and the CSG servers sitting in a DMZ.  Port 80 needs to be open from the portal in the DMZ to Metaframe (ICA) farm on the internal network.  ICA (1494) needs to be open from the CSG box in the DMZ to the Metaframe (ICA) farm on the internal network.  I am told that the port 80 connections will be replaced with SSL ability in the next release.
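
Added example (not part of the original thread, and not Citrix code): a small Python check that reads the ICA file from step 3 and reports which outbound host and port the client site must allow, so a "port 80 only" network can be spotted before a user travels. The key names `SSLEnable`, `SSLProxyHost` and `Address` are assumed to be the usual ICA file settings; the hostnames, ticket value and function names are constructed for illustration.

```python
import configparser

# Constructed sample of an ICA file handed out by the portal (placeholder values).
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Outlook=

[Outlook]
Address=;10;STA01;0123456789ABCDEF
InitialProgram=#Outlook
TransportDriver=TCP/IP
SSLEnable=On
SSLProxyHost=csg.example.com:443
"""

ICA_PORT = 1494  # direct ICA port named in the answer above
SSL_PORT = 443   # CSG port named in the answer above


def required_endpoints(ica_text):
    """Map each published app to the (host, port, path) the client must reach."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key and app-name case as written in the file
    cp.read_string(ica_text)
    result = {}
    for app in cp["ApplicationServers"]:
        sec = cp[app]
        if sec.get("SSLEnable", "Off").lower() == "on" and sec.get("SSLProxyHost"):
            # Session is relayed by CSG: only the proxy host:port matters to the client.
            host, _, port = sec["SSLProxyHost"].partition(":")
            result[app] = (host, int(port or SSL_PORT), "CSG/SSL")
        else:
            # No SSL relay: the client talks ICA straight to the server address.
            host, _, port = sec.get("Address", "").partition(":")
            result[app] = (host, int(port or ICA_PORT), "direct ICA")
    return result


def blocked_at_site(ica_text, allowed_outbound_ports):
    """Return the apps whose required port is not allowed outbound at the site."""
    return {app: ep for app, ep in required_endpoints(ica_text).items()
            if ep[1] not in allowed_outbound_ports}


if __name__ == "__main__":
    print(blocked_at_site(SAMPLE_ICA, {80}))  # site that only permits port 80
```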
