Citrix Nfuse


could someone explain why some clients at remote sites (internet cafes. hotels etc) cant connect.

the majority of people on remote sites can, but every so often we get places that can't connect, but  do have internet access,

sometimes an ssl  error, sometimes just the hour glass, sometimes nothing, (we do have peopl using the system all the time and is working whilst theses errors are happerning so i doubt its at our end.
I was under the impression that it all worked under port 80 as far as the client was concernd, so cant see what would be stoping it working.

any ideas,

using Citrix frx

clients do connect to CSG first ratherthan the web server.

and we do use NAT but CSG and Web server are on a card of there own on the firewall.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

mhamerAuthor Commented:
would the clinets firewall need to have any other oports thatn 80 open for nfuise to work?

is there anyway nfuse willwork only through port 80?
Found this at

Sounds like the Hotels/Internet Cafes etc. Might only have port 80 open period?

Citrix has its own proprietary gateway andticketing service called Citrix Secure Gateway (CSG) that it uses to
authenticate sessions and proxy sessions on port 443 for connection to backend Citrix Metaframe servers listening on TCP 1494 (ICA).  Inessence:

1)      A user connects to a portal server (Citrix Nfuse on port 80 or443) using user credentials (plus SecureID if required).
2)      After login the request is passed to a proprietary ticketing authority and a ticket is generated.  If authentication is successful half of the ticket is returned to the client and the other to the CSG server.  At the same time the Metaframe farm is queried for apps accessible to the user and using JAVA script a web page is created on the fly and returned to the user.
3)      Once the user clicks on an app icon an ICA file containing info about the app and connection is generated to allow connection on 443 to the CSG server.
4)      At the CSG server the halves of the tickets are compared and if they match the CSG server proxies the connection to the Metaframe farm via ICA.

All connections from the external network(s) can use SSL and thus only 443 needs to be opened to the Nfuse Portal and the CSG servers sitting in a DMZ.  Port 80 needs to be open from the portal in the DMZ to Metaframe (ICA) farm on the internal network.  ICA (1494) needs to be open from the CSG box in the DMZ to the Metaframe (ICA) farm on the internal network.  I am told that the port 80 connections will be replaced with SSL ability in the next release.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.