Solved

Citrix Client through ISA Server

Posted on 2006-05-02
Last Modified: 2008-11-18
I need to access an External Citrix server using Citrix Client through the ISA Server.  I have read up on what needs to be done, but it still isn't working.  Can someone please give me the exact steps to take?  Thank you very much!

Bridget
Question by:bridgetimiller
53 Comments
 
LVL 5

Accepted Solution

by:
shankshank earned 500 total points
ID: 16589591
Citrix ICA uses port 1494, SSL 443, http 80

1494 is required, and the rest depend on your setup.

Are you trying to access outside your network, through an ISA server, to an external server? Then make sure in the firewall / ISA allow 1494 through.

0
 
LVL 5

Expert Comment

by:shankshank
ID: 16589595
Just remember, not 1494 outbound, but also inbound, because that is the port the steady connection is made thru
0
 

Author Comment

by:bridgetimiller
ID: 16589613
I am by no means an ISA server expert.  In fact, I'm quite the beginner :)  The Citrix server we want to access is External.  We use an ISA server for our firewall.  Can you please give me specific instructions to do the above?

Thanks!
Bridget
0
 
LVL 5

Expert Comment

by:shankshank
ID: 16589632
Well, basically you need to create a rule that allows that port through. I don't have ISA in front of me, but let me see if I can find more information.

I assume you are running ISA 2004?
0
 
LVL 5

Expert Comment

by:shankshank
ID: 16589642
This may help

1. Open the ISA 2004 management console. Navigate to Firewall Policy, right click it and select New->Access Rule.
2. Type a descriptive name for the access rule and click Next.
3. Choose Allow and click Next.
4. Under "This rule applies to" option, choose "Selected protocols" and then select the protocol (if the protocol does not exist, you can new a protocol).
5. Click Ports and you can type the port and then click Next.
6. On the Access Rule Sources page, add "Internal" and click Next.
7. On the Access Rule Destinations page, add destination and click Next.
8. Apply this rule to the Users and Finish the Wizard.
9. Move this rule to the top.
0
 

Author Comment

by:bridgetimiller
ID: 16589719
Yes, ISA 2004. What protocol is port 1494 associated with?

Thanks!
0
 
LVL 5

Expert Comment

by:shankshank
ID: 16589747
1494 is what ICA uses, Citrix ICA client
0
 

Author Comment

by:bridgetimiller
ID: 16589771
In step 4, you say "4. Under "This rule applies to" option, choose "Selected protocols" and then select the protocol (if the protocol does not exist, you can new a protocol)."  Just wondering which protocol to use?  I'm probably just confused.
0
 
LVL 5

Expert Comment

by:shankshank
ID: 16589788
I found those instructions online, but.

If you don't see port 1494 and ICA, what do you see, TCP, UDP?
0
 
LVL 5

Expert Comment

by:shankshank
ID: 16589794
You can create a new port, TCP, and specify 1494.


0
 

Author Comment

by:bridgetimiller
ID: 16589825
I have a huge list of protocols - RDP, HTTP, FTP, UDP, Terminal Services, TCP, etc. etc. etc.  I tried just adding a port, but it said I must have a protocol chosen.
0
 

Author Comment

by:bridgetimiller
ID: 16589833
Unfortunately, there isn't a standard TCP protocol already there.  There are a bunch that say "Something (TCP)".  Should I add TCP as a brand new one solo?
0
 
LVL 5

Expert Comment

by:shankshank
ID: 16589837
yes
0
 
LVL 5

Expert Comment

by:shankshank
ID: 16589847
Choose TCP and see if you can enter in 1494, does it allow you to do that?
0
 

Author Comment

by:bridgetimiller
ID: 16589895
That didn't work.  We can't even get the server listed in the server location of the Citrix Program Neighborhood when trying to add the connection.
0
 
LVL 5

Expert Comment

by:shankshank
ID: 16589941
Did you specify the server IP during the ISA wizard?
0
 

Author Comment

by:bridgetimiller
ID: 16589997
Not during the ISA wizard, but during the ICA wizard.
0
 
LVL 3

Assisted Solution

by:Sanx69
Sanx69 earned 500 total points
ID: 16590653
Unless there's a DNS alias - ica.xxx.xxx - on your internal network pointing to the Citrix server you want to use, you won't see the server name appear automagically in the server location field of Citrix Program Neighbourhood. This is unlikely, as the server's external. You'll need to populate the server location field yourself, and make sure you also allow port 80 and 443 (actually only one may be needed, but do both to be on the safe side) outbound to the Citrix server.
0
 

Author Comment

by:bridgetimiller
ID: 16590688
I actually have been adding the IP address of the server in there manually.  If I add in the public IP of the server and the IP of the website running on the server, it lets me connect.  Do you think it could be a timing out issue with the IPs?
0
 
LVL 3

Expert Comment

by:Sanx69
ID: 16591832
"If I add in the public IP of the server and the IP of the website running on the server, it lets me connect.  Do you think it could be a timing out issue with the IPs?"

That sounds like what you'd have to do anyway to connect to an external Citrix box. If this works, your ISA server's already allowing outgoing connections.

What EXACTLY is the system not doing?
0
 

Author Comment

by:bridgetimiller
ID: 16596338
It only connects on my XP machine inside the domain if I put in the IP of the server and the IP of the website.  I have a standalone machine running directly to a 2nd dsl in our office and it only needs one IP to connect, not two.  Also, when the XP machine in the domain connects, it is super slow, whereas the standalone is quick.
0
 
LVL 6

Assisted Solution

by:kane77573
kane77573 earned 500 total points
ID: 16616800
can u even telnet to that public ip from within ur lan on either machine
do this
start
run
cmd
telnet x.x.x.x 1494
1604 is udp for the master browser
see if you can telnet from both machines to the public ip
if not then you still have an isa problem
are you running any cisco switches with vlans and access list?
do a tracert to that public ip and see if there are any huge delays in ms from your lan to there.
0
 
LVL 6

Expert Comment

by:kane77573
ID: 16617421
Sorry,
telnet x.x.x.x is the public ip you are trying to hit .
if you can see if they can send you an ica file and launch it, and open it with notepad and change RemoveICAFile=yes to no
0
 

Author Comment

by:bridgetimiller
ID: 16618334
I'm not very knowledgeable with telnet, but I just did it and it keeps saying ICAICAICA on the same line.  How do I copy in the command prompt?  I did the tracert and it slowed down to the 300-400ms range when it hit our internet connection within Chicago and then sped up again to 33ms when it got to our server in VA.
0
 
LVL 6

Expert Comment

by:kane77573
ID: 16623322
give me the tracert
if you got icaica  then you made a connection to that public ip via port 1494
so it is working as citrix works through port 1494, so you have a connection
the 300-400ms is lags between the router hops from your lan all the way to that public ip.
300-400ms is not good
most maybe id say is 60 -80 at worst
not 400
post a tracert
start | type Cmd hit enter | type tracert x.x.x.x  and post results
0
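The telnet check discussed in the comments above, as an added example that is not part of the original thread: a small Python probe that separates "port blocked at the firewall" from "connected but no ICA banner" and reports the TCP connect time. The function name, status labels and the 256-byte read limit are assumptions made for this illustration; the only server behaviour relied on is the one reported in the thread, that the listener on port 1494 sends text containing "ICA".

```python
import socket
import sys
import time

def probe_ica(host, port=1494, timeout=5.0):
    """Classify one TCP probe of an ICA listener.

    Returns (status, connect_ms); status is one of
      "banner"    connected and received bytes containing b"ICA"
      "no-banner" connected, but nothing ICA-like arrived
      "refused"   the connection was actively rejected (port closed)
      "timeout"   no answer at all (typical of a firewall dropping packets)
      "error"     any other socket failure (e.g. no route, bad name)
    """
    start = time.monotonic()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", None
    except socket.timeout:
        return "timeout", None
    except OSError:
        return "error", None
    connect_ms = (time.monotonic() - start) * 1000.0

    data = b""
    with sock:
        sock.settimeout(timeout)
        try:
            # Read a little; the banner repeats, so a short read is enough.
            while b"ICA" not in data and len(data) < 256:
                chunk = sock.recv(64)
                if not chunk:          # peer closed without a banner
                    break
                data += chunk
        except OSError:                # includes a read timeout
            pass
    return ("banner" if b"ICA" in data else "no-banner"), connect_ms

if __name__ == "__main__":
    # Usage: python probe_ica.py <citrix-server-ip> [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 1494
    print(probe_ica(target, target_port))
```

Run it from a machine behind the ISA server and from one that bypasses it: "timeout" or "refused" only behind ISA points at the access rule, while "banner" with a high connect time points at the network path instead.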
 

Author Comment

by:bridgetimiller
ID: 16634215
Here it is.  I even figured out how to copy it from cmd :)  It's much faster today.

Tracing route to 161.58.181.253 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  netserver2.actdomain.local [192.168.110.2]
  2     1 ms     1 ms     1 ms  w049.z066088063.chi-il.dsl.cnc.net [66.88.63.49]
  3    11 ms    12 ms    12 ms  w001.z064221068.chi-il.dsl.cnc.net [64.221.68.1]
  4     9 ms     9 ms     9 ms  ge5-0-0.MAR2.Chicago-IL.us.xo.net [207.88.84.21]
  5     9 ms     9 ms    10 ms  p5-2-0-3.RAR2.Chicago-IL.us.xo.net [65.106.6.153]
  6   102 ms    21 ms    10 ms  p1-0.IR1.Chicago2-IL.us.xo.net [65.106.6.138]
  7    10 ms    10 ms    10 ms  ge-4-3-0.r00.chcgil06.us.bb.verio.net [206.223.119.12]
  8    11 ms    11 ms    11 ms  xe-0-1-0.r21.chcgil06.us.bb.verio.net [129.250.2.25]
  9    32 ms    32 ms    32 ms  p16-2-3-0.r21.asbnva01.us.bb.verio.net [129.250.5.103]
 10    31 ms    31 ms    31 ms  xe-2-0-0.r20.asbnva01.us.bb.verio.net [129.250.2.16]
 11    31 ms    31 ms     *     xe-1-1.r01.stngva01.us.bb.verio.net [129.250.2.85]
 12    32 ms    31 ms    33 ms  mg-1.c00.stngva01.us.da.verio.net [129.250.28.202]
 13    32 ms    31 ms    31 ms  161.58.156.157
 14    32 ms    32 ms    32 ms  161.58.181.253

Trace complete.

C:\Documents and Settings\bridget.ACTDOMAIN>tracert 161.58.181.253
0
 
LVL 6

Expert Comment

by:kane77573
ID: 16638939
maybe there was a bad router in its path on the way there that day, any huge spike in ms will cause great delay, i currently have my citrix servers setup at home via a cisco router 2611 dsl only 1.5mb/512 speed, works fine
i can have u test it with mine, i can send u an ica file and see if the app launches.
can you have this place give u an ica file, or can u log in to their web interface if they have one and right click the app save as ica file?
if you can do that we can do more testing.
0
 
LVL 6

Expert Comment

by:kane77573
ID: 16645233
any luck yet?
0
 

Author Comment

by:bridgetimiller
ID: 16649277
I emailed the instructions to my boss since I don't know how to do this and I haven't heard back yet.  I'll ask him in a bit.  Thanks for checking up :)
0
 
LVL 6

Expert Comment

by:kane77573
ID: 16650607
well if me and u could communicate i can get that file and configure it for u and send u it and have u test it, not sure if thats allowed here
0
 
LVL 2

Expert Comment

by:micromarch
ID: 16651649
why don't you just vpn on your network through isa and connect to citrix from there? probably be more secure than publishing ports wide open and publishing your citrix server to the outside world.
0
 
LVL 3

Expert Comment

by:Sanx69
ID: 16652693
Micromarch, the question states that he's trying to access an /external/ Citrix server. Don't think VPNing would help much there.
0
 
LVL 2

Expert Comment

by:micromarch
ID: 16652742
oh my bad. didn't read that correctly. i thought the opposite. sorry.
0
 

Author Comment

by:bridgetimiller
ID: 16658301
Kane - I have access to the Citrix server via remote desktop.  Would that help?

Thanks :)
Bridget
0
 
LVL 2

Assisted Solution

by:micromarch
micromarch earned 500 total points
ID: 16658329
is your citrix server on a lan or does it have a public ip address? if it has a public ip address and is addressed on your isa server then you could simply open the ports needed for citrix, otherwise you will have to publish the server to the isa server and open the proper ports through isa.
0
 

Author Comment

by:bridgetimiller
ID: 16658785
It has a public IP.
0
 
LVL 2

Expert Comment

by:micromarch
ID: 16658833
well then your job is easy. all you have to do is open the ports in order for clients to access your citrix server on your isa server 2004. You will have to open the ports inbound. if you do not know how to open ports through your isa server here is a link you might want to check. www.isaserver.org they have great articles on how to's.
0
 
LVL 2

Expert Comment

by:micromarch
ID: 16658880
oh by the way, which citrix client are you using? the web client? if so, you must open port 1494.
0
 
LVL 2

Expert Comment

by:micromarch
ID: 16658922
here's another article you might like. it will go step by step with you how to do so.
http://support.microsoft.com/default.aspx?scid=kb;en-us;837739

0
 
LVL 2

Expert Comment

by:micromarch
ID: 16658924
if your citrix server resides on the isa, u can skip step 2.
0
 

Author Comment

by:bridgetimiller
ID: 16659904
If we're using Citrix Presentation Server, should I still use the tips in the article you linked?

Thanks!
0
 
LVL 2

Expert Comment

by:micromarch
ID: 16660168
yeah should still be the same ports.
0
 
LVL 2

Expert Comment

by:micromarch
ID: 16660223
you might need to open port 1604 as well.
0
 
LVL 2

Expert Comment

by:micromarch
ID: 16660243
just a question, why is the citrix server on the isa server? if i were you for security purposes, i would put the citrix server behind the isa firewall and publish it through isa. That way only those ports are wide open to your citrix server and no wheres else.
0
 
LVL 6

Expert Comment

by:kane77573
ID: 16661137
Bridget - yes that would help, is it allowed that we work on this outside of EE? I can give you my aim sn or some info
0
 
LVL 5

Expert Comment

by:shankshank
ID: 16661178
did you read this whole post, the concept of opening ports on ISA2004 was already decided as the problem lol
0
 

Author Comment

by:bridgetimiller
ID: 16667871
I'm not sure if that is allowed...I don't see why not.

The Citrix server is not at our location.  It is a dedicated server hosted off site.  We have to go through ISA to get to the internet here at my office.  

Since I'm not publishing the Citrix server behind the ISA server, I just need to get through the ISA server with the client.

Perhaps this will help - when we log in to specific email accounts, it takes considerably longer to login than when I login at home.
0
 
LVL 2

Expert Comment

by:micromarch
ID: 16667988
oh so you're the one with isa server, and you're trying to connect to one in a remote location well that makes a difference now. it should be exactly the same except when you open your ports, specify outbound. if you're not too sure about the ports, I'm sure your citrix client must have a manual specifying which ports need to be open in order to be able to access it.
0
 
LVL 2

Expert Comment

by:micromarch
ID: 16668000
http://ctxex10.citrix.com/kb/entry.jspa?externalID=CTX104998
i think this will help you with your problem.
0
 
LVL 2

Expert Comment

by:micromarch
ID: 16668005
0
 

Author Comment

by:bridgetimiller
ID: 16668023
I tried that awhile ago, but when I do, it tells me tpr.Save isn't a valid command....
0
 
LVL 2

Expert Comment

by:micromarch
ID: 16669823
http://www.isaserver.org/articles/2004tunnelportrange.html
is the citrix server using a different port besides standard ssl port 443?
0
