Citrix Client through ISA Server

I need to access an External Citrix server using Citrix Client through the ISA Server.  I have read up on what needs to be done, but it still isn't working.  Can someone please give me the exact steps to take?  Thank you very much!

Bridget
bridgetimillerAsked:
Who is Participating?
 
shankshankConnect With a Mentor Commented:
Citrix ICA uses port 1494, SSL 443, http 80

1494 is required, and the rest depend on your setup.

Are you trying to access outside your network, through an ISA server, to an external server? Then make sure in the firewall / ISA allow 1494 through.

0
 
shankshankCommented:
Just remmeber, not 1494 outbound, but also inbound, because that is the port the steady connection is made thru
0
 
bridgetimillerAuthor Commented:
I am by no means an ISA server expert.  In fact, I'm quite the beginner :)  The Citrix server we want to access is External.  We use an ISA server for our firewall.  Can you please give me specific instructions to do the above?

Thanks!
Bridget
0
Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

 
shankshankCommented:
Well  basically you need to create a rule that allows that port through, i don't have ISA in front of me, but let me see if I can find more information

I assume you are running ISA 2004?
0
 
shankshankCommented:
This may help

1. Open the ISA 2004 management console. Navigate to Firewall Policy, right
click it and select New->Access Rule.
2. Type a descriptive name for the access rule and click Next.
3. Choose Allow and click Next.
4. Under "This rule applies to" option, choose "Selected protocols" and
then select the protocol (if the protocol does not exist, you can new a
protocol).
5. Click Ports and you can type the port and then click Next.
6. On the Access Rule Sources page, add "Internal" and click Next.
7. On the Access Rule Destinations page, add destination and click Next.
8. Apply this rule to the Users and Finish the Wizard.
9. Move this rule to the top.
0
 
bridgetimillerAuthor Commented:
Yes, ISA 2004. What protocol is port 1494 associated with?

Thanks!
0
 
shankshankCommented:
1494 is what ICA uses, Citrix IC cleint
0
 
bridgetimillerAuthor Commented:
In step 4, you say "4. Under "This rule applies to" option, choose "Selected protocols" and then select the protocol (if the protocol does not exist, you can new a protocol)."  Just wondering which protocol to use?  I'm probably just confused.
0
 
shankshankCommented:
I foudn those instructions online, but.

If you don't see port 1494 and ICA, what do you see, TCP, UDP?
0
 
shankshankCommented:
You can create a new port, TCP, and specifiy 1494.


0
 
bridgetimillerAuthor Commented:
I have a huge list of protocols - RDP, HTTP, FTP, UDP, Terminal Services, TCP, etc. etc. etc.  I tried just adding a port, but it said I must have a protocol chosen.
0
 
bridgetimillerAuthor Commented:
Unfortunately, there isn't a standard TCP protocol already there.  There are a bunch that say "Something (TCP)".  Should I add TCP as a brand new one solo?
0
 
shankshankCommented:
yes
0
 
shankshankCommented:
Choose TCP and see if you can enter in 1494, does it allow you to do that?
0
 
bridgetimillerAuthor Commented:
That didn't work.  We can't even get the server listed in the server location of the Citrix Program Neighborhood when trying to add the connection.
0
 
shankshankCommented:
did you specify the server IP during the ISA wizard
0
 
bridgetimillerAuthor Commented:
Not during the ISA wizard, but during the ICA wizard.
0
 
Sanx69Connect With a Mentor Commented:
Unless there's a DNS alias - ica.xxx.xxx - on your internal network pointing to the Citrix server you want to use, you won't see the server name appear automagically in the server location field of Citrix Program Neighbourhood. This is unlikely, as the server's external. You'll need to populate the server location field yourself, and make sure you also allow port 80 and 443 (actually only one may be needed, but do both to be on the safe side) outbound to the Citrix server.
0
 
bridgetimillerAuthor Commented:
I actually have been adding the IP address of the server in there manually.  If I add in the public IP of the server and the IP of the website running on the server, it lets me connect.  Do you think it could be a timing out issue with the IPs?
0
 
Sanx69Commented:
"If I add in the public IP of the server and the IP of the website running on the server, it lets me connect.  Do you think it could be a timing out issue with the IPs?"

That sounds like what you'd have to do anyway to connect to an external citrix box. if this works, your ISA server's already allowing outgoing connections.

What EXACTLY is the system not doing?
0
 
bridgetimillerAuthor Commented:
It only connects on my XP machine inside the domain if I put in the IP of the server and the IP of the website.  I have a standalone machine running directly to a 2nd dsl in our office and it only needs one IP to connect, not two.  Also, when the XP machine in the domain connects, it is super slow, whereas the standalone is quick.
0
 
kane77573Connect With a Mentor Commented:
can u even telnet to that publi ip from within ur lan on either machine
do this
start
run
cmd
telnet x.x.x.x 1494
1604 is udp for the master browser
see if you can telnet from both machines to the public ip
if not then you still have an isa problem
are you running any cisco switches with vlans and access list?
do a tracert to that public ip and see if there are any huge delays in ms from your lan to there.
0
 
kane77573Commented:
Sorry,
telnet x.x.x.x is the public ip you are trying to hit .
if you can see if they can send you an ica file and launch it, and open it with notepad and change RemoveICAFile=yes to no
0
 
bridgetimillerAuthor Commented:
I'm not very knowledgable with telnet, but I just did it and it keeps saying ICAICAICA on the same line.  How do I copy in the command prompt?  I did the tracert and it slowed down to the 300-400ms range when it hit our internet connection within Chicago and then sped up again to 33ms when it got to our server in VA.
0
 
kane77573Commented:
give me the tracert
if you got icaica  then you made a connection to that public ip via port 1494
so it is working as citrix works through port 1494, so you have a connection
the 300-400ms is lags between the router hops from your lan all the way to that public ip.
300-400ms is not good
most maybe id say is 60 -80 at worst
not 400
post a tracert
start | type Cmd hit enter | type tracert x.x.x.x  and post results
0
 
bridgetimillerAuthor Commented:
Here it is.  I even figured out how to copy it from cmd :)  It's much faster today.

Tracing route to 161.58.181.253 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  netserver2.actdomain.local [192.168.110.2]
  2     1 ms     1 ms     1 ms  w049.z066088063.chi-il.dsl.cnc.net [66.88.63.49]

  3    11 ms    12 ms    12 ms  w001.z064221068.chi-il.dsl.cnc.net [64.221.68.1]

  4     9 ms     9 ms     9 ms  ge5-0-0.MAR2.Chicago-IL.us.xo.net [207.88.84.21]

  5     9 ms     9 ms    10 ms  p5-2-0-3.RAR2.Chicago-IL.us.xo.net [65.106.6.153
]
  6   102 ms    21 ms    10 ms  p1-0.IR1.Chicago2-IL.us.xo.net [65.106.6.138]
  7    10 ms    10 ms    10 ms  ge-4-3-0.r00.chcgil06.us.bb.verio.net [206.223.1
19.12]
  8    11 ms    11 ms    11 ms  xe-0-1-0.r21.chcgil06.us.bb.verio.net [129.250.2
.25]
  9    32 ms    32 ms    32 ms  p16-2-3-0.r21.asbnva01.us.bb.verio.net [129.250.
5.103]
 10    31 ms    31 ms    31 ms  xe-2-0-0.r20.asbnva01.us.bb.verio.net [129.250.2
.16]
 11    31 ms    31 ms     *     xe-1-1.r01.stngva01.us.bb.verio.net [129.250.2.8
5]
 12    32 ms    31 ms    33 ms  mg-1.c00.stngva01.us.da.verio.net [129.250.28.20
2]
 13    32 ms    31 ms    31 ms  161.58.156.157
 14    32 ms    32 ms    32 ms  161.58.181.253

Trace complete.

C:\Documents and Settings\bridget.ACTDOMAIN>tracert 161.58.181.253
0
 
kane77573Commented:
maybe there was a bad router in its path no the way there that day, any huge spike in ms will cause great delay, i currently have my citrix servers setup at home via a cisco router 2611 dsl only 1.5mb/512 speed, works fine
i can have u test it with mine, i can send u an ica file and see if the app launces.
can you have this place give u an ica file, or can u log in to there web interface if they have one and right click the app save as ica file?
if you can do that we can do more testing.
0
 
kane77573Commented:
any luck yet?
0
 
bridgetimillerAuthor Commented:
I emailed the instructions to my boss since I don't know how to do this and I haven't heard back yet.  I'll ask him in a bit.  Thanks for checking up :)
0
 
kane77573Commented:
well if me and u could communicate i can get that file and configure it for u and send u it and have u test it, not sure if thats allowed here
0
 
micromarchCommented:
why dont you just vpn on your network through isa and connect to citrix from there? probably be more secure then publishing ports wide open and publishing your citrix server to the outside world.
0
 
Sanx69Commented:
Micromarch, the question states that he's trying to access an /external/ Citrix server. Don't think VPNing would help much there.
0
 
micromarchCommented:
oh my bad. didnt read that correctly. i thaught the opposite. sorry.
0
 
bridgetimillerAuthor Commented:
Kane - I have access to the Citrix server via remote desktop.  Would that help?

Thanks :)
Bridget
0
 
micromarchConnect With a Mentor Commented:
in your citrix server on a lan or does it have a public ip address? if it has a public ip address and is addressed on you isa server then you could simply open the ports needed for citrix, otherwise you will have to publish the server to the isa server and open the proper ports through isa.
0
 
bridgetimillerAuthor Commented:
It has a public IP.
0
 
micromarchCommented:
well then your job is easy. all you have to do is open the ports in order for clients to access your citrix server on your isa server 2004. You will have to open the ports inbound. if you do knot know how to open ports through your isa server here is a link you might want to check. www.isaserver.org they have great articles on how to's.
0
 
micromarchCommented:
oh by the way, which citrix client are you using? the web client? if so, you must open port 1494.
0
 
micromarchCommented:
heres another article you might like. it will go step by step with you how to do so.
http://support.microsoft.com/default.aspx?scid=kb;en-us;837739

0
 
micromarchCommented:
if your citrix server resides on the isa, u can skip step 2.
0
 
bridgetimillerAuthor Commented:
If we're using Citrix Presentation Server, should I still use the tips in the article you linked?

Thanks!
0
 
micromarchCommented:
yeah should still be the same ports.
0
 
micromarchCommented:
you might need to open port 1604 as well.
0
 
micromarchCommented:
just a question, why is the citrix server on the isa server? if i were you for security purposes, i would put the citrix server behind the isa firewall and publish it through isa. That way only those ports are wide open to your citrix server and no wheres else.
0
 
kane77573Commented:
birdget - yes that would help, is it allowed they we work on this outside of EE? I can give you my aim sn or some info
0
 
shankshankCommented:
did you read this whole post, the concept of opening ports on ISA2004 was already decided as the problem lol
0
 
bridgetimillerAuthor Commented:
I'm not sure if that is allowed...I don't see why not.

The Citrix server is not at our location.  It is a dedicated server hosted off site.  We have to go through ISA to get to the internet here at my office.  

Since I'm not publishing the Citrix server behind the ISA server, I just need to get through the ISA server with the client.

Perhaps this will help - when we log in to specific email accounts, it takes considerably longer to login than when I login at home.
0
 
micromarchCommented:
oh so your the one with isa server, and your trying to conect to one in a remote location well that makes a difference now. it should be exactly the same exept when you open your ports, specify oubound. if your not too sure about the ports, im sure your citrix client must have a manual specifying which ports need to be open in order to be able to access it.
0
 
micromarchCommented:
http://ctxex10.citrix.com/kb/entry.jspa?externalID=CTX104998
i think this will help you with your problem.
0
 
bridgetimillerAuthor Commented:
I tried that awhile ago, but when I do, it tells me tpr.Save isn't a valid command....
0
 
micromarchCommented:
http://www.isaserver.org/articles/2004tunnelportrange.html
is the citrix server using a different port besides standard ssl port 443?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.