How VPN network connects to Citrix server

Posted on 2009-05-01
Last Modified: 2012-05-06
Dear Expert,

Sometimes our organisation connects to the Citrix server from VPN. I want more details about this connectivity and architecture. What are the ports and firewall it passes through to connect to Citrix, and other processes?

Question by:AJITPADHY
    LVL 8

    Expert Comment

    If you are using Citrix you don't need to VPN to the server.  You should just connect to Citrix through the Web.
    LVL 19

    Expert Comment

    If you need to know the ports (there are several depending on how you use things) here they are for the most part:

    ICA session: 1494-tcp
    ICA session with Session Reliability: 2598-tcp

    Web Interface: 80-tcp
    Web Interface with SSL: 443-tcp

    Secure Gateway/CAG: 443-tcp

    XML browser (default): 80-tcp

    I would actually suggest using the VPN if you have it unless you enable Secure Gateway or CAG; the VPN will be higher security than ICA encryption alone.  The Secure Gateway and CAG will provide 128-bit protocol encryption, not just the session encryption ICA does.  
    LVL 3

    Accepted Solution

    Likely your firewall is providing an IPSEC VPN to your end users.  The ports necessary to be allowed to/by the firewall are ISAKMP, ESP, and probably NAT-T (non500-ISAKMP).  

    These ports are:

    ISAKMP - udp 500
    ESP - IP protocol 50
    NAT-T - udp 4500

    Typical implementations of firewall VPNs issue IP addresses in a range separate from your internal network and then pass traffic back and forth between the networks without NATing it.  The ports listed above are most often terminated on the firewall and traffic is decrypted before being passed to your internal servers; return traffic is, in turn, encrypted before passing it back to the end user's computer.
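The port lists and the separate VPN address pool described in the answers above, turned into a small firewall policy check. This is an added example, not part of any poster's reply; the addresses, the first-match rule format, and the assumption that Citrix is reachable only from the VPN pool are constructed for illustration.

```python
import ipaddress
# Constructed addressing (assumptions, not values from the thread).
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")  # range issued to VPN clients
FIREWALL = ipaddress.ip_address("203.0.113.1")   # public VPN endpoint
CITRIX = ipaddress.ip_address("192.168.10.20")   # internal Citrix server
# Services listed in the thread; ESP is IP protocol 50 and has no port.
VPN_SERVICES = {("udp", 500), ("esp", None), ("udp", 4500)}
CITRIX_SERVICES = {("tcp", 1494), ("tcp", 2598), ("tcp", 80), ("tcp", 443)}

def expected(src, dst, proto, port):
    """Verdict under the assumed design: Citrix is reachable only from the VPN pool."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst == FIREWALL:
        return "allow" if (proto, port) in VPN_SERVICES else "deny"
    if dst == CITRIX and src in VPN_POOL and (proto, port) in CITRIX_SERVICES:
        return "allow"
    return "deny"

def decide(rules, src, dst, proto, port):
    """Evaluate a first-match ruleset with an implicit default deny."""
    for net, rule_dst, rule_proto, rule_port, action in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(net)
                and ipaddress.ip_address(dst) == rule_dst
                and (proto, port) == (rule_proto, rule_port)):
            return action
    return "deny"

def audit(rules, flows):
    """Return (flow, actual, expected) for every flow the ruleset gets wrong."""
    results = [(f, decide(rules, *f), expected(*f)) for f in flows]
    return [r for r in results if r[1] != r[2]]

RULES = [  # constructed ruleset: (source network, destination, proto, port, action)
    ("0.0.0.0/0", FIREWALL, "udp", 500, "allow"),
    ("0.0.0.0/0", FIREWALL, "esp", None, "allow"),
    ("0.0.0.0/0", FIREWALL, "udp", 4500, "allow"),
    ("10.99.0.0/24", CITRIX, "tcp", 1494, "allow"),
    ("10.99.0.0/24", CITRIX, "tcp", 2598, "allow"),
    ("0.0.0.0/0", CITRIX, "tcp", 443, "allow"),  # too broad: not limited to the pool
]
FLOWS = [  # constructed flows: (source, destination, proto, port)
    ("10.99.0.7", "192.168.10.20", "tcp", 1494),
    ("198.51.100.9", "192.168.10.20", "tcp", 443),
    ("198.51.100.9", "203.0.113.1", "esp", None),
    ("10.99.0.7", "192.168.10.20", "tcp", 80),
]
if __name__ == "__main__":
    for flow, actual, wanted in audit(RULES, FLOWS):
        print(flow, "ruleset:", actual, "expected:", wanted)
```

The audit reports two mismatches: the 443-tcp rule exposes the Citrix server to sources outside the VPN pool, and VPN clients are blocked from the Web Interface on 80-tcp.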
