Citrix Client Access Through ISA 2004 via Cisco VPN

Posted on 2009-07-14
Medium Priority
Last Modified: 2012-05-07
We have a user who needs to access Citrix at a remote site.  The IT team at the remote site installed the Citrix software, a VoIP Softphone and a Cisco vpn client.

At our local site we have a PIX501 sitting in front of ISA2004 (inside SBS2003) so all our outbound traffic goes through ISA then the PIX.  I created an ISA allow rule (name : Cisco Outbound) for Cisco vpn protocols and now the user can make the vpn tunnel.  He can now connect to their VoIP PBX and make/receive calls via the softphone, so from this i believe the ISA 'Cisco Outbound' rule is working just fine as traffic is moving fine.

Now when the user tries to connect to Citrix (this is configured to look for the remote site internal IP), on opening Word 2007 he receives an error:

'Cannot connect to the Citrix Presentation Server'

I created a rule (Citrix Outbound) to allow Internal > External access to the ICA protocol (TCP 1494 / UDP 1604). I can ping the two remote internal IP addresses set in the Citrix settings, however when I try to telnet to port 1494 I don't have any success.  I watch ISA monitoring and can see that 'Cisco Outbound' connects fine, but then the 'Citrix Outbound' rule shows 'initialise connection' for port 1494 to the remote internal IP address and after 10-20 seconds the connection is closed. There is currently no 'denied connection' or other error, just two lines: one to initialise, one to close.

If we simply right-click the ISA Firewall Client on the user's laptop and click disable the Firewall Client, Cisco VPN connects (activity shown in ISA monitor) and telnet works just fine (I see ICAICAICAICA in the window) but there is no activity to monitor in ISA relating to the telnet.

If we disconnect the user from our domain and he uses 'another' internet connection (that avoids our ISA server) then everything works as it should.

So process of elimination suggests ISA is causing problems here; what do I need to do to resolve this?

Couple of questions ..

1) Should I be seeing in ISA the traffic that should be 'inside' the Cisco VPN (i.e. the traffic to the remote internal server IP)?

2) What else needs setting in ISA to allow ICA to fully communicate 'back home' ?
Question by:bbgdist
LVL 29

Accepted Solution

pwindell earned 2000 total points
ID: 24861445
Get rid of the "Citrix Outbound Rule".  This traffic does not "use" the ISA.
The root of the problem: you did not add the "Remote Internal IP Range" to the ISA's Internal Network Definition.
ISA does not "route" this traffic; the local "VPN Client" on the user's machine does. ISA never "sees" the traffic inside the Tunnel, therefore the ISA can't possibly make decisions about the traffic.  Adding the remote internal IP range to the Internal Network keeps the Firewall Client running on the user's machine from "getting in the way".
"So process of elimination suggests ISA is causing problems here, what do i need to do to resolve ?"
ISA is not the problem; the Client is the problem, because it is sending the traffic to the ISA when it is not supposed to. It is supposed to pass the inner-tunnel traffic into the local Cisco VPN Client, which then in turn "inserts" the traffic into the Tunnel.  The ISA is not supposed to be involved, does not know what to do with the "inner-tunnel traffic", and it is not supposed to know; it is never supposed to see it.
So add the remote internal private IP range to the ISA's Internal Network Definition so that the Firewall Client on the user's machine will respond correctly by simply "staying out of the way".
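The accepted answer hinges on one decision the ISA Firewall Client makes on the laptop: a destination inside the Internal Network definition is left alone (so the Cisco VPN client can pick it up), anything else is handed to ISA, which has no path into the tunnel. The script below is an added example, not code from the thread or from Microsoft or Citrix; it models that decision with the ipaddress module and shows the before/after effect of adding the remote range, then reproduces the "ICAICA" telnet check the poster used against a constructed local stand-in listener. All addresses and ranges are constructed placeholders.

```python
"""Added example (not from the Experts Exchange thread): models the ISA
Firewall Client's internal/external decision and checks a TCP port for the
ICA banner.  Ranges and hosts are constructed placeholders, not the poster's."""
import ipaddress
import socket
import threading

# Constructed placeholder ranges; the thread names no real addresses.
LOCAL_LAN = "192.168.16.0/24"      # the SBS/ISA site's own LAN
REMOTE_SITE_LAN = "10.20.0.0/16"   # Citrix site's private range, reachable only inside the Cisco tunnel


def firewall_client_path(dst_ip: str, internal_ranges) -> str:
    """Return 'direct' if dst_ip falls inside the ISA Internal Network
    definition (the Firewall Client stays out of the way and the local VPN
    client can carry the packet), else 'via-isa' (the connection is handed to
    ISA, which cannot reach the remote site's private range)."""
    addr = ipaddress.ip_address(dst_ip)
    for cidr in internal_ranges:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return "direct"
    return "via-isa"


def ica_banner_check(host: str, port: int = 1494, timeout: float = 5.0) -> bool:
    """Connect to an ICA listener and report whether it greets with 'ICA',
    the banner the poster saw as ICAICAICAICA in the telnet window.
    Returns False on refusal or timeout rather than raising."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = s.recv(64)
    except OSError:
        return False
    return b"ICA" in data


def start_fake_ica_listener():
    """Constructed stand-in for a Presentation Server: accepts one client on a
    loopback ephemeral port, sends the ICA banner, then closes.
    Returns the port number so a client can be pointed at it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"ICAICAICAICA")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    citrix_server = "10.20.1.10"   # constructed address inside the remote range
    before = [LOCAL_LAN]                    # Internal Network as originally defined
    after = [LOCAL_LAN, REMOTE_SITE_LAN]    # after adding the remote private range
    print("before:", firewall_client_path(citrix_server, before))   # via-isa
    print("after: ", firewall_client_path(citrix_server, after))    # direct
    port = start_fake_ica_listener()
    print("ICA banner seen:", ica_banner_check("127.0.0.1", port))
```

Running it prints `via-isa` for the remote Citrix address under the original definition and `direct` once the remote range is added, which is exactly why the "Citrix Outbound" rule never sees a completed session: the traffic only reaches ISA when the Firewall Client wrongly intercepts it. The banner check is a convenient way to confirm the tunnel path after the change without launching the full Citrix client.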

Author Comment

ID: 24866736
So i guess i was barking up the wrong tree, or at least the one next to the solution!

I have added the additional IP range to the ISA Internal Network range and can now telnet to the remote IP on port 1494 successfully with the Firewall Client enabled, so all that remains is to test Citrix itself when the user returns to the office later today.
