RE: Citrix ICA through port 80?

From: Henry Sieff (hsieffat_private)
Date: Sun Feb 13 2000 - 11:10:07 PST


    > -----Original Message-----
    > From: SF BA [mailto:sfba121at_private]
    > Sent: Thursday, February 10, 2000 7:25 PM
    > To: firewall-wizardsat_private
    > Subject: Citrix ICA through port 80?
    > 
    > 
    > I know that some of you will consider this a bad thing
    > ... that aside, I still need to figure out my options.
    > 
    > We have a demo that runs on Windows Terminal Server
    > and Citrix MetaFrame.  Some of our potential customers
    > have firewalls setup that block their users from going
    > out on unknown ports (if they don't have Citrix
    > installed already, then they'll block the ports that
    > ICA uses).
    > 
    > I was wondering ... is there a way to set things up so
    > that people can connect to our terminal server without
    > having to involve their IS departments?  Tunneling
    > over http on port 80, perhaps?
    
    Here's the deal with ICA.
    1. Client browses the ICA master browser for the app: UDP 1604
    2. Client establishes a connection with the server on which the app resides: TCP 1494 (by
    default)
    3. Client requests communication back on a randomly (sort of) chosen high port
    (TCP/UDP greater than 1023).
    
    Now, you can change the port that #2 uses with the icaport command to
    whatever you want. (Note that even if your app is embedded in a web page,
    these ports still need to be open to the TS.)
    
    The problem, for you and the customer's IS department, is:
    They'll need to open up UDP 1604 and TCP 1494 (by default) outbound and
    TCP/UDP greater than 1023 inbound to the users' hosts who will be accessing these
    apps. (Note that since the client actually initiates this connection as
    well, you may not have a problem if they allow any established, I think. I'd
    need to check that.)
    
    You will need to open UDP 1604 and TCP 1494 inbound to the server, plus
    UDP/TCP greater than 1023 outbound from the servers to whoever.
    
    Note that while you can change that TCP 1494 port to whatever, that one
    isn't a big deal because it's static. It's the actual data port which'll
    create problems.
    
    What you can do is use a VPN, and make the customers a client within that,
    but you will need to discuss it with their IS department first.
    
    BTW, if you contact me off-list, I can point you to some pretty useful
    Citrix resources.
    
    --
    Henry Sieff
    
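A small model of the firewall question in the reply above, added here as an example (it is not part of Henry's message or any Citrix documentation): it encodes the three ICA legs as the post describes them and reports which legs a given outbound ruleset would drop, with and without stateful handling of the client-initiated return leg. The rule sets, the session port default of 1494, and the high port 40000 are constructed placeholders; the icaport change is modelled as a parameter.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str           # "tcp" or "udp"
    direction: str       # "out": client -> server, "in": server -> client
    dst_port: int
    reply: bool = False  # True if this is the return leg of a client-initiated flow

def ica_flows(session_port=1494, return_port=40000):
    """The three legs of an ICA session as described in the post (a model,
    not a vendor specification). session_port stands in for the icaport
    setting; return_port is a constructed stand-in for the 'randomly (sort
    of) chosen' high port."""
    return [
        Flow("udp", "out", 1604),                    # 1. master-browser lookup
        Flow("tcp", "out", session_port),            # 2. session to the Terminal Server
        Flow("tcp", "in", return_port, reply=True),  # 3. data channel back to the client
    ]

def allowed(flow, rules, stateful):
    """rules: list of (proto, direction, low_port, high_port) permits.
    Assumption: a stateful firewall admits the return leg of a
    client-initiated flow without an explicit inbound rule; a stateless
    one needs the high-port range opened explicitly."""
    if stateful and flow.reply:
        return True
    return any(p == flow.proto and d == flow.direction and lo <= flow.dst_port <= hi
               for p, d, lo, hi in rules)

def blocked_flows(rules, stateful, **ports):
    """Legs of the ICA session that the given ruleset would drop."""
    return [f for f in ica_flows(**ports) if not allowed(f, rules, stateful)]

# Constructed client-side rulesets (outbound filtering at the customer's perimeter)
WEB_ONLY = [("tcp", "out", 80, 80), ("tcp", "out", 443, 443)]
ICA_MINIMAL = [("udp", "out", 1604, 1604), ("tcp", "out", 1494, 1494)]
HIGH_PORTS_IN = [("tcp", "in", 1024, 65535), ("udp", "in", 1024, 65535)]

if __name__ == "__main__":
    cases = [("web-only, stateful", WEB_ONLY, True),
             ("ICA minimal, stateful", ICA_MINIMAL, True),
             ("ICA minimal, stateless", ICA_MINIMAL, False),
             ("ICA minimal + high ports, stateless", ICA_MINIMAL + HIGH_PORTS_IN, False)]
    for name, rules, stateful in cases:
        print(f"{name}: blocked = {blocked_flows(rules, stateful)}")
```

Moving the session port to 80 with icaport only fixes leg #2; the UDP 1604 browse and the high-port data leg are what a web-only ruleset still has to deal with.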