> -----Original Message-----
> From: SF BA [mailto:sfba121at_private]
> Sent: Thursday, February 10, 2000 7:25 PM
> To: firewall-wizardsat_private
> Subject: Citrix ICA through port 80?
>
>
> I know that some of you will consider this a bad thing
> ... that aside, I still need to figure out my options.
>
> We have a demo that runs on Windows Terminal Server
> and Citrix MetaFrame. Some of our potential customers
> have firewalls set up that block their users from going
> out on unknown ports (if they don't have Citrix
> installed already, then they'll block the ports that
> ICA uses).
>
> I was wondering ... is there a way to set things up so
> that people can connect to our terminal server without
> having to involve their IS departments? Tunneling
> over http on port 80, perhaps?

Here's the deal with ICA.

1. Client browses ICA master browser for app: UDP 1604
2. Client establishes connection with server on which app resides: TCP 1494 (by default)
3. Client requests communication back on randomly (sort of) chosen High Port (TCP/UDP gt than 1023).

Now, you can change the port that #2 uses using the icaport command to whatever you want. (Note that even if your app is embedded in a web page, these ports still need to be open to the TS.)

The problem, for you and the customer's IS department, is:

They'll need to open up UDP 1604 and TCP 1494 (by default) outbound and tcp/udp gt than 1023 inbound to the users' hosts who will be accessing these apps. (Note that since the client actually initiates this connection as well, you may not have a problem if they allow any established, I think. I'd need to check that.)

You will need to open UDP 1604 and TCP 1494 inbound to the server, plus udp/tcp gt than 1023 outbound from the servers to whoever.

Note that while you can change that TCP 1494 port to whatever, that one isn't a big deal because it's static. It's the actual data port which'll create problems.

What you can do is use a VPN, and make the customers a client within that, but you will need to discuss it with their IS department first.

BTW, if you contact me off-list, I can point you to some pretty useful Citrix resources.

--
Henry Sieff
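The three flows listed in the reply above, checked against a default-deny packet filter on the customer side, as an added example that is not part of the original post. The flow model follows the reply's description; the rule sets, the names `Packet`, `Rule` and `blocked_flows`, and the high port 40000 are constructed for illustration.

```python
# Added example: default-deny filter evaluated against the ICA flows
# described in the post. Flow model and rule sets are constructed.
from collections import namedtuple

Packet = namedtuple("Packet", "name direction proto port established")
Rule = namedtuple("Rule", "direction proto lo hi state")  # state: any | established

HIGH_PORT = 40000  # constructed stand-in for the "randomly chosen" port > 1023

# Flows as seen from the customer's firewall, per the post's description.
ICA_FLOWS = [
    Packet("browse", "out", "udp", 1604, False),
    Packet("session", "out", "tcp", 1494, False),
    # Return leg on a high port; part of a connection the client initiated.
    Packet("data-return", "in", "tcp", HIGH_PORT, True),
]

def allowed(rules, pkt):
    """Any matching rule permits the packet; no match means default deny."""
    for r in rules:
        if r.direction != pkt.direction or r.proto not in (pkt.proto, "any"):
            continue
        if not (r.lo <= pkt.port <= r.hi):
            continue
        if r.state == "established" and not pkt.established:
            continue
        return True
    return False

def blocked_flows(rules):
    """Names of the ICA flows this rule set would drop."""
    return [p.name for p in ICA_FLOWS if not allowed(rules, p)]

ESTABLISHED_IN = Rule("in", "any", 0, 65535, "established")
ICA_OUT = [Rule("out", "udp", 1604, 1604, "any"),
           Rule("out", "tcp", 1494, 1494, "any")]
POLICIES = {
    # Web-only egress, the situation the original question describes.
    "web-only": [Rule("out", "tcp", 80, 80, "any"), ESTABLISHED_IN],
    # ICA ports opened outbound, stateless filter, no inbound rule.
    "ica-stateless": ICA_OUT,
    # Same outbound rules plus "allow established" inbound.
    "ica-stateful": ICA_OUT + [ESTABLISHED_IN],
}

if __name__ == "__main__":
    for name, rules in POLICIES.items():
        print(f"{name:14} blocked: {blocked_flows(rules) or 'none'}")
```

With the established-state rule in place, no standing inbound high-port range has to be opened on the customer side, which is the case the reply's parenthetical raises.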