Henry has provided some excellent info, but if I could add a couple of things.

Even though the connection back to the client is on a random high port, it's not a separate session, so any firewall worth its salt should be able to track and allow a connection back (for instance, Checkpoint FW-1).

The ICAPORT command will change the ICA port number from 1494 on the server, but on the client side you will have to create custom ICA connections and use only the IP address or host name of the Citrix server. This means no published applications or Program Neighborhood features (unless you use ALTADDR; see below). The entry would read something like:

192.168.1.1:80
citrix.mydomain.com:80

assuming you set the port to 80, and, of course, only the Microsoft clients can use this (DOS, Windows 3.1, and Win32).

There are other ways around this too. If your firewall can do port translation, you can translate port 80 traffic coming to your MetaFrame to port 1494. Your clients would still point to port 80 using the "X.X.X.X:port" syntax, but your Citrix server remains untouched.

You can also use the ALTADDR command to allow the Master ICA browser to hand the client not only an alternate address for NAT, but also a different ICA port:

ALTADDR /set 192.168.1.1:80

This would allow you to use Program Neighborhood and published applications over port 80 (you'd still need udp/1604 for these features though).

Anyway, hope this helps some.

Karl Sigler
Help Desk Manager
NBG, Atlanta
www.nbg.com
ksiglerat_private

-----Original Message-----
From: Henry Sieff [mailto:hsieffat_private]
Sent: Sunday, February 13, 2000 2:10 PM
To: 'SF BA'; firewall-wizardsat_private
Subject: RE: Citrix ICA through port 80?

> -----Original Message-----
> From: SF BA [mailto:sfba121at_private]
> Sent: Thursday, February 10, 2000 7:25 PM
> To: firewall-wizardsat_private
> Subject: Citrix ICA through port 80?
>
> I know that some of you will consider this a bad thing ... that aside, I still need to figure out my options.
>
> We have a demo that runs on Windows Terminal Server and Citrix MetaFrame. Some of our potential customers have firewalls set up that block their users from going out on unknown ports (if they don't have Citrix installed already, then they'll block the ports that ICA uses).
>
> I was wondering ... is there a way to set things up so that people can connect to our terminal server without having to involve their IS departments? Tunneling over http on port 80, perhaps?

Here's the deal with ICA.

1. Client browses ICA master browser for app: UDP 1604
2. Client establishes connection with server on which app resides: TCP 1494 (by default)
3. Client requests communication back on randomly (sort of) chosen high port (TCP/UDP gt than 1023).

Now, you can change the port that #2 uses using the icaport command to whatever you want. (Note that even if your app is embedded in a web page, these ports still need to be open to the TS.)

The problem, for you and the customers' IS departments, is: they'll need to open up UDP 1604 and TCP 1494 (by default) outbound and tcp/udp gt than 1023 inbound to the users' hosts who will be accessing these apps. (Note that since the client actually initiates this connection as well, you may not have a problem if they allow any established, I think. I'd need to check that.) You will need to open UDP 1604 and TCP 1494 inbound to the server, plus udp/tcp gt than 1023 outbound from the servers to whoever.

Note that while you can change that TCP 1494 port to whatever, that one isn't a big deal because it's static. It's the actual data port which'll create problems.

What you can do is use a VPN, and make the customers a client within that, but you will need to discuss it with their IS department first.

BTW, if you contact me off-list, I can point you to some pretty useful Citrix resources.

--
Henry Sieff
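As an added example (not from either poster), the following Python model encodes the rule set Henry lays out and Karl's correction about the return high port: the UDP 1604 browser lookup is only needed for published apps / Program Neighborhood, the TCP port follows ICAPORT or port translation, and the high-port return traffic needs explicit rules only on a stateless filter. The host values and the `Rule` type are constructed for illustration.

```python
"""Constructed example modelling the ICA firewall requirements described above
(ports and the 'X.X.X.X:port' syntax come from the thread; hosts are placeholders)."""
from dataclasses import dataclass

ICA_BROWSER_UDP = 1604   # client -> Master ICA browser (published apps / Program Neighborhood)
ICA_DEFAULT_TCP = 1494   # client -> MetaFrame server; changeable with ICAPORT / port translation


@dataclass(frozen=True)
class Rule:
    side: str       # "client" or "server" firewall
    direction: str  # "out" or "in" relative to that side
    proto: str      # "tcp" or "udp"
    port: str       # a port number, or "gt1023" for the high-port range


def parse_ica_target(spec: str, default_port: int = ICA_DEFAULT_TCP) -> tuple[str, int]:
    """Parse the 'host:port' form used by ALTADDR /set and custom ICA connections.
    A bare host means the default ICA port."""
    host, sep, port = spec.rpartition(":")
    if not sep:
        return spec, default_port
    if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid ICA target: {spec!r}")
    return host, int(port)


def ica_rules(ica_port: int = ICA_DEFAULT_TCP, published_apps: bool = True,
              stateful: bool = True) -> set[Rule]:
    """Minimal openings needed on each side for one ICA session.

    published_apps: Program Neighborhood / published apps need the UDP 1604
    browser lookup; a custom connection to the server's IP or hostname does not.
    stateful: the return high-port traffic belongs to the existing session, so a
    stateful firewall tracks it and only a stateless filter needs explicit rules."""
    rules = {Rule("client", "out", "tcp", str(ica_port)),
             Rule("server", "in", "tcp", str(ica_port))}
    if published_apps:
        rules |= {Rule("client", "out", "udp", str(ICA_BROWSER_UDP)),
                  Rule("server", "in", "udp", str(ICA_BROWSER_UDP))}
    if not stateful:
        for proto in ("tcp", "udp"):
            rules |= {Rule("client", "in", proto, "gt1023"),
                      Rule("server", "out", proto, "gt1023")}
    return rules


if __name__ == "__main__":
    host, port = parse_ica_target("192.168.1.1:80")   # the ALTADDR example from the thread
    for rule in sorted(ica_rules(port, published_apps=False), key=str):
        print(rule)
```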
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:03:44 PDT