------------------

That's a first! I have never seen it where the ICA client works on a SecureNAT client. Always had to install the FW client in order for it to work. I'd love to know how your setup is configured.

As far as the connectivity is concerned, how are you tring to connect: Server connection, published application, ICA web page, NFUSE??? Also, what version of the server are you connecting to?

Typically, in order to make a standard server connection, you need to open port 1494 outbound. If you are using a published app, then you need to allow the ICA browsing services through. There are two ways to do this depending on how the Citrix server is configured.

Give me some details, and we'll try and figure it out.

------------------
-=john=-
MCSE,MCP+I,CCNA,CCA

This is not a terminal we run. We have a private network here and are trying to access it with MS ISA in place however we have to disable Firewall Client to do so. So, there must be a protocol or port that we are either missing or do not have setup properly. 1494 and ICA browsing I do believe are enabled. I will double check. I am not familiar with MS ISA at all. It's more so like getting our feet wet with it. Let me know if you need more info and a detailed description of what info you need.

Thanks, :-)

The most common problem for this error is imporper gateway on the Citrix box. Change the default gateway on Citrix to point to the internal nic on your ISA box. If 2000, I recommend adding a persistent route.

Hope this helps....

Looks like your connecting to an ICA web page. Unfortunately, from looking at the ICA file on the Metaframe server, they are making you use UDP for ICA browsing. TO explain, for normal ICA connections, you use TCP port 1494 in order to connect to a Citrix Server. However, in order to connect to a published application (like through an ICA file), you need to use the Citrix ICA browser service. BAsically you contact the browser, and it will return a list of applications. There are two ways to setup the Citrix server. The first is to use the older, less secure UDP browsing. This requires you to open UDP port 1604 on your ISA server, as well as other higher ports (i'm not sure which ones because I have never used the UDP method - Check Citrix web site). The better way is to use the new ICA Browsing over TCP (TCPIP+HTTP). This is what my second article discusses.

It still doesnt' explain how the SecureNAT client connects, but the Firewall client does not. Are you sure that the SecureNAT client is not accessing the INternet via another path??? (thus bypasssing the ISA server totally?)

Try and give me some details of your ISa server, and i'll see if I can spot anything.

------------------
-=john=-
MCSE,MCP+I,CCNA,CCA

quote:

---

Originally posted by jgrabiec:
RIZ,

Looks like your connecting to an ICA web page. Unfortunately, from looking at the ICA file on the Metaframe server, they are making you use UDP for ICA browsing. TO explain, for normal ICA connections, you use TCP port 1494 in order to connect to a Citrix Server. However, in order to connect to a published application (like through an ICA file), you need to use the Citrix ICA browser service. BAsically you contact the browser, and it will return a list of applications. There are two ways to setup the Citrix server. The first is to use the older, less secure UDP browsing. This requires you to open UDP port 1604 on your ISA server, as well as other higher ports (i'm not sure which ones because I have never used the UDP method - Check Citrix web site). The better way is to use the new ICA Browsing over TCP (TCPIP+HTTP). This is what my second article discusses.

It still doesnt' explain how the SecureNAT client connects, but the Firewall client does not. Are you sure that the SecureNAT client is not accessing the INternet via another path??? (thus bypasssing the ISA server totally?)

Try and give me some details of your ISa server, and i'll see if I can spot anything.

---

I appreciate your help.

>>>Ok I understand the UDP part however, the >>>ICA file is returning with an IP Address >>>thus leaving me to believe we shouldn't >>>be needing to use ICA Browsing. If the >>>ICA file showed a server name then I >>>could understand why UDP would play a >>>roll here.

Unfortunately that's not the case. In order to access any published application, any application set, or any web based ICA file, you need to be able to contact the Master ICA Browser for the "Citrix Network" This machine will return al list of available published applications.

So... you will need to allow the UDP Browse traffic through your ISA server (or get them to change to using TCPIP+HTTP for Browsing.

Later, when I have a little more time, I will show how to connect with the standard client to test the browsing as I am describing.

------------------
-=john=-
MCSE,MCP+I,CCNA,CCA