Welcome to ISAserver.org

Citrix client behind ISA

Citrix client behind ISA - 7.Mar.2002 9:24:00 PM   
vancek

 

Posts: 5
Joined: 7.Mar.2002
Status: offline
Hello All:

I'm having trouble getting SecureNAT to allow a client on the inside to establish a connection to a Citrix server on the outside. I've allowed UDP 1604 inbound and outbound. I've also allowed TCP 1494 inbound and outbound. When I sniff the inside connection, I see the outgoing UDP requests but I don't see the corresponding incoming replies.

The firewall client works...but I would REALLY prefer not to have to load that everywhere.

TIA!
Vance
Post #: 1
RE: Citrix client behind ISA - 7.Mar.2002 9:40:00 PM   
tshinder

 

Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Vance,

Check the Learning Zone. There are a couple of articles there that might help.

HTH,
Tom

(in reply to vancek)
Post #: 2
RE: Citrix client behind ISA - 7.Mar.2002 10:40:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Vance,

for the ICA protocol itself you'll have to create a protocol definition (if it does not already exist) for TCP port 1494 Outbound.

To be able to browse the Metaframe server farm, you'll have to check with the Citrix administrator which version he is running. The protocol UDP 1604 is the *old* protocol and is *not* designed to work well over WAN and Firewalls. Try to use the XML service if possible. It's called HTTP+TCP. Again, you'll have to check with the Citrix administrator which port he has configured for the XML service. The default XML port is 80, but I believe a lot of people use port 88. If that's the case, create a protocol definition TCP port 88 Outbound for it.

Hope this helps,
Stefaan

(in reply to vancek)
Post #: 3
RE: Citrix client behind ISA - 8.Mar.2002 7:53:00 AM   
rhaslam

 

Posts: 15
Joined: 19.Sep.2001
Status: offline
quote:
Originally posted by vancek:
Hello All:

I'm having trouble getting SecureNAT to allow a client on the inside to establish a connection to a Citrix server on the outside. I've allowed UDP 1604 inbound and outbound. I've also allowed TCP 1494 inbound and outbound. When I sniff the inside connection, I see the outgoing UDP requests but I don't see the corresponding incoming replies.

The firewall client works...but I would REALLY prefer not to have to load that everywhere.

TIA!
Vance


(in reply to vancek)
Post #: 4
RE: Citrix client behind ISA - 8.Mar.2002 7:58:00 AM   
rhaslam

 

Posts: 15
Joined: 19.Sep.2001
Status: offline
I had the same problem getting my clients out to connect to a Citrix box. But what I did was create protocol definitions: UDP outbound port 10000 and UDP inbound port 500. Then I created a protocol rule that allowed access using the specified protocol definitions. Make sure you have the newest ICA client.

(in reply to vancek)
Post #: 5
RE: Citrix client behind ISA - 8.Mar.2002 8:11:00 AM   
vancek

 

Posts: 5
Joined: 7.Mar.2002
Status: offline
Tom and Stefan,

Thanks for the info...but I still can't figure it out.

All of the articles I've found in the learning zone relate to Citrix boxes Inside the ISA server and how to publish them. In my scenario, the clients are inside and the servers are outside. There is an ICA Protocol definition, but since I'm not publishing a server, I don't know what to do with it.

When I sniff an unfiltered communication between a client and the citrix boxes, they chat back and forth on UDP 1604, then on TCP 1494.

Once I get behind the ISA box, I see the UDP stuff go out repeatedly, but I never get any reply from the Citrix boxes.

Thanks again!
Vance

(in reply to vancek)
Post #: 6
RE: Citrix client behind ISA - 8.Mar.2002 8:15:00 AM   
vancek

 

Posts: 5
Joined: 7.Mar.2002
Status: offline
Rhaslam -

Thanks. I'll give it a try..but where did you get those ports from? I don't see either of those ports being used when I sniff the traffic...?

Thanks,
Vance

(in reply to vancek)
Post #: 7
RE: Citrix client behind ISA - 8.Mar.2002 3:59:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Vance,

Citrix needs two connections in order to work: the 'browsing' connection to determine which application is available on which server and the 'ICA' connection to do the actual work.

First you'll have to find out if the Citrix server farm you are trying to use supports the TCP/IP+HTTP browsing protocol. The browsing protocol on the client is defined in the ICA connection properties (Citrix Program Neighborhood) and you can find a screenshot in http://www.isaserver.org/pages/tutorials/ica_browse.htm. Don't forget that the Citrix Metaframe servers must also support it. I suggest you try this outside of ISA to make sure there are no open issues without ISA.

Second, if the protocol definitions of the two protocols Browsing and ICA don't already exist, create them. Next, create a protocol and site&content rule to allow access.

You can easily test the ICA protocol by doing a telnet servername 1494. The Citrix should respond with something like 'ICA...ICA...ICA'.

Hope this helps,
Stefaan

(in reply to vancek)
Post #: 8
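The telnet check described in post #8, written as a script that separates "port blocked" from "port open but not ICA". This is an added example, not part of the original thread; the function names, result labels and the local stand-in listener with its sample banner bytes are constructed for illustration.

```python
import socket
import threading

def probe_ica(host, port=1494, timeout=3.0):
    """Connect like 'telnet host 1494' and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            try:
                # Read until the 'ICA' marker shows up, the peer closes, or we time out.
                while b"ICA" not in data and len(data) < 256:
                    chunk = s.recv(64)
                    if not chunk:
                        break
                    data += chunk
            except socket.timeout:
                pass
            return "ica" if b"ICA" in data else "no-banner"
    except ConnectionRefusedError:
        return "refused"      # something answered with a reset: nothing listening
    except socket.timeout:
        return "timeout"      # SYN silently dropped: typical of a missing firewall rule
    except OSError:
        return "unreachable"

def start_fake_listener(banner):
    """Constructed stand-in for a server: sends `banner` once, then closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # Constructed sample banner modelled on the 'ICA...ICA...ICA' response in the post.
    port = start_fake_listener(b"\x7f\x7fICA\x00" * 3)
    print(probe_ica("127.0.0.1", port))
```

A "timeout" result from behind the firewall, with "ica" from an unfiltered network, points at the outbound rule rather than at the Citrix server.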
RE: Citrix client behind ISA - 8.Mar.2002 4:55:00 PM   
vancek

 

Posts: 5
Joined: 7.Mar.2002
Status: offline
Stefan,

Aaaaah, the Protocol Definition for UDP 1604 is what was missing. As soon as I added that, it started working like a champ!

Many Thanks!
Vance

(in reply to vancek)
Post #: 9
RE: Citrix client behind ISA - 8.Mar.2002 5:01:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Vance,

glad you got it working. But I still suggest switching to TCP/IP+HTTP as the browsing protocol instead of UDP 1604, if possible.

Thanks,
Stefaan

(in reply to vancek)
Post #: 10
RE: Citrix client behind ISA - 8.Mar.2002 5:05:00 PM   
vancek

 

Posts: 5
Joined: 7.Mar.2002
Status: offline
Hi Stefan -

I will pass that along, but since the Citrix farm is run by a national pharmacy, I doubt very seriously they'll listen to me. Especially since there's likely hundreds to thousands of clients that are connecting to that farm...that would potentially need to be reconfigured.

Thanks again,
Vance

(in reply to vancek)
Post #: 11
