Welcome to ISAserver.org

SecureNAT clients and external Citrix

SecureNAT clients and external Citrix - 27.Jul.2001 3:49:00 AM   
bpinson

 

Posts: 29
Joined: 24.Jul.2001
From: Home: Plano, TX -- Work: Rockwall, TX
Status: offline
I hope no one minds, but I am posting this here in an effort to see if anyone can give me some help on a problem I am having. It's actually going on in another thread, and John (jgrabiec) has been providing a lot of help, but I think we're both kinda at a stand still.

If anyone (Tom?) wouldn't mind popping over to http://www.isaserver.org/ubb/Forum3/HTML/000668.html and seeing if they could give me an idea/solution/tip on my problem I would greatly appreciate it.

Thanks!

------------------
-Billy

Post #: 1
RE: SecureNAT clients and external Citrix - 28.Jul.2001 1:43:00 AM   
jgrabiec

 

Posts: 191
Joined: 24.Jan.2001
From: Farmingdale, NY, USA
Status: offline
Tom,

just a quick recap: Billy needs to access a Citrix server via a web page set up by another party. We have verified that the server setup is correct. If he uses an external client, everything works fine. If he goes inside his ISA server this is what he gets:

1. Using Firewall client: Works perfectly.
2. Using SNAT: Doesn't work at all.

Of course, he needs SNAT access.

This looks like a client issue to me, but it's way out of my ISA league. We were hoping you could shed some light on the differences between the clients.

TIA,

------------------
-=john=-
MCSE,MCP+I,CCNA,CCA


(in reply to bpinson)
Post #: 2
RE: SecureNAT clients and external Citrix - 29.Jul.2001 7:44:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi John and Billy,

The primary difference between the SecureNAT and the Firewall client is that the SecureNAT client requires an Application Filter to support back channels for complex protocols. For example, for FTP clients using standard mode, the FTP server needs to establish a new inbound connection to the ISA Server. SecureNAT will barf on this if the FTP Access Application Filter is not enabled, but the Firewall client won't have problems.

Do you know what protocols are in use and in what directions?

Thanks!

Tom

------------------
http://www.isaserver.org/shinder/


(in reply to bpinson)
Post #: 3
RE: SecureNAT clients and external Citrix - 29.Jul.2001 8:29:00 PM   
bpinson

 

Posts: 29
Joined: 24.Jul.2001
From: Home: Plano, TX -- Work: Rockwall, TX
Status: offline
Hello Tom,

What you said about the application filter makes sense, now that you said it and I begin to understand how it works. Oh, and I will be visiting the bookstore today to pick up your book. If its helpfulness is anything like this board, and I totally expect it to be, then it will be money well spent. </suckingupoff>

Okay, I don't know if this helps, but here is a copy of a "solution" document AMS (program vendor) provided us. I was going to list exactly what I have done in ISA, but it looks like pcAnywhere has died on my ISA machine, so I can't get in. Damn. Oh, here is that document:

quote:
PROBLEM:
AFW ONLINE: Server Browser Error:... trying to Login to AfW Online

SUMMARY:
AFW ONLINE: Cannot connect to AfW Online server

AMS PRODUCT:
AfW Online

INFORMATION:
When the user clicks on Login to AfW Online, they receive the error:

"Server Browser Error: Either network is not functional or you must
configure address under server location."

The agency may have an internal firewall for their network that is blocking the
Citrix ICA Client packets.

CONFIGURATION:
Microsoft Internet Explorer v4.01 or higher is required.


PROCEDURE:
Per the Citrix document, "Ports Required to be Open for Connectivity
Through Firewalls and Routers", if an internal firewall (or proxy server)
exists, the following list of TCP/IP and UDP ports must be opened on the
firewall and routers for ICA packets to pass through:
* TCP/IP port 1494 (inbound)
* UDP port 1604 (inbound and outbound)
* Outbound (from the server to the client) ports 1023 and above (a maximum
of 65535) for both TCP/IP & UDP.

WARNING: AMS does not recommend setting up direct access to the AfW Online IP
address since it is subject to change without notification.


ADDITIONAL INFORMATION:
The above information was published on the Citrix website. For additional
information, refer to the Citrix website at www.citrix.com. Navigate to the
Support site and search the Knowledge base using the word "firewall".

WORKAROUNDS:
None. As long as the Citrix ICA client is being used, these ports are required
to be opened.


As usual...thanks for any help!

------------------
-Billy


(in reply to bpinson)
Post #: 4
RE: SecureNAT clients and external Citrix - 31.Jul.2001 10:32:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Billy,

From those protocol definitions, it sounds like you might need to create the primary inbound TCP connection and use the dynamic range for a secondary connection.

Otherwise, you might need to create an all-open protocol rule to support this application.

HTH,
Tom

------------------
http://www.isaserver.org/shinder/


(in reply to bpinson)
Post #: 5
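The distinction Tom draws in his two replies (secondary connections work for the Firewall client but, for a SecureNAT client, only through an application filter) and his suggested primary-plus-dynamic-range protocol definition, modelled as an added Python example. This is not code from the thread or from ISA Server; the `Conn`/`ProtocolDef` classes, the `evaluate` logic and the sample session are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed model of an ISA Server 2000 protocol definition (primary connection plus
# secondary connections). Illustration only, not ISA's own code or data structures.
@dataclass(frozen=True)
class Conn:
    proto: str              # "TCP" or "UDP"
    ports: Tuple[int, int]  # inclusive port range
    direction: str          # "Outbound" = client to server, "Inbound" = server to client

@dataclass
class ProtocolDef:
    name: str
    primary: Conn
    secondary: List[Conn] = field(default_factory=list)

def _match(c: Conn, proto: str, port: int, direction: str) -> bool:
    return c.proto == proto and c.ports[0] <= port <= c.ports[1] and c.direction == direction

def evaluate(pdef: ProtocolDef, flows, client: str, app_filter: bool = False):
    """Decide each (proto, port, direction) flow in order; client is "firewall" or "securenat".
    A secondary connection passes only after the primary was seen and only when the firewall
    can learn of it: the Firewall client reports it, a SecureNAT client needs an application filter."""
    primary_seen, results = False, []
    for proto, port, direction in flows:
        flow = (proto, port, direction)
        if _match(pdef.primary, proto, port, direction):
            primary_seen = True
            results.append((flow, "allow (primary)"))
        elif any(_match(s, proto, port, direction) for s in pdef.secondary):
            ok = primary_seen and (client == "firewall" or app_filter)
            results.append((flow, "allow (secondary)" if ok else "deny (secondary not tracked)"))
        else:
            results.append((flow, "deny (no match)"))
    return results

# Built from the ICA port list quoted in the thread: TCP 1494 outbound as the primary,
# the server-to-client dynamic range 1023-65535 (TCP and UDP) as secondary connections.
ICA = ProtocolDef("AFW Online", Conn("TCP", (1494, 1494), "Outbound"),
                  [Conn("TCP", (1023, 65535), "Inbound"), Conn("UDP", (1023, 65535), "Inbound")])
SESSION = [("TCP", 1494, "Outbound"), ("TCP", 2049, "Inbound")]  # constructed: ICA, then server calls back

def decisions(client: str, app_filter: bool = False) -> List[str]:
    return [d for _, d in evaluate(ICA, SESSION, client, app_filter)]

if __name__ == "__main__":
    print("Firewall client:      ", decisions("firewall"))
    print("SecureNAT, no filter: ", decisions("securenat"))
    print("SecureNAT + app filter", decisions("securenat", app_filter=True))
```

The server-initiated connection on the dynamic port is the one that fails for the SecureNAT client without a filter, which is the behaviour the thread ends up working around by installing the Firewall client.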
RE: SecureNAT clients and external Citrix - 1.Aug.2001 11:13:00 PM   
bpinson

 

Posts: 29
Joined: 24.Jul.2001
From: Home: Plano, TX -- Work: Rockwall, TX
Status: offline
Thanks for the info!

Here's what I have done...and it may be overkill, but at this point I figured I could add too much and delete what I didn't need later.

I created the following protocol definitions:

code:

Name           Port        Type  Direction
==========================================
AFW Online     1494        TCP   Inbound
  Secondary connections {
    1023-65535  TCP  Inbound
    1023-65535  TCP  Outbound
    1023-65535  UDP  Send
    1023-65535  UDP  Receive
    1023-65535  UDP  Send-Receive
    1023-65535  UDP  Receive-Send
  }

AFW Online 2   1494        TCP   Outbound
  Secondary connections {
    1023-65535  TCP  Inbound
    1023-65535  TCP  Outbound
    1023-65535  UDP  Send
    1023-65535  UDP  Receive
    1023-65535  UDP  Send-Receive
    1023-65535  UDP  Receive-Send
  }

AFW Online 3   1604        UDP   Receive
  Secondary connections {
    1023-65535  TCP  Inbound
    1023-65535  TCP  Outbound
    1023-65535  UDP  Send
    1023-65535  UDP  Receive
    1023-65535  UDP  Send-Receive
    1023-65535  UDP  Receive-Send
  }

AFW Online 4   1604        UDP   Send
  Secondary connections {
    1023-65535  TCP  Inbound
    1023-65535  TCP  Outbound
    1023-65535  UDP  Send
    1023-65535  UDP  Receive
    1023-65535  UDP  Send-Receive
    1023-65535  UDP  Receive-Send
  }

AFW Online 5   1604        UDP   Send-Receive
  Secondary connections {
    1023-65535  TCP  Inbound
    1023-65535  TCP  Outbound
    1023-65535  UDP  Send
    1023-65535  UDP  Receive
    1023-65535  UDP  Send-Receive
    1023-65535  UDP  Receive-Send
  }

AFW Online 6   1604        UDP   Receive-Send
  Secondary connections {
    1023-65535  TCP  Inbound
    1023-65535  TCP  Outbound
    1023-65535  UDP  Send
    1023-65535  UDP  Receive
    1023-65535  UDP  Send-Receive
    1023-65535  UDP  Receive-Send
  }


I then created a Protocol Rule:

code:
Name:     AFW Online
Scope:    Array
Action:   Allow
Protocol: AFW Online 1, AFW Online 2, AFW Online 3, AFW Online 4, AFW Online 5, AFW Online 6
Applies:  Client Set: Billy   // this is my computer; I did it this way
                              // in an attempt to not jack up the rest
                              // of the network
Schedule: Always


Now...it still doesn't work. I am going to attempt to try to open all ports.

Fun fun fun!

------------------
-Billy

[This message has been edited by bpinson (edited 01 August 2001).]


(in reply to bpinson)
Post #: 6
RE: SecureNAT clients and external Citrix - 3.Aug.2001 7:28:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Billy,

Looking at this again, I think this one is going to nail you:

* Outbound (from the server to the client) ports 1023 and above (a maximum
of 65535) for both TCP/IP & UDP.

Talk about a lousy protocol from a security point of view

Did the "all open" using the Firewall client help?

But then again, it looks like John solved this problem. Install the firewall client, and upgrade the clients that don't support it yet

Tom

------------------
http://www.isaserver.org/shinder/


(in reply to bpinson)
Post #: 7
RE: SecureNAT clients and external Citrix - 3.Aug.2001 7:38:00 AM   
bpinson

 

Posts: 29
Joined: 24.Jul.2001
From: Home: Plano, TX -- Work: Rockwall, TX
Status: offline
Hey Tom.

I didn't get a chance to try the "all open" yet. We just lost our internet access. Long story short, Covad cut us off, SWBell is taking forever on the T1. Anyway, I have the office (30 People!) back on an ISDN line using a NAT router bypassing the ISA server.

Now, why does a NAT-only router work without any other configuration changes? You would think that I could configure the ISA server to act more like this NAT router. Granted, this NAT router is less secure than the ISA server would be, but would this not be possible?

If this makes no sense then I apologize. I have been going crazy over the past few days trying to get everything fixed, and then when I do, another problem comes up.

------------------
-Billy


(in reply to bpinson)
Post #: 8
RE: SecureNAT clients and external Citrix - 3.Aug.2001 7:43:00 AM   
bpinson

 

Posts: 29
Joined: 24.Jul.2001
From: Home: Plano, TX -- Work: Rockwall, TX
Status: offline
quote:
Originally posted by tshinder:
Hi Billy,

Looking at this again, I think this one is going to nail you:

* Outbound (from the server to the client) ports 1023 and above (a maximum
of 65535) for both TCP/IP & UDP.


I may be reading their directions wrong, but is this not referring to the server running the Citrix software? Such as the server (that AMS runs) must be able to get out on ports 1023-65535. I didn't read it as saying I would need all these ports open.

quote:

Talk about a lousy protocol from a security point of view

I agree.

quote:

But then again, it looks like John solved this problem. Install the firewall client, and upgrade the clients that don't support it yet

I would love to do this, but then I lose all the work I already put into controlling people's activity via the Protocol Rules and Definitions. (I think) Plus, this really seems to undo the ease of use that I have loved ISA server for.

Ugh...one long bad day.

I think I'll go read the new book I just bought...something about Configuring ISA Server 2000, I hear it's not bad.
------------------
-Billy

[This message has been edited by bpinson (edited 03 August 2001).]


(in reply to bpinson)
Post #: 9
RE: SecureNAT clients and external Citrix - 4.Aug.2001 5:00:00 PM   
jgrabiec

 

Posts: 191
Joined: 24.Jan.2001
From: Farmingdale, NY, USA
Status: offline
Hey guys:

Tom, you wrote:

"Talk about a lousy protocol from a security point of view"

That's why Citrix added the additional ability of having another TCP port for the ICA browsing, instead of UDP (and opening all those ports).

Unfortunately, Billy doesn't have control over the server side - so I think he's going to be stuck using the firewall client.


------------------
-=john=-
MCSE,MCP+I,CCNA,CCA


(in reply to bpinson)
Post #: 10
RE: SecureNAT clients and external Citrix - 5.Aug.2001 8:54:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Billy and John,

Billy, sometimes you just can't make the impossible happen. But you can show them that you have the requisite number of new gray hairs to prove that you've made a gallant effort. You are in the SWB territory? We just got a new T1 line in their territory via august.net for only $395/month. Talk about SWEET

John, thanks for all the info about Citrix. This is why you are our point man for the Citrix content in the 2nd edition

Thanks!

Tom

------------------
http://www.isaserver.org/shinder/


(in reply to bpinson)
Post #: 11
RE: SecureNAT clients and external Citrix - 6.Aug.2001 6:14:00 AM   
bpinson

 

Posts: 29
Joined: 24.Jul.2001
From: Home: Plano, TX -- Work: Rockwall, TX
Status: offline
I would like to thank all of you for your time and help.

I guess me and the firewall client will become good friends.

Thanks again!

------------------
-Billy


(in reply to bpinson)
Post #: 12
RE: SecureNAT clients and external Citrix - 28.Aug.2001 11:17:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Billy,

How's the relationship with the Firewall client been?

Tom

------------------
http://www.isaserver.org/shinder/


(in reply to bpinson)
Post #: 13
RE: SecureNAT clients and external Citrix - 29.Aug.2001 4:55:00 PM   
bpinson

 

Posts: 29
Joined: 24.Jul.2001
From: Home: Plano, TX -- Work: Rockwall, TX
Status: offline
So far so good.

Once I realized that all my rules I had setup are still followed by the firewall client, and did not have to be changed, I was much happier.

Once the FWC was installed the Citrix connections work perfectly.

Thanks for all your help.

------------------
-Billy


(in reply to bpinson)
Post #: 14
RE: SecureNAT clients and external Citrix - 29.Aug.2001 6:47:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Billy,

That's two big fat thumbs up!

Great to hear that things are working!

Tom

------------------
http://www.isaserver.org/shinder/


(in reply to bpinson)
Post #: 15
