Some of our internal users need to get access out through our ISA box to an externally hosted Citrix/NFuse site.
They can connect fine to the NFuse website (via a standard web access rule), but whenever they try to launch a Citrix application from the site it fails. The standard port used by Citrix ICA traffic is 1494 but, in their ultimate wisdom, the providers of this particular Citrix service have decided to run their ICA traffic over port 80 instead (allegedly to make it easy for firewall admins!)
However, it seems that with HTTP filtering enabled (even with no methods/extensions/headers or signatures configured) it's intercepting the ICA traffic on port 80, assuming it's http traffic, which then somehow causes a problem with the ICA traffic and is preventing it from getting through correctly.
It's definitely the httpfilter, as when I disable it ICA traffic works fine.
I've tried creating a separate access rule using custom protocol definitions (for TCP port 80 outbound) that specifically picks up port 80 ICA traffic bound for the servers in question - in the hope that it will match that rule and not have the http filtering applied, but had no luck with that.
It would seem that if the http filter is enabled for any rule then all port 80 traffic gets passed through it, regardless of whether another specific access rule doesn't use it. I suppose that makes sense really, but it would appear to be malforming the non-http traffic on its way through.
Incidentally, you can telnet Citrix servers on port 1494 and have the words ICA echoed back to you repeatedly. This works fine for connections through ISA to port 1494, but if I telnet to these specific Citrix boxes that are configured to use port 80 instead I get back an ISA "http/1.1 400 Bad Request (The data is invalid.)" message ...which is what's leading me to believe the http filter is still intercepting the traffic.
Just wondered if:
a) anyone else had come across any similar issues with http filtering?
b) anyone has any suggestions about other things I can try, or let me know if I might be doing something wrong!
I've currently got http filtering disabled to allow the Citrix stuff to work, but this isn't ideal as there are some things I'd like it to be filtering.
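The telnet check described in the post above can be scripted so it is repeatable after each rule change. This is an added example, not part of the original thread: the function names, the 64-byte read size and the sample byte strings are assumptions made for illustration.

```python
import socket

def classify_banner(data: bytes) -> str:
    """Classify the first bytes a listener returns on the supposed ICA port."""
    head = data.lstrip()
    if not head:
        return "no-data"
    if head[:5].upper() == b"HTTP/":
        # An HTTP status line means an HTTP-aware device answered, not Citrix.
        parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(None, 2)
        return "http-answer:" + (parts[1] if len(parts) > 1 else "?")
    if data.count(b"ICA") >= 2:
        # The post describes the ICA listener repeating "ICA" to the client.
        return "ica"
    return "unknown"

def _read(sock: socket.socket, want: int) -> bytes:
    buf = b""
    try:
        while len(buf) < want:
            chunk = sock.recv(want - len(buf))
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        pass  # the peer went quiet; keep what arrived
    return buf

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect like telnet would and report what kind of answer comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            data = _read(sock, 64)
            if not data:
                # Assumption: a filter waits for the client to speak first,
                # so send the blank lines a telnet user would type.
                sock.sendall(b"\r\n\r\n")
                data = _read(sock, 64)
    except OSError as exc:
        return "connect-failed:" + type(exc).__name__
    return classify_banner(data)

# Constructed sample captures (not taken from the thread's servers).
SAMPLE_ICA = b"\x7f\x7fICA\x00" * 4
SAMPLE_ISA = b"HTTP/1.1 400 Bad Request (The data is invalid.)\r\n\r\n"
```

A result of `ica` from `probe()` means the connection reached the Citrix listener untouched, while `http-answer:400` matches the ISA response quoted in the post.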
quote: A forward web proxy service cannot be used for ICA or ICA/SSL traffic because it is designed specifically to handle HTTP requests.
I can't figure out if that means that it cannot be done, or that you have to specify another configuration for the ICA client. I am using ICA 7.1 and have tried as Secure NAT client and Web proxy / firewall client - same result. If I create a packet filter on the ISA and install the ICA client, it works right away. Maybe you can make more out of the document than I can.
I'm having similar problems. Have you found any solution?
We moved from ISA 2000 to ISA 2004 this past weekend. I can get to the Citrix web page, but error out when trying to open an app. When I look at the ISA logs, I can see entries for the ICA protocol on port 1494 attempting to go to the external address set in ISA. It shows "Initiating Connection" and an immediate "Closed Connection". At this point, we have the ISA access rule for Citrix set to any ICA protocol from any network is allowed to go to any network.
The Connection settings in IE - LAN Settings need to have Automatically Detect Settings and Use Automatic Configuration Script ticked. The proxy server also needs to be specified.
Then, even though we're using the Citrix Web Client, Citrix Program Neighbourhood needs to be installed. Go into Custom Settings and Custom Connection Settings - Firewalls and tick Use Web Browser Proxy Settings.
I had increased the settings for the ISA HTTP filter, Maximum Headers Length, Maximum URL Length and Maximum Query Length but I have now returned them to their default values.