• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

HTTPFilter causing problems with Citrix ICA traffic

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> HTTP Filtering >> HTTPFilter causing problems with Citrix ICA traffic Page: [1]
Login
Message << Older Topic   Newer Topic >>
HTTPFilter causing problems with Citrix ICA traffic - 4.Oct.2005 7:35:00 AM   
jamie_greaves

 

Posts: 1
Joined: 30.Sep.2005
From: UK
Status: offline
Some of our internal users need to get access out through our ISA box to an externally hosted citrix/nfuse site.

They can connect fine to the NFuse website (via a standard web access rule), but whenever they try to launch a citrix application from the site it fails. The standard port used by citrix ICA traffic is 1494 but, in their ultimate wisdom, the providers of this particular citrix service have decided to run their ICA traffic over port 80 instead (allegedly to make it easy for firewall admins!)

However, it seems that with HTTP filtering enabled (even with no methods/extensions/headers or signatures configured) it's intercepting the ICA traffic on port 80, assuming it's http traffic, which then somehow causes a problem with the ICA traffic and is preventing it from getting through correctly.

It's definitely the httpfilter, as when I disable it ICA traffic works fine.

I've tried creating a separate access rule using custom protocol definitions (for TCP port 80 outbound) that specifically picks up port 80 ICA traffic bound for the servers in question - in the hope that it will match that rule and not have the http filtering applied, but had no luck with that.

It would seem that if the http filter is enabled for any rule then all port 80 traffic gets passed through it, regardless of whether another specific access rule doesn't use it. I suppose that makes sense really, but it would appear to be malforming the non-http traffic on its way through.

Incidentally, you can telnet citrix servers on port 1494 and have the words ICA echoed back to you repeatedly. This works fine for connections through ISA to port 1494, but if i telnet to these specific citrix boxes that are configured to use port 80 instead I get back an ISA "http/1.1 400 Bad Request (The data is invalid.)" message ...which is what's leading me to believe the http filter is still intercepting the traffic.

Just wondered if:

a) anyone else had come across any similar issues with http filtering?

or

b) anyone has any suggestions about other things I can try, or let me know if I might be doing something wrong!

I've currently got http filtering disabled to allow the citrix stuff to work, but this isn't ideal as there's some things I'd like it to be filtering.

Thanks to anyone in advance!

Jamie
Post #: 1
RE: HTTPFilter causing problems with Citrix ICA traffic - 4.Nov.2005 4:16:00 PM   
Guest
I have the exact same problem - only its on ISA server 2000. Does ISA 2000 have HTTP filtering as in ISA 2004? I dont know if it helps me to disable the HTTP Redirector Filter.

I found this on Citrix.com, a document that discusses ICA client traffic and proxy usage. In the beginning it states:

quote:
A forward web proxy service cannot be used for ICA or ICA/SSL traffic because it is designed
specifically to handle HTTP requests.

I cant figure out if that means that it cannot be done, or that you have to specify another configuration for the ICA client. I am using ICA 7.1 and have tried as Secure NAT client and Web proxy / firewall client - same result. If i create a packet filter on the ISA, install the ICA client it works right away. Maybe you can make some more out of the document then i can.

(in reply to jamie_greaves)
  Post #: 2
RE: HTTPFilter causing problems with Citrix ICA traffic - 3.May2006 3:48:24 PM   
balbert99

 

Posts: 8
Joined: 3.May2006
Status: offline
I'm having similar problems. Have you found any solution?

We moved from ISA 2000 to ISA 2004 this past weekend.  I can get to the Citrix web page, but error out when trying to open a app.  When I look at the ISA logs, I can see entries for the ICA protocol on port 1494 attempting to go to the external address set in ISA. It "Initiating Connection" and an imetiate "Closed Connection".  At this point, we have the ISA access rule for Citrix set to any ICA protocol from any network is allowed to go to any network.

(in reply to Guest)
Post #: 3
RE: HTTPFilter causing problems with Citrix ICA traffic - 4.Jan.2007 3:56:36 AM   
mlythaby

 

Posts: 36
Joined: 27.Apr.2004
Status: offline
Hello

I have the same issue.  External ICA using port 80.
Again disabling the http filter solves the problem.

Help Anybody.

(in reply to balbert99)
Post #: 4
RE: HTTPFilter causing problems with Citrix ICA traffic - 4.Jan.2007 8:48:26 AM   
mlythaby

 

Posts: 36
Joined: 27.Apr.2004
Status: offline
I think I have resolved this.

The Connection settings in IE - LAN Settings need to have Automatically Detect Settings and Use Automatic Configuration Script ticked.
The proxy server also needs to be specified.

Then even though were using the Citrix Web Client Citrix Program Neighbourhood needs to be installed.  Go into Custom Settings and Custom Connection Settings - Firewalls and tick Use Web Brower Proxy Settings

I had increased the settings for hhe ISA HTTP filter, Maximum Headers Length, Maximum URL Length and Maximum Query Length but I have now returned them to their default values.

(in reply to mlythaby)
Post #: 5

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> HTTP Filtering >> HTTPFilter causing problems with Citrix ICA traffic Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts