• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Citrix Server thru ISA

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> Citrix Server thru ISA Page: [1]
Login
Message << Older Topic   Newer Topic >>
Citrix Server thru ISA - 17.Oct.2001 10:40:00 PM   
RIZ

 

Posts: 4
Joined: 17.Oct.2001
Status: offline
From a client Win98 machine I can connect to a citrix server via the internet without ISA Firewall client installed however, as soon as I install and enable Firewall client I get a message saying Citrix Server can not be reached.............etc. When I disable client it works. We have ICA enabled on the ISA Server along with HTTP... however, can not reach or connect to server. What might we be missing here?

------------------

Post #: 1
RE: Citrix Server thru ISA - 18.Oct.2001 3:26:00 PM   
jgrabiec

 

Posts: 191
Joined: 24.Jan.2001
From: Farmingdale,NY, USA
Status: offline
RIZ,

That's a first! I have never seen it where the ICA client works on a SecureNAT client. Always had to install the FW client in order for it to work. I'd love to know how your setup is configured.

As far as the connectivity is concerned, how are you tring to connect: Server connection, published application, ICA web page, NFUSE??? Also, what version of the server are you connecting to?

Typically, in order to make a standard server connection, you need to open port 1494 outbound. If you are using a published app, then you need to allow the ICA browsing services through. There are two ways to do this depending on how the Citrix server is configured.

Give me some details, and we'll try and figure it out.

------------------
-=john=-
MCSE,MCP+I,CCNA,CCA


(in reply to RIZ)
Post #: 2
RE: Citrix Server thru ISA - 18.Oct.2001 3:44:00 PM   
RIZ

 

Posts: 4
Joined: 17.Oct.2001
Status: offline
It is an NT 4.0 Terminal Server and if you'd like to see for yourself click on the Link http://aite.aig.com/ca-prod.html

This is not a terminal we run. We have a private network here and are trying to access it with MS ISA in place however we have to disable Firewall Client to do so. So, there must be a protocol or port that we are either missing or do not have setup properly. 1494 and ICA browsing I do believe are enabled. I will double check. I am not familiar with MS ISA at all. It's more so like getting our feet wet with it. Let me know if you need more info and a detailed description of what info you need.

Thanks, :-)


(in reply to RIZ)
Post #: 3
RE: Citrix Server thru ISA - 22.Oct.2001 1:37:00 AM   
pryingfingers

 

Posts: 1
Joined: 22.Oct.2001
From: Nevada
Status: offline
Hey dude...

The most common problem for this error is imporper gateway on the Citrix box. Change the default gateway on Citrix to point to the internal nic on your ISA box. If 2000, I recommend adding a persistent route.

Hope this helps....


(in reply to RIZ)
Post #: 4
RE: Citrix Server thru ISA - 23.Oct.2001 9:27:00 PM   
jgrabiec

 

Posts: 191
Joined: 24.Jan.2001
From: Farmingdale,NY, USA
Status: offline
RIZ,

Looks like your connecting to an ICA web page. Unfortunately, from looking at the ICA file on the Metaframe server, they are making you use UDP for ICA browsing. TO explain, for normal ICA connections, you use TCP port 1494 in order to connect to a Citrix Server. However, in order to connect to a published application (like through an ICA file), you need to use the Citrix ICA browser service. BAsically you contact the browser, and it will return a list of applications. There are two ways to setup the Citrix server. The first is to use the older, less secure UDP browsing. This requires you to open UDP port 1604 on your ISA server, as well as other higher ports (i'm not sure which ones because I have never used the UDP method - Check Citrix web site). The better way is to use the new ICA Browsing over TCP (TCPIP+HTTP). This is what my second article discusses.

It still doesnt' explain how the SecureNAT client connects, but the Firewall client does not. Are you sure that the SecureNAT client is not accessing the INternet via another path??? (thus bypasssing the ISA server totally?)

Try and give me some details of your ISa server, and i'll see if I can spot anything.

------------------
-=john=-
MCSE,MCP+I,CCNA,CCA


(in reply to RIZ)
Post #: 5
RE: Citrix Server thru ISA - 23.Oct.2001 10:22:00 PM   
RIZ

 

Posts: 4
Joined: 17.Oct.2001
Status: offline
quote:
Originally posted by jgrabiec:
RIZ,

Looks like your connecting to an ICA web page. Unfortunately, from looking at the ICA file on the Metaframe server, they are making you use UDP for ICA browsing. TO explain, for normal ICA connections, you use TCP port 1494 in order to connect to a Citrix Server. However, in order to connect to a published application (like through an ICA file), you need to use the Citrix ICA browser service. BAsically you contact the browser, and it will return a list of applications. There are two ways to setup the Citrix server. The first is to use the older, less secure UDP browsing. This requires you to open UDP port 1604 on your ISA server, as well as other higher ports (i'm not sure which ones because I have never used the UDP method - Check Citrix web site). The better way is to use the new ICA Browsing over TCP (TCPIP+HTTP). This is what my second article discusses.

It still doesnt' explain how the SecureNAT client connects, but the Firewall client does not. Are you sure that the SecureNAT client is not accessing the INternet via another path??? (thus bypasssing the ISA server totally?)

Try and give me some details of your ISa server, and i'll see if I can spot anything.




Ok I understand the UDP part however, the ICA file is returning with an IP Address thus leaving me to believe we shouldn't be needing to use ICA Browsing. If the ICA file showed a server name then I could understand why UDP would play a roll here. FYI: The ISA is for the most part setup with little know how for I'm getting my feet wet with it. If you could ask a specific question about what I should look for then I might be able to help you out with understanding how it is setup. I could perhaps get some screen shots but, i would need an email address to get them to you.

I appreciate your help.


(in reply to RIZ)
Post #: 6
RE: Citrix Server thru ISA - 30.Oct.2001 10:57:00 PM   
jgrabiec

 

Posts: 191
Joined: 24.Jan.2001
From: Farmingdale,NY, USA
Status: offline
Hey RIZ,

>>>Ok I understand the UDP part however, the >>>ICA file is returning with an IP Address >>>thus leaving me to believe we shouldn't >>>be needing to use ICA Browsing. If the >>>ICA file showed a server name then I >>>could understand why UDP would play a >>>roll here.

Unfortunately that's not the case. In order to access any published application, any application set, or any web based ICA file, you need to be able to contact the Master ICA Browser for the "Citrix Network" This machine will return al list of available published applications.

So... you will need to allow the UDP Browse traffic through your ISA server (or get them to change to using TCPIP+HTTP for Browsing.

Later, when I have a little more time, I will show how to connect with the standard client to test the browsing as I am describing.

------------------
-=john=-
MCSE,MCP+I,CCNA,CCA


(in reply to RIZ)
Post #: 7
RE: Citrix Server thru ISA - 31.Oct.2001 6:43:00 PM   
RIZ

 

Posts: 4
Joined: 17.Oct.2001
Status: offline
OK I appreciate the help.

(in reply to RIZ)
Post #: 8

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> Citrix Server thru ISA Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts