Firewall Wizards mailing list archives

RE: Citrix ICA through port 80?


From: Henry Sieff <hsieff () orthodon com>
Date: Sun, 13 Feb 2000 13:10:07 -0600



-----Original Message-----
From: SF BA [mailto:sfba121 () yahoo com]
Sent: Thursday, February 10, 2000 7:25 PM
To: firewall-wizards () nfr net
Subject: Citrix ICA through port 80?


I know that some of you will consider this a bad thing
... that aside, I still need to figure out my options.

We have a demo that runs on Windows Terminal Server
and Citrix MetaFrame.  Some of our potential customers
have firewalls set up that block their users from going
out on unknown ports (if they don't have Citrix
installed already, then they'll block the ports that
ICA uses).

I was wondering ... is there a way to set things up so
that people can connect to our terminal server without
having to involve their IS departments?  Tunneling
over http on port 80, perhaps?

Here's the deal with ICA.
1. Client browses ICA master browser for app: UDP 1604
2. Client establishes connection with server on which app resides: TCP 1494 (by default)
3. Client requests communication back on randomly (sort of) chosen high port (TCP/UDP gt than 1023).

Now, you can change the port that #2 uses, using the icaport command, to
whatever you want. (Note that even if your app is embedded in a web page,
these ports still need to be open to the TS.)

The problem, for you and the customer's IS department, is:
They'll need to open up UDP 1604 and TCP 1494 (by default) outbound and
TCP/UDP gt than 1023 inbound to the users' hosts who will be accessing these
apps. (Note that since the client actually initiates this connection as
well, you may not have a problem if they allow any established, I think. I'd
need to check that.)

You will need to open UDP 1604 and TCP 1494 inbound to the server, plus
UDP/TCP gt than 1023 outbound from the servers to whoever.

Note that while you can change that TCP 1494 port to whatever, that one
isn't a big deal because it's static. It's the actual data port which'll
create problems.

What you can do is use a VPN, and make the customers a client within that,
but you will need to discuss it with their IS department first.

BTW, if you contact me off-list, I can point you to some pretty useful
citrix resources.

--
Henry Sieff
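An added example, not from the thread: a small Python model of the customer-side firewall in the two forms Henry contrasts, a static rule set with the "gt 1023 inbound" hole versus an "allow established" stateful filter, run over the ICA flows listed above. The hosts, source ports and packets are constructed, and the stateful behaviour is the assumption Henry says he would need to check.

```python
ICA_PORTS = {("udp", 1604), ("tcp", 1494)}  # the ICA ports named in the thread

CLIENT = "10.0.0.5"       # constructed: a user host behind the customer firewall
SERVER = "203.0.113.10"   # constructed: the demo Terminal Server

def pkt(proto, src, sport, dst, dport):
    """A packet as a plain tuple (constructed sample traffic, not a capture)."""
    return (proto, src, sport, dst, dport)

def stateless_allows(p, high_ports_open_inbound):
    """Static rule set: ICA ports outbound, plus the optional 'gt 1023 inbound' hole."""
    proto, src, sport, dst, dport = p
    if src == CLIENT and dst == SERVER and (proto, dport) in ICA_PORTS:
        return True
    if dst == CLIENT and dport > 1023:
        return high_ports_open_inbound  # the hole the thread says IS would have to open
    return False

class StatefulFilter:
    """Same outbound rules, but inbound is allowed only as a reply to a tracked flow."""
    def __init__(self):
        self.tracked = set()

    def allows(self, p):
        proto, src, sport, dst, dport = p
        if src == CLIENT and dst == SERVER and (proto, dport) in ICA_PORTS:
            self.tracked.add((proto, dst, dport, src, sport))  # remember the reverse 5-tuple
            return True
        return p in self.tracked  # inbound only if it answers a client-initiated flow

# The ICA session described above, in the order the thread lists it.
ICA_SESSION = [
    pkt("udp", CLIENT, 41000, SERVER, 1604),   # 1. browse the ICA master browser
    pkt("udp", SERVER, 1604, CLIENT, 41000),   #    browser reply to the client's high port
    pkt("tcp", CLIENT, 41001, SERVER, 1494),   # 2. connect to the server holding the app
    pkt("tcp", SERVER, 1494, CLIENT, 41001),   #    session data back to the client's high port
]
UNSOLICITED = pkt("tcp", SERVER, 5000, CLIENT, 40000)  # constructed: nobody asked for this

def evaluate(policy):
    """Run a policy over the session and the stray packet; return both verdicts."""
    return [policy(p) for p in ICA_SESSION], policy(UNSOLICITED)

if __name__ == "__main__":
    print("static, no hole:  ", evaluate(lambda p: stateless_allows(p, False)))
    print("static, gt 1023:  ", evaluate(lambda p: stateless_allows(p, True)))
    print("allow established:", evaluate(StatefulFilter().allows))
```

With the static rules the ICA replies only get through once the high-port hole is opened, and that same hole admits the unsolicited packet; the stateful filter passes the replies and still drops it.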


