Firewall Wizards mailing list archives
Re: Citrix ICA - Published apps
From: "Bruce B. Platt" <bbp () comport com>
Date: Thu, 15 Apr 1999 15:45:12 -0400
At a client's request, we created a TCP proxy for port 1494 and a UDP proxy for port 1604 on an AltaVista NT FW 98 for their use in accessing Citrix Winframe servers.

For those of you unfamiliar with the AltaVista FW (it's based on the old DEC SEAL code), it does its proxying through purpose-built application proxies, except for odd-ball ones like the one under discussion. In this case there is a Generic Proxy capability which can be used for things other than nntp, http, smtp, ftp, telnet, finger, etc. We constructed two generic proxies for them, one for TCP and one for UDP.

We were able to browse via these to URLs like http://www.citrix.com/demoroom/default.asp and downloaded and ran any of the demonstrations available there in both MS IE and Netscape Navigator.

Here's the interesting part: after examining the packets used in these sessions, the UDP traffic seemed inconsequential, so we turned off the UDP proxying, to minimize the number of holes in the FW. I can't figure how to get the information from our packet capture SW into a mail message, so I can't give a good representation of the UDP traffic. We still were able to download and run the demonstrations with no UDP traffic through the FW.

We constructed a simple ACL file; the critical parts read as follows:

    deny unknown inside red net * all-servers;
    deny authenticated inside red net * all-servers;
    allow unknown inside blue net dbviewstcp relay;
    allow unknown inside blue net dbviewstcp red net;

Thus, only outbound connections are allowed. That is, the response to a connection initiated from the blue-net will pass through the proxy, but unrequested connections from the red-net are disallowed.

Next, modifications need to be made to the screend.conf file. Here are the entries in a working screend.conf. Note what's active and what's been commented out, and not in effect on the FW (this one Unix based) where Citrix sessions are served:

    from interface blue to interface red tcp port 1494 proxy;
    #from interface red to interface blue tcp port 1494 proxy;
    #
    #
    #from interface blue to interface red udp port 1604 proxy;
    #from interface red to interface blue udp port 1604 proxy;

It would appear to me, based on empirical evidence, that UDP is not required for accessing a Winframe server application through one type of FW.

I can't speak to your questions of master browser server and alternate address configuration since I know little about Citrix products. (In other words, Huh?)

What I am able to tell you about the UDP traffic is that four UDP packets were used in a session accessing the Citrix server via a PC over dial-up networking. We did this to inspect the traffic before doing the FW proxy work.

1. client to server, length 38 octets,
2. server to client, length 56 octets,
3. client to server, length 63 octets, and
4. server to client, length 70 octets

If anyone _really_ wants the information contained in each packet, I will type it in by hand.

Regards

->
->Has anyone actually managed to make a Citrix Metaframe server - published
->application actually work through a firewall? If so, would you mind sharing
->a few details?
->
->We have been able to get access to the Metaframe server directly, but are
->having one hell of a time trying to get access to the published app.
->
->Alternatively, if anyone has any _good_ sources of info regarding the use of
->the UDP/1604 traffic by the ICA clients and/or servers, in conjunction with
->the master browser server, and/or "alternate address" configuration, that
->would be very much appreciated.
->
->
->Just not having any fun on this project...
->
->
->Ken Schultz
->kschultz () msa com
->

+--------------------------------------+
Bruce B. Platt, Ph.D.
Comport Consulting Corporation
78 Orchard Street, Ramsey, NJ 07446
Phone: 201-236-0505 Fax: 201-236-1335
bbp () comport com, bruce@ bruce.platt@ OR, bruce () bbplatt com
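Added example, not from the original post and not AltaVista's own screend parser: a small Python checker that reads a screend.conf fragment in the style quoted in the message, treats '#' lines as commented out, and reports how the four ICA flows (TCP 1494 and UDP 1604, each direction) are handled. The rule grammar, first-match evaluation and drop-by-default for unmatched flows are assumptions made for illustration.

```python
import re

# Constructed screend.conf fragment, modelled on the lines quoted in the message above.
SCREEND_CONF = """\
from interface blue to interface red tcp port 1494 proxy;
#from interface red to interface blue tcp port 1494 proxy;
#
#
#from interface blue to interface red udp port 1604 proxy;
#from interface red to interface blue udp port 1604 proxy;
"""

# Assumed rule grammar, inferred from the quoted lines only (not the real screend syntax).
RULE_RE = re.compile(
    r"from interface (?P<src>\w+) to interface (?P<dst>\w+) "
    r"(?P<proto>tcp|udp) port (?P<port>\d+) (?P<action>\w+);"
)

def parse_rules(text):
    """Return active rules as (src, dst, proto, port, action); '#' lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented out, so not in effect on the firewall
        m = RULE_RE.fullmatch(line)
        if m is None:
            raise ValueError(f"unparsed rule: {line!r}")
        rules.append((m["src"], m["dst"], m["proto"], int(m["port"]), m["action"]))
    return rules

def disposition(rules, src, dst, proto, port):
    """First matching rule wins; an unmatched flow is treated as dropped (assumption)."""
    for r_src, r_dst, r_proto, r_port, action in rules:
        if (r_src, r_dst, r_proto, r_port) == (src, dst, proto, port):
            return action
    return "drop"

def ica_flow_summary(text):
    """Disposition of the four ICA flows discussed in the thread."""
    rules = parse_rules(text)
    return {
        "tcp1494 blue->red": disposition(rules, "blue", "red", "tcp", 1494),
        "tcp1494 red->blue": disposition(rules, "red", "blue", "tcp", 1494),
        "udp1604 blue->red": disposition(rules, "blue", "red", "udp", 1604),
        "udp1604 red->blue": disposition(rules, "red", "blue", "udp", 1604),
    }
```

With the fragment as quoted, only the outbound TCP 1494 flow is proxied; every other ICA flow, including both UDP 1604 directions, falls through to drop, which matches the observation that the demos still ran with UDP proxying turned off.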
Current thread:
- Citrix ICA - Published apps Schultz, Ken (Apr 15)
- Re: Citrix ICA - Published apps Chris Brenton (Apr 15)
- Re: Citrix ICA - Published apps Mailing Lists (Apr 15)
- Re: Citrix ICA - Published apps Bruce B. Platt (Apr 15)
- <Possible follow-ups>
- Re: Citrix ICA - Published apps Mailing Lists (Apr 15)
- Re: Citrix ICA - Published apps Chris Brenton (Apr 15)
- Re: Citrix ICA - Published apps Jonathan Feldman (Apr 15)
- RE: Citrix ICA - Published apps Doug Sink (Apr 18)
- Re: Citrix ICA - Published apps Chris Brenton (Apr 18)
- Re: Citrix ICA - Published apps Chris Brenton (Apr 15)