Firewall Wizards mailing list archives

Re: Citrix ICA - Published apps


From: "Bruce B. Platt" <bbp () comport com>
Date: Thu, 15 Apr 1999 15:45:12 -0400

At a client's request, we created a TCP proxy for port 1494 and a UDP
proxy for port 1604 on an AltaVista NT FW 98 for their use in
accessing Citrix Winframe servers.

For those of you unfamiliar with the AltaVista FW: it's based on the old
DEC SEAL code and does its proxying through purpose-built application
proxies, except for odd-ball ones like the one under discussion.  In this
case there is a Generic Proxy capability which can
be used for things other than nntp, http, smtp, ftp, telnet, finger, etc.

We constructed two generic proxies for them, one for TCP and one for UDP.

We were able to browse via these to URLs like:

http://www.citrix.com/demoroom/default.asp

and downloaded and ran any of the demonstrations available there in both MS
IE and Netscape Navigator.

Here's the interesting part:

After examining the packets used in these sessions, the UDP traffic seemed
inconsequential, so we turned off the UDP proxying, to minimize the number
of holes in the FW.  I can't figure how to get the information from our
packet capture SW into a mail message, so I can't give a good
representation of the UDP traffic.

We still were able to download and run the demonstrations with no UDP
traffic through the FW.

We constructed a simple ACL file; the critical parts read as follows:

deny unknown inside red net * all-servers;
deny authenticated inside red net * all-servers;

allow unknown inside blue net dbviewstcp relay;
allow unknown inside blue net dbviewstcp red net;

Thus, only outbound connections are allowed.  That is, the response to a
connection initiated from the blue-net will pass through the proxy, but
unrequested connections from the red-net are disallowed.

Next, modifications need to be made to the screend.conf file.  Here are the
entries in a working screend.conf.  Note what's active
and what's been commented out, and so not in effect, on the FW (this one
Unix-based) where Citrix sessions are served:

from interface blue to interface red tcp port 1494 proxy;
#from interface red to interface blue tcp port 1494 proxy;
#
#
#from interface blue to interface red udp port 1604 proxy;
#from interface red to interface blue udp port 1604 proxy;


It would appear to me based on empirical evidence that UDP is not required
for accessing a winframe server application through one type of FW.

I can't speak to your questions of master browser server and alternate
address configuration since I know little about Citrix products.
(In other words, Huh?)

What I am able to tell you about the UDP traffic is that four UDP packets
were used in a session accessing the Citrix server via a PC over dial-up
networking.  We did this to inspect the traffic before doing the FW proxy
work.

1. client to server, length 38 octets, 
2. server to client, length 56 octets,
3. client to server, length 63 octets, and
4. server to client, length 70 octets

If anyone _really_ wants the information contained in each packet, I will
type it in by hand.

Regards



->
->Has anyone actually managed to make a Citrix Metaframe server - published
->application actually work through a firewall? If so, would you mind sharing
->a few details?
->
->We have been able to get access to the Metaframe server directly, but are
->having one hell of a time trying to get access to the published app.
->
->Alternatively, if anyone has any _good_ sources of info regarding the use of
->the UDP/1604 traffic by the ICA clients and/or servers, in conjunction with
->the master browser server, and/or "alternate address" configuration, that
->would be very much appreciated.
->
->
->Just not having any fun on this project...
->
->
->Ken Schultz
->kschultz () msa com
-> 
+--------------------------------------+
Bruce B. Platt, Ph.D.
Comport Consulting Corporation
78 Orchard Street, Ramsey, NJ 07446
Phone: 201-236-0505  Fax: 201-236-1335
bbp () comport com, bruce@ bruce.platt@
OR, bruce () bbplatt com
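The screend.conf fragment in the post is the interesting artifact: one
active line for outbound TCP/1494 and three commented-out lines (inbound
TCP/1494, UDP/1604 both ways).  The following is an added example, not the
AltaVista Firewall's own parser or a verbatim statement of screend's rule
semantics: it parses that fragment with the assumed rule grammar "from
interface A to interface B proto port N proxy;", treats "#" lines as
comments, and decides flows with an assumed first-match, default-drop
policy.  The assertions reproduce the behaviour described in the post: the
client-initiated TCP/1494 flow is proxied, while inbound TCP/1494 and the
UDP/1604 browser traffic are dropped.  The conf text is copied from the
post; the "with UDP" variant is constructed here for contrast.

```python
"""Evaluate screend.conf-style rules against candidate flows.

Added example; semantics (first match wins, no match -> drop) are an
assumption, not documentation of the AltaVista Firewall.
"""
import re
from dataclasses import dataclass

# The working screend.conf from the post (outbound TCP/1494 only).
SCREEND_CONF = """\
from interface blue to interface red tcp port 1494 proxy;
#from interface red to interface blue tcp port 1494 proxy;
#
#
#from interface blue to interface red udp port 1604 proxy;
#from interface red to interface blue udp port 1604 proxy;
"""

# Assumed rule grammar, taken from the shape of the lines above.
RULE_RE = re.compile(
    r"^from interface (\w+) to interface (\w+) (tcp|udp) port (\d+) proxy;$"
)


@dataclass(frozen=True)
class Rule:
    src_if: str
    dst_if: str
    proto: str
    port: int


def parse_conf(text: str) -> list[Rule]:
    """Return the active rules; blank and '#' lines are ignored.

    A line that is neither a comment nor a recognised rule raises, so a
    typo in the config fails loudly instead of silently opening nothing
    (or, worse, being mis-read as something broader).
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised rule: {raw!r}")
        src, dst, proto, port = m.groups()
        rules.append(Rule(src, dst, proto, int(port)))
    return rules


def decide(rules: list[Rule], src_if: str, dst_if: str, proto: str, dport: int) -> str:
    """First matching rule proxies the flow; anything else is dropped.

    Note this models only connection *initiation*: the proxy terminates
    the TCP session, so replies to a proxied outbound connection ride the
    proxy's own socket and never need an inbound rule.
    """
    for r in rules:
        if (r.src_if, r.dst_if, r.proto, r.port) == (src_if, dst_if, proto, dport):
            return "proxy"
    return "drop"


def enable_udp_browser(text: str) -> str:
    """Constructed variant: uncomment the UDP/1604 lines for comparison."""
    return "\n".join(
        line.lstrip("#") if "udp port 1604" in line else line
        for line in text.splitlines()
    ) + "\n"


def ica_session_decisions(conf: str) -> dict[str, str]:
    """Decide the four flows the post discusses for a given config."""
    rules = parse_conf(conf)
    return {
        "client->server tcp/1494": decide(rules, "blue", "red", "tcp", 1494),
        "server->client tcp/1494": decide(rules, "red", "blue", "tcp", 1494),
        "client->server udp/1604": decide(rules, "blue", "red", "udp", 1604),
        "server->client udp/1604": decide(rules, "red", "blue", "udp", 1604),
    }


if __name__ == "__main__":
    for name, conf in (("as posted", SCREEND_CONF),
                       ("with UDP browser", enable_udp_browser(SCREEND_CONF))):
        print(f"--- {name} ---")
        for flow, verdict in ica_session_decisions(conf).items():
            print(f"{flow:28s} {verdict}")
```

Run it as-is to see that the posted config proxies only the
client-initiated TCP/1494 flow; the constructed UDP-enabled variant shows
what the two commented lines would add, which is exactly the hole the post
says turned out to be unnecessary for the demo applications.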