Firewall Wizards mailing list archives

RE: Citrix ICA through port 80?


From: "Sigler, Karl" <KSigler () nbg com>
Date: Tue, 15 Feb 2000 15:13:53 -0500

Henry has provided some excellent info, but if I could add a
couple of things.

Even though the connection back to the client is on a random high port, it's
not a separate session, so any firewall worth its salt should be able to
track and allow a connection back. For instance, with Checkpoint FW-1 

The ICAPORT command will change the ICA port number from 1494 on the server,
but on the client side you will have to create custom ICA connections and
use only the IP address or host name of the Citrix server. This means no
published applications or Program Neighborhood features (unless you use
ALTADDR; see below). The entry would read something like:

192.168.1.1:80
citrix.mydomain.com:80

assuming you set the port to 80 and, of course, only the Microsoft clients
can use this (DOS, Windows 3.1, and Win32).

There are other ways around this too. If your firewall can do port
translation you can translate port 80 traffic coming to your MetaFrame to
port 1494. Your clients would still point to port 80 using the
"X.X.X.X:port" syntax but your Citrix server remains untouched. You can also
use the ALTADDR command to allow the Master ICA browser to hand the client
not only an alternate address for NAT, but also a different ICA port
[ALTADDR /set 192.168.1.1:80]. This would allow you to use Program
Neighborhood and published applications over port 80 (you'd still need
UDP/1604 for these features though).

Anyway hope this helps some,

Karl Sigler
Help Desk Manager
NBG, Atlanta
www.nbg.com
ksigler () nbg com
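The port translation Karl suggests above, as an added example that is not part of the original thread: it generates the rules for a Linux netfilter firewall sitting in front of the MetaFrame server, rewriting inbound TCP/80 to the ICA port so the server itself stays on 1494, and relying on connection tracking for the return traffic instead of a blanket "greater than 1023" rule. iptables is assumed here as a stand-in for whatever firewall does the translation (the thread names Checkpoint FW-1); 192.0.2.10 is a constructed placeholder address. The functions print the commands rather than running them, so the rule set can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original thread): ICA port translation rules for
# a netfilter firewall forwarding to a MetaFrame server. Assumptions: iptables
# with the conntrack match is available; 192.0.2.10 is a placeholder address.

# NAT rule: rewrite TCP traffic arriving on the external port to the ICA port.
# $1 = server address, $2 = external port (default 80), $3 = ICA port (default 1494)
ica_dnat_rule() {
    server="$1"; ext="${2:-80}"; ica="${3:-1494}"
    echo "iptables -t nat -A PREROUTING -p tcp -d $server --dport $ext -j DNAT --to-destination $server:$ica"
}

# Filter rules: admit the translated session, then let connection tracking
# pass its return traffic, so no open range of high ports is needed.
# $1 = server address, $2 = ICA port (default 1494)
ica_filter_rules() {
    server="$1"; ica="${2:-1494}"
    echo "iptables -A FORWARD -p tcp -d $server --dport $ica -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -s $server -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Complete rule set, one command per line: NAT first, then the two filter rules.
# $1 = server address, $2 = external port, $3 = ICA port
ica_rules() {
    ica_dnat_rule "$1" "$2" "$3"
    ica_filter_rules "$1" "$3"
}

# Usage:  sh ica_pat.sh 192.0.2.10 80 1494          (print the rules)
#         sh ica_pat.sh 192.0.2.10 80 1494 | sh     (apply them as root)
if [ "$#" -gt 0 ]; then
    ica_rules "$1" "${2:-80}" "${3:-1494}"
fi
```

Published applications and Program Neighborhood still need UDP/1604 to the Master ICA browser, as both messages note; that is a separate rule and is deliberately not generated here. Translating the port only hides the ICA service behind 80 from the customer's outbound filter; it does not make the traffic HTTP, so an HTTP-inspecting proxy on the customer side will still reject it.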

-----Original Message-----
From: Henry Sieff [mailto:hsieff () orthodon com]
Sent: Sunday, February 13, 2000 2:10 PM
To: 'SF BA'; firewall-wizards () nfr net
Subject: RE: Citrix ICA through port 80?


-----Original Message-----
From: SF BA [mailto:sfba121 () yahoo com]
Sent: Thursday, February 10, 2000 7:25 PM
To: firewall-wizards () nfr net
Subject: Citrix ICA through port 80?

I know that some of you will consider this a bad thing
... that aside, I still need to figure out my options.

We have a demo that runs on Windows Terminal Server
and Citrix MetaFrame.  Some of our potential customers
have firewalls setup that block their users from going
out on unknown ports (if they don't have Citrix
installed already, then they'll block the ports that
ICA uses).

I was wondering ... is there a way to set things up so
that people can connect to our terminal server without
having to involve their IS departments?  Tunneling
over http on port 80, perhaps?

Here's the deal with ICA.
1. Client browses ICA master browser for app: UDP 1604
2. Client establishes connection with server on which app resides: TCP 1494 (by default)
3. Client requests communication back on randomly (sort of) chosen high port (TCP/UDP greater than 1023).

Now, you can change the port that #2 uses using the icaport command to
whatever you want. (Note that even if your app is embedded in a web page,
these ports still need to be open to the TS.)

The problem, for you and the customer's IS department, is:
They'll need to open up UDP 1604 and TCP 1494 (by default) outbound and
TCP/UDP greater than 1023 inbound to the users' hosts who will be accessing these
apps. (Note that since the client actually initiates this connection as
well, you may not have a problem if they allow any established, I think. I'd
need to check that.)

You will need to open UDP 1604 and TCP 1494 inbound to the server, plus
UDP/TCP greater than 1023 outbound from the servers to whoever.

Note that while you can change that TCP 1494 port to whatever, that one
isn't a big deal because it's static. It's the actual data port which will
create problems.

What you can do is use a VPN, and make the customers a client within that,
but you will need to discuss it with their IS department first.

BTW, if you contact me off-list, I can point you to some pretty useful
Citrix resources.

--
Henry Sieff
