
Citrix ICA VPN Client 1

Jan 15, 2001
Anyone got anything to share regarding running an external ICA (Citrix) client via VPN (internet) access through Axent firewall?
 
If you're running it through a VPN and you've established connectivity to your internal IP network, you should be able to access the Citrix box directly via its LAN ip address. Otherwise you can do a redirect for port 1494 at the firewall.
 
Hmm, it seems that there is some issue with allowing this connection through an ADSL modem/router. They do not use NAT but rather another form of routing (I think). Our ISP is telling us that we need a point-to-point circuit as they do not support this over ADSL.
 
Is the router at the client end IPsec compliant according to the RFCs? I know that both Linksys and Nexlan are. Check the specs. This may be the case especially if you see the tunnel connect and then there is no traffic that can pass. The device may not be able to pass IP type 50 and 51. A redirected service is probably the best way to do this, though.
 
Thanks for the tip, I will check out compliance. I also have the following info...does this sound right?

The following is a list of TCP/IP and UDP ports that must be open on firewalls and routers for ICA packets to pass through:

TCP/IP port 1494 (inbound)
UDP port 1604 (inbound and outbound)
Outbound (from the server to the client) ports 1023 and above (a maximum of 65535) for both TCP/IP & UDP

How to set up ICA Browsing with NAT (from the Citrix KB)

Configure the Citrix Server and Client for Address Translation: Returning External Addresses to ICA Clients

Use the Altaddr utility to configure the ICA browser server to return the external IP address to Citrix ICA Clients. The Altaddr utility sets an alternate address
for the ICA browser on that machine. The external address for the server is specified as the alternate address.
The Citrix ICA Client requests the alternate address when contacting servers inside the firewall. The alternate address must be specified for each server in a server farm.

To set an alternate address for a Citrix server
1. Determine the correct external IP address.
2. At a command prompt, type altaddr /set nnn.nnn.nnn.nnn, where nnn is the alternate IP address determined in Step 1.
3. Reboot.
4. Repeat on each server in a server farm.

To configure a WinFrame ICA Client to use an alternate address
1. Edit the Appsrv.ini file in the client directory.
2. Find the [TCP/IP] section.
3. Specify 1 for the UseAlternateAddress field. For example: UseAlternateAddress = 1
4. Save the file.
The Citrix ICA Client tells the server to send the alternate address specified with the Altaddr utility.

To configure a MetaFrame ICA Client to use an alternate address
1. Open Remote Application Manager
2. Click on the Options Pull Down Menu and select Settings
3. Select the Server Location tab
4. Under Network Protocol choose TCP/IP
5. Under Address List enter the IP address of the server
6. Check the box on the bottom for Use alternate address for firewall connection
 
Raptor Firewall 6.5.

Detest the RaptorMobile client and wondering if anyone has had any luck with using another, friendlier (MS VPN would be nice) client for connection through the VPN gateway.
 
Citrix uses ports 1494tcp and 1604udp. Therefore, protocols and gsps must be created for those ports. A rule, containing those gsps, must also be created to permit access from outside to the Citrix server on the protected network. Next, create two redirects for those services pointing to the IP address of the Citrix machine inside, not the web server.

Citrix file
The file mentioned previously, “link”.ica, must reside on the web server, and it is what is used to allow the web server and the citrix server to talk to each other. Below is an example of an ica file before it had been modified.

[WFClient]
Version=2
TcpBrowserAddress=63.82.157.6


[ApplicationServers]
Paris=

[Paris]
Address=Paris
InitialProgram=#Paris
DesiredHRES=640
DesiredVRES=480
DesiredColor=2
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0

UseAlternateAddress=1


The tcpbrowser address is the firewall’s outside address. This does not have to be the physical address; it can be a virtual one, but it must be the same address as indicated in the redirect for ports 1494tcp and 1604udp. This particular file, however, is not totally correct. In the middle part of the file, there is a line that reads: “Address=Paris”. Paris is the name of the Citrix server inside. When this file is activated on the web server (when the user tries to browse to the Citrix machine) the tcpbrowser and the address lines are read. The first one is fine because it is the address that the world knows this server by, but when the external client tries to resolve Paris it cannot. In a packet trace from our lab it was found that our client queried a root server to try to resolve paris.ts.raptor.com. Why it associated paris with the ts.raptor.com domain (the source address) is not something we found an answer to, but obviously the attempt failed. However, when the file was changed so that both of the lines had the 63.82.157.6 address in them, the connection went through as it was supposed to. The correct file is below:


[WFClient]
Version=2
TcpBrowserAddress=63.82.157.6


[ApplicationServers]
Paris=

[Paris]
Address=63.82.157.6
InitialProgram=#Paris
DesiredHRES=640
DesiredVRES=480
DesiredColor=2
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0

UseAlternateAddress=1
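As an added example (not code from this thread, from Citrix or from Raptor), the check below parses an ICA-style INI file and flags the two mistakes the posts above describe: a TcpBrowserAddress or server Address that is an internal hostname (or a private address) an Internet client cannot use, and a server section without UseAlternateAddress=1. The sample file contents, the function names and the fix routine are all constructed for this example; the fix simply rewrites the existing address keys to the firewall's external IP, as the corrected file above does.

```python
"""Sanity checks for the address fields in a Citrix .ica / Appsrv.ini file
that is to be reached through a firewall redirect.

Example code for this thread, not Citrix or Raptor code. The sample file
and the helper names are constructed for illustration."""

import configparser
import ipaddress

# Constructed sample: the "before" .ica file from the thread, trimmed.
ICA_BEFORE = """\
[WFClient]
Version=2
TcpBrowserAddress=63.82.157.6

[ApplicationServers]
Paris=

[Paris]
Address=Paris
InitialProgram=#Paris
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
UseAlternateAddress=1
"""


def parse_ica(text: str) -> configparser.ConfigParser:
    """Parse an ICA/Appsrv-style INI file, keeping key case as written."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # keep "TcpBrowserAddress" etc. exactly as spelled
    cp.read_string(text)
    return cp


def is_external_ip(value: str) -> bool:
    """True only for an IP literal that is globally routable.

    A bare hostname such as "Paris" or an RFC 1918 address fails, because
    an Internet client can neither resolve the name nor route to the LAN."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return addr.is_global


def check_ica(text: str) -> list:
    """Return a list of findings; an empty list means the file looks right."""
    cp = parse_ica(text)
    findings = []
    browser = cp.get("WFClient", "TcpBrowserAddress", fallback="")
    if not is_external_ip(browser):
        findings.append(f"[WFClient] TcpBrowserAddress={browser!r} is not an external IP literal")
    servers = list(cp["ApplicationServers"].keys()) if cp.has_section("ApplicationServers") else []
    if not servers:
        findings.append("no servers listed under [ApplicationServers]")
    for name in servers:
        if not cp.has_section(name):
            findings.append(f"[{name}] section missing for listed server")
            continue
        addr = cp.get(name, "Address", fallback="")
        if not is_external_ip(addr):
            findings.append(f"[{name}] Address={addr!r} is not usable from outside; "
                            "put the firewall's external IP here")
        if cp.get(name, "UseAlternateAddress", fallback="0") != "1":
            findings.append(f"[{name}] UseAlternateAddress is not 1; "
                            "the client would be handed the server's LAN address")
    return findings


def fix_ica(text: str, external_ip: str) -> str:
    """Rewrite TcpBrowserAddress and every Address key to the external IP
    and force UseAlternateAddress=1, preserving the rest of the file."""
    out = []
    for line in text.splitlines():
        key, sep, _ = line.partition("=")
        key = key.strip()
        if sep and key in ("TcpBrowserAddress", "Address"):
            line = f"{key}={external_ip}"
        elif sep and key == "UseAlternateAddress":
            line = "UseAlternateAddress=1"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in check_ica(ICA_BEFORE):
        print("before:", finding)
    fixed = fix_ica(ICA_BEFORE, "63.82.157.6")
    print("after :", check_ica(fixed) or "no findings")
```

Run against the "before" file it reports only the Address=Paris problem; after fix_ica has replaced the server address with the firewall's outside IP the check comes back clean, which is exactly the change that made the connection work in the post above.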
 