PIX and Citrix 1

[ndedham]

Need to poke a hole within my PIX for Citrix users. Any ideas on how to "easily" do this?

 

[yizhar]

HI.

You didn't give enough information in your question. Please be more detailed and specific.

You should know which ports and which IP addresses are involved.
Take a look here:

http://www.cisco.com/warp/public/707/28.html

If you're going to allow access from the Internet to your internal Citrix server(s), then you should carefully plan your security policy, and protect such traffic in several ways, using Citrix built in options, and at the firewall using access-list for specific incoming IP addresses, and/or VPN to protect the traffic, and/or additional authentication.


Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[PutaforCisco]

You'll need to create a static translation for each Citrix server and then open up 1494 tcp to each server. If connecting to Published Apps or server farms is needed, you'll need to open up 1604 udp for the Citrix Master Browser. You'll also need to use the altaddr command on the Citrix server to have the Master Browser reply with the NAT'd address to resolution requests from the outside instead of the internal address. On the Citrix client, you'll need to modify the client settings for Server Locations by adding the Nat'd address of the Citrix Master Browser and checking "Use Alternate Address".

If you only want to connect to a Citrix server via IP address or DNS hostname, then you only need to open up 1494 tcp on the firewall.

You will find instructions for the client and Citrix server settings at this support link:

http://support.citrix.com/kb/entry!default.jspa?categoryID=122&entryID=1850&fromSearchPage=true