restricting access to ica files

[sleb]

Is there any way to use ica files through a proxy? We have several applications on Winframe ported to the user using the wiframe plug-in or active x control. The problem is that we have several campuses with different domain names and ip adresses. How can we be able to make these ica files available on the net and yet restrict their use to specific domains?<br>
<br>
The fact that a savvy user can also modify the actual ICA file and copy it around is also an issue.<br>
<br>
Any tips?

 

[PK]

Do you currently have your Web Browsers configured to use a Proxy Server? Also it will depend on where these users are located (remote access, local network?) because you can setup the proxy to bypass local addresses if they are on the network and then use the proxy if they are remote or connecting through a Virtual Private Network. You can also restrict access to the web server through particular IP addresses if you like if you only want certain groups or campuses to access a certain application or server. What Web Server are you running? Also, you will have to open the Citrix port on your firewall if you want people to access it from the outside world. It does create a security hole but with careful consideration and authentication it can be done. As far as the file modification issue you need to lock down the directory, permissions, and attributes of your ICA file. Post your answers to these questions and give me a little more information about your environment and I will try and give you a hand.<br>
PK

 

[appwired1]

Have you been able to resolve your ICA security issue. If not, AppWired has a solution that will resolve your security issue. I would be happy to be of assistance to you.

Marc Inderhees
marc.inderhees@appwired.com

 

[Voyager1]

A lot of times the problem going through a firewall or proxy is the use of network address translation, or having the correct ports open. ICA requires TCP Port 1494 for the ICA transport, and UDP Port 1604 for ICA browsing (very important for published apps).

As far as network address translation (NAT) goes, you have to configure the MetaFrame server to recognize the external address. The following was cut and pasted from a Citrix support document:

Returning External Addresses to ICA Clients

Use the Altaddr utility to configure the ICA browser server to return the external IP address to Citrix ICA Clients. The Altaddr utility sets an alternate address for the ICA browser on that machine. The external address for the server is specified as the alternate address. The Citrix ICA Client requests the alternate address when contacting servers inside the firewall. The alternate address must be specified for each server in a server farm.

To set an alternate address for a Citrix server

1. Determine the correct external IP address.

2. At a command prompt, type altaddr /set nnn.nnn.nnn.nnn, where nnn is the alternate IP address determined in Step 1.

3. Reboot.

4. Repeat on each server in a server farm.

To configure a ICA Client to use an alternate address

1. Edit the Appsrv.ini file in the client directory.

2. Find the [TCP/IP] section.

3. Specify 1 for the UseAlternateAddress field. For example:

UseAlternateAddress = 1

4. Save the file.



Hope this all helps... - Bill

&quot;You can get anything you want out of life, if you'll just help enough other people get what they want&quot; - Zig Ziglar

 

[Voyager1]

One other thing - have you looked into NFuse? It's basically &quot;Program Neighborhood for the Web&quot; and it's a free product. Awesome - check it out!

http://www.citrix.com/products/nfuse/default.asp

- Bill

&quot;You can get anything you want out of life, if you'll just help enough other people get what they want&quot; - Zig Ziglar