Jeffery, what you list are the proper ports if you are using the web
browser version of Citrix (either the ActiveX or Java version), what Steve
listed are the proper ports if you are using the full installed version
of Citrix.

I have a Raptor firewall and proxy 1604 UDP and 1494 TCP from the internet
to the internal Citrix server and it works with no problems (for security
I insist on the client doing 128 bit encryption and using the Defender
challenge-response tokens for authentication)

David Lang

 On Thu, 31 Aug 2000 [EMAIL PROTECTED] wrote:

> Date: Thu, 31 Aug 2000 09:08:24 -0500
> From: [EMAIL PROTECTED]
> To: Steve Smith <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: Re: Citrix and NAT
> 
> 
> Steve,
> 
> #Hey guys and girls I have a problem I need help on.
> 
> #Supposedly you need to open ports 1604 and 1494 for Citrix clients to
> #connect to you. Now, there seems to be some kind of problem with the
> #Citrix browser if you use any type of NAT. I am being told that you have
> #to have public IPs on each server's NIC because if you use any type of
> #proxy or NAT then the Citrix master browser won't work. Has anyone had
> #any experience with this. This seems to affect only published apps.
> #PLEASE PLEASE PLEASE help me clear this up.
> 
>      This is how Citrix MetaFrame works.  If you are using WinFrame then I
> think it works mostly the same way.  Let's say I want to access Apps that I
> am publishing on my MetaFrame server through a browser.
> 
> Setup:
> 
> client-----Firewall----webserver----MetaFrame browser---MetaFrame app server farm---data
> 
> My browser contacts the webserver where I perform authentication through
> Windows NT domain authentication or something more secure like SecurID.
> This is done using SSL on port 443.  The web server then contacts the
> MetaFrame master browser using XML and passes it the authentication.  The
> master browser passes a .ica back to the webserver using XML.  This .ica
> file contains the IP address of the MetaFrame server that the client is
> supposed to connect to.  The browser passes this file back to the client
> using SSL and the connection is closed.  The client now initiates a new
> connection on TCP port 1494 using the ICA protocol directly to the IP
> address specified in the .ica file.  You now see the list of apps that you
> are allowed to use.  The reason that you cannot do NAT is because NAT
> changes the IP address in the packet header.  It does not change the IP
> address in the .ica file.  If you are using 10 net IP addresses for your
> MetaFrame servers then the client on the Internet will try to connect to a
> 10 net address.
> 
>      Do the following to get MetaFrame to work.  Allow Internet clients to
> connect to the webserver on port 443 and allow Internet clients to connect
> to the MetaFrame servers on port 1494.
> 
> Regards,
> Jeffery Gieser
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
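An added example, not part of either message above: a check of the `.ica` file the web server hands to the client, flagging any application server address in RFC 1918 space, which NAT does not rewrite and an Internet client cannot reach on TCP 1494. The sample file, its application name and addresses are constructed, and the `[ApplicationServers]` / `Address=` layout is assumed to be the usual ICA file layout.

```python
import configparser
import ipaddress

# Constructed sample .ica file (application name and address are made up).
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Payroll=

[Payroll]
Address=10.1.2.3
InitialProgram=#Payroll
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
"""

# RFC 1918 private ranges; "10 net" in the thread is the first of these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_ica(text):
    """Return (app, host, problem) per published app; problem is None if OK."""
    ica = configparser.ConfigParser(interpolation=None, strict=False)
    ica.optionxform = str  # keep key and application names case-sensitive
    ica.read_string(text)
    findings = []
    if not ica.has_section("ApplicationServers"):
        return findings
    for app in ica["ApplicationServers"]:
        section = ica[app] if ica.has_section(app) else {}
        # Drop an optional ":port" suffix before parsing the host part.
        host = section.get("Address", "").strip().partition(":")[0]
        if not host:
            problem = "no Address entry for this application"
        else:
            try:
                ip = ipaddress.ip_address(host)
            except ValueError:
                problem = "host name: must resolve from the client's side"
            else:
                private = any(ip in net for net in RFC1918)
                problem = ("RFC 1918 address: not rewritten by NAT, "
                           "unreachable from the Internet") if private else None
        findings.append((app, host or None, problem))
    return findings
```
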