Last revision: 06/11/2001
MCSE, MCP+I, CCNA, CCA
This document will go over the steps necessary to allow ICA browsing over TCP in order to access published applications, and application sets, residing on a Citrix Metaframe Server Farm through the Microsoft ISA server. This will only work on systems running Metaframe 1.8 with FR1/SP2 or later, as that is the version where Citrix added the additional functionality of TCP based ICA browsing. Prior to this release, you could only access a Metaframe Server Farm by utilizing UDP port 1604 and opening up all high ports on the server – which is clearly not recommended.
- Create an IP packet filter to allow ICA browse traffic through the ISA server.
- Create a new Protocol Definition to publish the Metaframe server.
- Publish ALL of the Citrix Metaframe servers.
- Configure the Citrix Metaframe servers.
- Configure the Clients.
In order to utilize ICA browsing over TCP, an additional port is needed by the Metaframe server. This port defaults to port 80, which will have to be changed on most ISA server installations. I use port 88 for my installs, but you are free to choose any available port for your install. Details of configuring the port on the Metaframe server will be discussed later, but this document will assume port 88 for ICA browse traffic.
- Create an IP packet filter to allow ICA browse traffic through the ISA server. For our setup, the Citrix ICA client will utilize port 88 on the Citrix server for ICA browse traffic. Create an IP Packet Filter; call it “Allow ICA Browse 88”. The filter type should be configured as follows:
For the local Computer tab, you should select “Default IP address(es) on the external interface(s)”, unless your farm consists of only a single server. For the Remote Computer tab, select “All remote Computers”, unless you know the client addresses that will be accessing via this port.
- Create a new Protocol Definition to publish the Metaframe server. A new protocol definition will be needed during the publishing of the Citrix server. Name the definition “Citrix ICA Browse”, and configure the parameters as follows. You should not have to allow secondary connections, as the ISA server should handle this for you.
- Publish ALL of the Citrix Metaframe servers. Each server that participates in the farm must be published to a different external IP address on the ISA server. These addresses should be bound to the same NIC (which is recommended for other reasons), but all must be valid Internet addresses. Also, I have found that each server in the farm must be published to allow standard ICA port 1494 traffic as well as TCP Browse traffic. Now, for each server in the farm, use the server-publishing wizard to publish a server named “Metaframe Browse SERVERNAME.” Set the internal and external IP addresses as appropriate, and select the “Citrix ICA Browse” protocol definition created in step 2 for your mapped server protocol. Again, you must publish each server in the farm, because you do not know which server will handle your application request. Apply the rule to any request, unless (again) you have the ability to limit who has access to your server.
- Configure the Citrix Metaframe Servers. Two steps must be performed on each Citrix server that you wish to access.
a. You must set an alternate address for the ICA sessions (if you have already set this address while configuring standard ICA port 1494 access, then this step may be skipped). First you must determine the correct ISA external address (it will be the one that you used in step 3), and then issue the following command from a command prompt on each Citrix server: altaddr /set nnn.nnn.nnn.nnn, where nnn.nnn.nnn.nnn is the alternate address for that particular server. Each Citrix server must be restarted after the command is issued (although with Windows 2000, I have not had to restart).
b. Reconfigure the Citrix XML port to allow TCP based ICA browsing. Again, we will change the port to port 88.
i. Stop the “Citrix XML Service”. If the machine is running Windows 2000, you must also close the services application.
ii. Execute the CTXXMLSS /U command to unload the service.
iii. Execute the CTXXMLSS /R88 command to set the port to 88.
iv. Restart the “Citrix XML Service”.
v. The server does NOT have to be restarted.
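As an added cross-check for steps 3 and 4 (example code written for this write-up, not part of the original document and not a Citrix or Microsoft tool), the script below models a publishing plan and flags the inconsistencies the text warns about: an external IP reused for two farm servers, a server missing its 1494 or browse-port rule, an altaddr that does not match the published external IP, and a leftover UDP 1604 browsing rule. Server names, addresses and the data structures are constructed assumptions; the script does not talk to ISA or the Citrix servers.

```python
"""Consistency check for a MetaFrame farm published through ISA.

Added example (not from the original document). It encodes the rules given
in steps 3 and 4 as a plan validator: every farm server is published on its
own external IP, every server has both a TCP 1494 rule and a rule for its XML
service port, the altaddr on each server equals the external IP it is
published on, and no rule brings back the UDP 1604 browsing scheme that the
introduction warns against. Server names and addresses are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICA_PORT = 1494           # standard ICA session port
BROWSE_PORT = 88          # XML service port chosen in this document (default 80)
LEGACY_BROWSE_UDP = 1604  # UDP ICA browsing; needs the high-port opening the text rejects


@dataclass
class PublishRule:
    """One ISA server-publishing rule (constructed model, not ISA's own object)."""
    name: str
    external_ip: str
    internal_ip: str
    protocol: str   # "tcp" or "udp"
    port: int


@dataclass
class FarmServer:
    """Per-server state set in step 4: altaddr /set and CTXXMLSS /R<port>."""
    name: str
    internal_ip: str
    altaddr: Optional[str]   # None if 'altaddr /set' was never run
    xml_port: int


def check_plan(servers: List[FarmServer], rules: List[PublishRule]) -> List[str]:
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems: List[str] = []

    # Step 3: an external IP on the ISA may belong to exactly one farm server.
    owner = {}
    reported = set()
    for r in rules:
        first = owner.setdefault(r.external_ip, r.internal_ip)
        if first != r.internal_ip and r.external_ip not in reported:
            reported.add(r.external_ip)
            problems.append(f"external {r.external_ip} shared by {first} and {r.internal_ip}")

    for s in servers:
        mine = [r for r in rules if r.internal_ip == s.internal_ip]
        tcp_ports = {r.port for r in mine if r.protocol == "tcp"}
        externals = {r.external_ip for r in mine}

        # Step 3: both ICA 1494 and the browse port must be published per server.
        if ICA_PORT not in tcp_ports:
            problems.append(f"{s.name}: no TCP {ICA_PORT} publishing rule")
        if s.xml_port not in tcp_ports:
            problems.append(f"{s.name}: XML service on TCP {s.xml_port} but no rule publishes it")
        if len(externals) > 1:
            problems.append(f"{s.name}: published on several external IPs {sorted(externals)}")

        # Step 4a: altaddr must be the external IP the server is published on.
        if s.altaddr is None:
            problems.append(f"{s.name}: altaddr not set")
        elif externals and s.altaddr not in externals:
            problems.append(f"{s.name}: altaddr {s.altaddr} is not its published external IP")

    # Introduction: no UDP 1604 browsing rule should survive the migration.
    for r in rules:
        if r.protocol == "udp" and r.port == LEGACY_BROWSE_UDP:
            problems.append(f"{r.name}: publishes UDP {LEGACY_BROWSE_UDP} (legacy ICA browsing)")
    return problems


def sample_plan(broken: bool = False) -> Tuple[List[FarmServer], List[PublishRule]]:
    """Constructed two-server farm. broken=True injects three common mistakes."""
    servers = [
        FarmServer("CTX1", "10.0.0.11", "192.0.2.11", BROWSE_PORT),
        FarmServer("CTX2", "10.0.0.12", "192.0.2.12", BROWSE_PORT),
    ]
    rules = [
        PublishRule("Metaframe CTX1", "192.0.2.11", "10.0.0.11", "tcp", ICA_PORT),
        PublishRule("Metaframe Browse CTX1", "192.0.2.11", "10.0.0.11", "tcp", BROWSE_PORT),
        PublishRule("Metaframe CTX2", "192.0.2.12", "10.0.0.12", "tcp", ICA_PORT),
        PublishRule("Metaframe Browse CTX2", "192.0.2.12", "10.0.0.12", "tcp", BROWSE_PORT),
    ]
    if broken:
        rules[3].external_ip = "192.0.2.11"   # CTX2 browse rule reuses CTX1's external IP
        servers[1].altaddr = None            # altaddr /set never run on CTX2
        rules.append(PublishRule("Old ICA Browser CTX2", "192.0.2.12", "10.0.0.12",
                                 "udp", LEGACY_BROWSE_UDP))
    return servers, rules


if __name__ == "__main__":
    for label, plan in (("good", sample_plan()), ("broken", sample_plan(broken=True))):
        print(label, check_plan(*plan) or ["ok"])
```

Filling in the real farm's servers and rules by hand before touching the ISA console catches the two mistakes that are hardest to see from the client side: a browse rule that silently lands on another server's external IP, and a server whose altaddr was never set so that its sessions are redirected to an internal address.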
- Client configuration. The Citrix ICA client must then be set up to connect to the server you just published. Before you begin to configure the client, make sure that you are using the latest client. The TCP ICA browsing functionality was added as of release 6, so that version is the minimum requirement. There are two ways to configure the client. The first is to access the complete application set (which allows for placing icons on desktops, and using Program Neighborhood functionality). The second is to set up a custom connection for a single application. Both are described below.
a. Custom ICA Connection. You can either configure the default settings for the client (by selecting the Settings button), or configure each connection individually. This will be determined by your needs. Either way, the configuration is similar. We will assume that each connection is configured separately.
i. Select “Add ICA connection.”
ii. For the type of connection, select “Wide Area Network.”
iii. Next, change the network protocol to “TCP/IP + HTTP”, and then click on “Server Location” (see below).
iv. The “Locate Server or Published Application” dialog box will appear.
- Uncheck the “Use Default” box.
- Change the Network Protocol to “TCP/IP + HTTP”
- Click “Add” to add a server location. You must enter the external address of the ISA here, using port 88. You should do this for each server in the farm.
- Next click the “Firewalls…” button, check “Use alternate address for firewall connection”, and then click OK.
- Your configuration should resemble below:
- Click OK to return to the main connection configuration window.
v. Select either Server or Application, and then select either the server name, or the published application.
vi. Now configure the remainder of the client settings.
b. Find New Application Set.
i. Select “Find New Application Set.”
ii. For the type of connection, select “Wide Area Network.”
iii. Next, you will be prompted for the application set to select. First you must click “Server Location” to configure the connection. Follow step iv (above) under “Custom ICA Connection” in order to configure your servers.
iv. Once the server locations are configured, you can choose your application set from the pull down list.
v. Configure the remainder of the application set.
That should do it (at least that is what I did).
NOTE: Standard disclaimer applies. I’m not responsible for ANYTHING! I wish you luck, and will help if I can – but that’s it. Backup your systems, etc. before attempting anything. Verify security yourself – do not leave it for others!