ISA SERVER – Citrix Metaframe Access

Purpose:

This document will go over the steps necessary to publish a Citrix Metaframe server through the Microsoft ISA server, so that external ICA clients can connect and run ICA sessions on the Metaframe server behind the ISA server.
 

Steps required:

1. 
   
   Create an IP packet filter to allow ICA traffic through the ISA server.
   
   
2. 
   
   Create a new Protocol Definition to publish the Metaframe server.
   
   
3. 
   
   Publish the Citrix Metaframe server.
   
   
4. 
   
   Configure the Citrix Metaframe server to return external address to the ICA clients.
   
   
5. 
   
   Client Configuration
    

Notes: 

1. 
   
   This document assumes that you are using the standard Citrix ICA TCP port number of 1494.
   
   
2. 
   
   This document only covers making TCP ICA client sessions to the Metaframe server.  It does not cover setting up the Metaframe server to allow ICA browsing for published applications.  According to Citrix: “Allowing untrusted access to the ICA Browser service entails some security risk.  Configure the firewall to pass ICA browser data only if load balancing and server browsing across the firewall are essential.”
    

Details:

1.                  Create an IP packet filter to allow ICA traffic through the ISA server. The Citrix ICA client sends a packet to port 1494 on the Citrix server requesting a response to a randomly selected port above 1023.  The Citrix server then responds by sending packets to the ICA client with the destination port set to the port requested.  Create an IP Packet Filter, call it “Allow ICA TCP 1494”.  The filter type should be configured as follows:

For the local Computer tab, you should select “This ISA Server’s external IP Address”, and enter the appropriate address.  For the Remote Computer tab, select “All remote Computers”, unless you know the client addresses that will be accessing via this port.

2.                  Create a new Protocol Definition to publish the Metaframe server.  A new protocol definition will be needed during the publishing of the Citrix server.  Name the definition “Citrix ICA TCP”, and configure the parameters as follows.  You should not have to allow secondary connections as the ISA server should handles this for you. 

3.                  Publish the Citrix Metaframe server.  Use the server-publishing wizard to publish a server named “Metaframe.”  Set the internal as external IP addresses as appropriate, and select the “Citrix ICA TCP” protocol definition created in step 2, for your mapped server protocol.  Apply the rule to any request, unless (again) you have the ability to limit who has access to your server.

4.                  Configure the Citrix Metaframe Server.  On the Citrix server that you wish to access, you must set an alternate address for the ICA sessions.  First you must determine the correct ISA external address (it will be the one that you used in step 3), and then issue the following command from a command prompt on the Citrix server: altaddr /set nnn.nnn.nnn.nnn, where nnn.nnn.nnn.nnn is the alternate address of your ISA server.  This procedure must be repeated on each Citrix server, and the Citrix server must be restarted after the command is issued.

5.                  Client configuration. The Citrix ICA client must then be setup to connect to the server you just published.  For ICA browser access:  on the connection tab of the client configuration, you should set the server location to be the IP address of the external interface of the ISA server.  You must also click the Firewall button, and select the “Use alternate address for firewall connection”

That should do it (at least that is what I did ). 

NOTE:  Standard disclaimer applies.  I’m not responsible for ANYTHING!  I wish you luck, and will help if I can – but that’s it.  Backup your systems, etc. before attempting anything.  Verify security yourself – do not leave it for others!