
Providing Access to Citrix MetaFrame Through a Firewall

Ted Harwood
In this article, Ted Harwood teaches you how access to your Citrix MetaFrame server farm works at the network level. You will need this understanding if you want to set up access to your Citrix MetaFrame server farm through a firewall. This is a relatively advanced article for readers who are already familiar with the basic concepts of TCP/IP communication through a firewall.

Although Terminal Server just uses port 3389 for all communication, MetaFrame's more advanced feature set requires the use of multiple TCP/IP ports for it to work through a firewall. To set up the firewall security properly, you as an administrator need to thoroughly understand what these ports are, why they are necessary, and when they are used. In the following sections, you will learn the details of all the ports used by Citrix MetaFrame 1.8 and XP.

ICA Client Connections—TCP Port 1494

Note that the ICA protocol, which is the protocol used by Citrix MetaFrame, normally uses two TCP/IP ports for client-to-server communication. The first port is used for most standard ICA client-to-MetaFrame server communications, such as screen updates, printing, and mouse movements. This port is TCP port number 1494 and is referred to as the ICA traffic port in this article.

The second port is used by the ICA client to browse the network for ICA services, such as published applications, Citrix MetaFrame servers, and Citrix MetaFrame farms. This port is normally either UDP port 1604 or TCP port 80, depending on whether you set up the client for either TCP/IP or TCP/IP+HTTP communications respectively. It will be referred to as the ICA browsing port in this article.

When a client wants to connect to a particular Citrix MetaFrame server, after it knows the server's IP address, it will address the server on port 1494. The server will respond to the client on 1494 and assign it a port number in the "high port" range (1023-65534) for further communication. Each client that attaches to a single server is assigned a different "high port" number after the initial connection establishment. In this way, the Citrix MetaFrame server can tell apart the clients it is conversing with: each client continues communication with the Citrix MetaFrame server using a different source "high port" number, while the destination port number remains at 1494 throughout the conversation.

Depending on your firewall, you might have to manually open up this "high port" range to your Citrix MetaFrame server, in addition to the standard TCP 1494 connection port, for your ICA clients to be able to communicate with the Citrix MetaFrame server.
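The effect of the "high port" range on a firewall rule set can be checked with a small model. The following Python sketch is an added example, not code from the article or from Citrix: it assumes a stateless allow-list filter in front of the MetaFrame server, and the `Rule`/`Packet` shapes and the three sample rule sets are constructed for illustration. It compares opening only port 1494, opening the high-port range broadly, and opening it only for traffic sourced from 1494.

```python
from collections import namedtuple

# Assumptions for this sketch: a stateless allow-list filter in front of the
# MetaFrame server; the Rule/Packet shapes and sample rule sets are constructed.
HIGH = (1023, 65534)   # "high port" range as given in the article
ANY = (0, 65535)
ICA = (1494, 1494)     # ICA traffic port

Rule = namedtuple("Rule", "direction proto src dst")      # src/dst: inclusive port ranges
Packet = namedtuple("Packet", "direction proto sport dport")

def permitted(rules, pkt):
    """A packet passes only if some rule matches direction, protocol and both ports."""
    return any(r.direction == pkt.direction and r.proto == pkt.proto
               and r.src[0] <= pkt.sport <= r.src[1]
               and r.dst[0] <= pkt.dport <= r.dst[1] for r in rules)

def session_ok(rules, client_port):
    """Both halves of one ICA conversation: client high port <-> server 1494."""
    to_server = Packet("in", "tcp", client_port, 1494)
    to_client = Packet("out", "tcp", 1494, client_port)
    return permitted(rules, to_server) and permitted(rules, to_client)

def stray_inbound_allowed(rules, dport=8080):
    """True if the rules also admit inbound TCP to a non-ICA port on the server."""
    return permitted(rules, Packet("in", "tcp", 40000, dport))

# Only the connection port opened: replies to the client's high port are dropped.
ONLY_1494 = [Rule("in", "tcp", HIGH, ICA)]
# High-port range opened in both directions without tying it to 1494.
BROAD = ONLY_1494 + [Rule("in", "tcp", ANY, HIGH), Rule("out", "tcp", ANY, HIGH)]
# High-port range opened only for traffic sourced from 1494.
SCOPED = ONLY_1494 + [Rule("out", "tcp", ICA, HIGH)]

if __name__ == "__main__":
    for name, rules in (("ONLY_1494", ONLY_1494), ("BROAD", BROAD), ("SCOPED", SCOPED)):
        clients = all(session_ok(rules, p) for p in (1025, 3001, 49152))
        print(f"{name:10} ICA sessions work: {clients!s:5} "
              f"stray inbound allowed: {stray_inbound_allowed(rules)}")
```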
