Providing Access to Citrix MetaFrame Through a Firewall

In this article, Ted Harwood teaches you how access to your Citrix MetaFrame server farm works at the network level. You will need this understanding if you want to set up access to your Citrix MetaFrame server farm through a firewall. This is a relatively advanced article for readers who are already familiar with the basic concepts of TCP/IP communication through a firewall.

Although Terminal Server just uses port 3389 for all communication, MetaFrame's more advanced feature set requires the use of multiple TCP/IP ports for it to work through a firewall. As an administrator, you need to thoroughly understand what these ports are, why they are necessary, and when they are used, so that you can set up the firewall security properly. In the following sections, you will learn the details of all the ports used by Citrix MetaFrame 1.8 and XP.

ICA Client Connections—TCP Port 1494

Note that the ICA protocol, which is the protocol used by Citrix MetaFrame, normally uses two TCP/IP ports for client-to-server communication. The first port is used for most standard ICA client-to-MetaFrame server communications, such as screen updates, printing, and mouse movements. This port is TCP port number 1494 and is referred to as the ICA traffic port in this article.

The second port is used by the ICA client to browse the network for ICA services, such as published applications, Citrix MetaFrame servers, and Citrix MetaFrame farms. This port is normally UDP port 1604 if you set up the client for TCP/IP communications, or TCP port 80 if you set it up for TCP/IP+HTTP communications. It will be referred to as the ICA browsing port in this article.

When a client wants to connect to a particular Citrix MetaFrame server, after it knows the server's IP address, it will address the server on port 1494. The server will respond to the client on 1494 and assign it a port number in the "high port" range (1023-65534) for further communication. Each client that attaches to a single server is assigned a different "high port" number after the initial connection establishment. In this way, the Citrix MetaFrame server can tell apart the clients it is conversing with: each client continues communication with the Citrix MetaFrame server using a different source "high port" number, while the destination port number remains 1494 throughout the conversation.

Depending on your firewall, you might have to manually open up this "high port" range to your Citrix MetaFrame server, in addition to the standard TCP 1494 connection port, for your ICA clients to be able to communicate with the Citrix MetaFrame server.
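The following is an added example, not code from the article or from Citrix. It models a default-deny stateless packet filter to show why a rule for TCP 1494 alone can leave ICA sessions broken on some firewalls, and how the return path can be opened without exposing every high port on the server. The rule model, the addresses (documentation ranges), and all names are assumptions made for illustration.

```python
from dataclasses import dataclass

HIGH_PORTS = range(1023, 65535)  # "high port" range as given in the article (1023-65534)
ICA_PORT = 1494                  # ICA traffic port
SERVER = "192.0.2.10"            # constructed MetaFrame server address

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    proto: str
    src: str        # "any" or an exact address
    sports: range
    dst: str        # "any" or an exact address
    dports: range

    def matches(self, p):
        return (p.proto == self.proto
                and self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and p.sport in self.sports and p.dport in self.dports)

def only(port):
    """Range containing a single port."""
    return range(port, port + 1)

def allowed(rules, p):
    """Default-deny: a packet passes only if some rule matches it."""
    return any(r.matches(p) for r in rules)

def session_works(rules, client, client_port):
    """An ICA session needs both directions of the conversation to pass."""
    request = Packet("tcp", client, client_port, SERVER, ICA_PORT)
    reply = Packet("tcp", SERVER, ICA_PORT, client, client_port)
    return allowed(rules, request) and allowed(rules, reply)

# Inbound rule only: a stateful firewall tracks the connection and lets the
# reply through by itself; a stateless filter drops it.
INBOUND_ONLY = [Rule("tcp", "any", HIGH_PORTS, SERVER, only(ICA_PORT))]
# Stateless filter: add the return path, pinned to source port 1494 on the
# server, so nothing else on the server is reachable via the high-port range.
WITH_RETURN = INBOUND_ONLY + [Rule("tcp", SERVER, only(ICA_PORT), "any", HIGH_PORTS)]
```

Calling `session_works(INBOUND_ONLY, "198.51.100.7", 40000)` returns `False`, while the same call with `WITH_RETURN` returns `True`.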
