ICA Browsing Using TCP/IP+HTTP and XMLTCP Port 80
The main problem with using UDP 1604 across a firewall is security. Many firewall administrators balked at the concept of opening a UDP port through their firewall to an internal device. The connectionless nature of UDP makes it a less-secure choice than TCP. Because there is no "connection" established, it is easier for a potential hacker to spoof an IP address and attempt to hack into your Citrix MetaFrame servers. UDP is rarely used by large corporations for external access to important internal services from the Internet.
This problem of security and the need for a more flexible ICA browsing alternative led to Citrix's development of the XML service, on TCP port 80 by default, for ICA browsing. The XML service was first introduced in Feature Release 1 for MetaFrame 1.8 and is now included as part of the default feature set of MetaFrame XP, even without Feature Release 1 for MetaFrame XP.
On the client side, even though the ability to connect using TCP port 80 was available in earlier versions of the ICA client, you should use at least ICA client 6.20. ICA client 6.20 is the first client version that actually defaults to using TCP/IP+HTTP (also referred to as HTTP/HTTPS) to connect to your Citrix MetaFrame servers. This method of browsing is highly recommended over using UDP port 1604 for many reasons, including the following:
FlexibilityAs you will see later in this chapter, the default port of TCP 80 for the XML service can easily be changed. You also have the ability to change the port used during the installation of Feature Release 1 for 1.8 and during the installation of XP.
SecurityBrowsing is now handled by a TCP connection-oriented protocol rather than UDP.
Elimination of broadcastsIn MetaFrame 1.8 and WinFrame, by default when you browse for ICA services you use broadcasts, unless you manually specify server addresses in the Server Location list.
Future supportOver the past several years, Citrix has taken several steps to move away from using UDP for browsing. Using TCP for browsing is significantly more secure, and as you will see in the next section, Citrix MetaFrame now supports SSL encryption over TCP. Although using UDP port 1604 for browsing is still supported for backward compatibility, going forward you should always deploy your solutions using TCP browsing.