RE: Citrix ICA through port 80?

[Bill Stout <Bill.Stout () aristasoft com>]

Nope.  Tell them to dial up from home.

You could publish an html page which has a hyperlink to an ICA file, but
then you fire up port 1494/tcp within or outside the browser anyway.  You
could get restrict all access to port 1494 and use the Secure ICA product
for 40/56/128bit RC5 encryption.  See:
http://www.citrix.com/products/sica/sicawp/start.htm
Also see "Using Firewalls With WinFrame": 
http://www.citrix.com/support/solution/sol00053.htm

Some time ago Citrix bought a company which displays the Windows App GUI
through a Java interpreter, so hope springs eternal.

SCO Taranella could be used to front-end the WTS box to preserve session
state, but it then uses ports 3144/tcp and 5307/tcp (SSL).

Make sure your 'demo' system is isolated and can't talk to anything else,
since once a WTS/Citrix system is on the Internet, it's only a matter of
time until someone 'owns' it.

None of this solves the problem of punching a hole through the remote
firewall.

Bill Stout


> -----Original Message-----
> From: SF BA [mailto:sfba121 () yahoo com]
> Sent: Thursday, February 10, 2000 5:25 PM
> To: firewall-wizards () nfr net
> Subject: Citrix ICA through port 80?
>
>
> I know that some of you will consider this a bad thing
> ... that aside, I still need to figure out my options.
>
> We have a demo that runs on Windows Terminal Server
> and Citrix MetaFrame.  Some of our potential customers
> have firewalls setup that block their users from going
> out on unknown ports (if they don't have Citrix
> installed already, then they'll block the ports that
> ICA uses).
>
> I was wondering ... is there a way to set things up so
> that people can connect to our terminal server without
> having to involve their IS departments?  Tunneling
> over http on port 80, perhaps?
>
> Thanks!
>
>
> __________________________________________________
> Do You Yahoo!?
> Talk to your friends online with Yahoo! Messenger.
> http://im.yahoo.com