Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


February 2000

Published ICA Applications



Application proxies are extremely secure, but they require a special proxy rule for each application and protocol. Application proxies perform application-level analysis by examining each packet as it passes through the gateway. A person using FTP to connect to another computer illustrates the application-proxy process: the person connects to the proxy server with FTP, and the proxy server makes the connection to the outside world on the person's behalf. An application proxy server automates this process.

Proxy servers handle all communications, so they can log everything clients do. For example, an HTTP proxy can show you every URL that you've visited, and an FTP proxy can show you every file you download. These proxies can filter out inappropriate words, sites, and files from the sites you visit and scan for viruses. Application proxies can even authenticate users before permitting an outside connection. To a Web user, every site appears to require a logon. The administrator has complete control over how users use the outside connection. To pass a new protocol such as ICA through a proxy server, you must develop a workaround to get through the firewall.

A SOCKS proxy server is similar to a telephone switchboard. The server is the software equivalent of crossing wires to complete a connection through the system to another outside connection (i.e., to get past the firewall). Most SOCKS servers work with only TCP-type connections.

You can use the SOCKS service to let a new protocol pass through a proxy server. Many third-party solutions are available for permitting access to a Citrix ICA session through a proxy server (e.g., Aventail Connect 3.01, Hummingbird SOCKS, NEC SocksCap32). Educational Technology recently developed Surrogate Socket, a Microsoft Proxy Server plugin that lets the proxy server support ICA and RDP connections without enabling IP forwarding. Sun-Netscape Alliance's remote-access software lets a network authenticate users and grant defined access (i.e., based on predefined rules) to enterprise applications and data. Authorized users can access predefined applications through a Java-enabled Web browser.

On August 23, 1999, Citrix announced that it's strengthening the ICA protocol's security with support for SOCKS 5.0 and 4.0. If you install the latest MetaFrame release candidate for Windows 2000 (Win2K), when you set up a client session on the new client, the wizard will ask whether you'd like to use SOCKS to connect through a firewall.
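As an added illustration (not code from the article, from Citrix, or from any of the SOCKS products named above), the following Python sketches the SOCKS 4 CONNECT exchange from both sides: the client builds the request, and the proxy parses it, applies a rule, writes an audit line, and answers. This is how a SOCKS relay can authorize and log an ICA session the way the article describes for application proxies. The destination port 1494 is the ICA session port, which this page does not mention; the allow-list, the user ID, and the addresses are constructed for the example.

```python
import socket
import struct

# SOCKS 4 protocol constants (request: VN=4, CD=1 for CONNECT;
# reply: VN=0, CD=90 granted or 91 rejected).
SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 90
REPLY_REJECTED = 91

# Constructed proxy policy: only relay connections to the ICA session port.
# 1494 is the well-known Citrix ICA port; it is an assumption, not from the page.
ALLOWED_PORTS = {1494}


def build_connect_request(dst_ip: str, dst_port: int, userid: str) -> bytes:
    """Client side: VN, CD, DSTPORT (2 bytes), DSTIP (4 bytes), USERID, NUL."""
    return (struct.pack("!BBH", SOCKS_VERSION, CMD_CONNECT, dst_port)
            + socket.inet_aton(dst_ip)
            + userid.encode("ascii") + b"\x00")


def parse_connect_request(data: bytes):
    """Proxy side: decode a CONNECT request, rejecting anything malformed."""
    if len(data) < 9 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    dst_port = struct.unpack("!H", data[2:4])[0]
    dst_ip = socket.inet_ntoa(data[4:8])
    nul = data.index(b"\x00", 8)          # ValueError if the USERID is unterminated
    userid = data[8:nul].decode("ascii")
    return dst_ip, dst_port, userid


def proxy_decide(data: bytes, audit_log: list) -> bytes:
    """Proxy side: apply the port rule, record the decision, return the reply."""
    dst_ip, dst_port, userid = parse_connect_request(data)
    code = REPLY_GRANTED if dst_port in ALLOWED_PORTS else REPLY_REJECTED
    audit_log.append(f"user={userid} dst={dst_ip}:{dst_port} result={code}")
    # Reply echoes DSTPORT and DSTIP after the version and result bytes.
    return struct.pack("!BBH", 0, code, dst_port) + socket.inet_aton(dst_ip)


def reply_code(reply: bytes) -> int:
    """Client side: the CD byte of the proxy's reply."""
    return reply[1]


if __name__ == "__main__":
    log = []
    request = build_connect_request("192.168.1.2", 1494, "alice")
    print("granted" if reply_code(proxy_decide(request, log)) == REPLY_GRANTED else "rejected")
    print("\n".join(log))
```

The audit line is the point: because every session crosses the relay, the proxy sees the user, the destination, and the decision for each connection, which is what makes a SOCKS gateway auditable in the way the article describes.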

Editing the ICA File for NAT
You can use Network Address Translation (NAT) to minimize the security risk of opening a port on a firewall. NAT readdresses traffic so that outgoing traffic appears to originate from the firewall rather than the internal host. Unlike proxy gateways, NAT gateways operate within the routing layer and are faster than their proxy counterparts. The network can use external routable Internet addresses for the router and internal unroutable intranet addresses for inside the firewall. You can then use NAT to translate the external address to an internal address according to a port number. For example, as Figure 1, page 132, shows, an Internet client that attempts to use NAT to connect to a Web server behind the router connects to 207.92.5.3:80. Then, the system redirects the client to 192.168.1.2:80. This procedure prevents the outside world from seeing your network directly. (For more about NAT, see Zubair Ahmad, "Windows 2000's Network Address Translation," page 141.)

When an administrator uses the Published Application Manager to create an ICA file, the ICA file will have the private address set as the browser address for a firewall that uses NAT. In Figure 1, for example, the browser address is 192.168.1.3. This procedure works fine for internal connections, but for external connections, you must edit the ICA file so that the file points to the master browser's external IP address. In Listing 1, for example, the edited TcpBrowserAddress reflects the external port.

To use NAT to add a layer of security, the client must also request the master browser's external IP address. By adding the UseAlternateAddress setting (with a value of 1) to the ICA file's WFClient section (as Listing 1 shows), the master browser returns the correct browser address to the client. Without this setting, the client will successfully contact the server, but the server won't send back the correct address.

To register an alternative IP address to your internal servers through the master browser, you use the Altaddr command on the Citrix server. For example, to assign the alternative IP address of 207.92.5.3 to a server, log on to the Citrix server, go to a command prompt, and type

altaddr /set 207.92.5.3

Then, edit the ICA file to point to the external address and use the alternative IP address. Listing 1 shows the edited ICA file. In this method, you need to assign each intranet IP address for a Citrix server a valid external Internet IP address.
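The ICA file edits described above (pointing TcpBrowserAddress at the external address and adding UseAlternateAddress=1 to the WFClient section), as an added Python example that is not code from the article or from Citrix. The sample ICA text is constructed for the network in Figure 1, and placing TcpBrowserAddress in the [WFClient] section is an assumption; Listing 1 is not reproduced on this page.

```python
import configparser
import io

# Constructed sample of what the Published Application Manager writes for
# Figure 1's network: the browser address is the private 192.168.1.3.
# Section and key placement are assumptions for this example.
INTERNAL_ICA = """[WFClient]
Version=2
TcpBrowserAddress=192.168.1.3

[ApplicationServers]
Notepad=

[Notepad]
Address=Notepad
"""


def _parse(ica_text: str) -> configparser.ConfigParser:
    # ICA files are INI-style; keep key case and disable % interpolation so
    # values are passed through untouched.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str
    cfg.read_string(ica_text)
    return cfg


def rewrite_for_nat(ica_text: str, external_browser: str) -> str:
    """Return the ICA file rewritten for clients outside the NAT router:
    TcpBrowserAddress points at the master browser's external address and
    UseAlternateAddress=1 asks the browser for altaddr-registered addresses."""
    cfg = _parse(ica_text)
    if not cfg.has_section("WFClient"):
        raise ValueError("ICA file has no [WFClient] section")
    cfg["WFClient"]["TcpBrowserAddress"] = external_browser
    cfg["WFClient"]["UseAlternateAddress"] = "1"
    out = io.StringIO()
    # Write key=value without spaces, matching the layout of generated ICA files.
    cfg.write(out, space_around_delimiters=False)
    return out.getvalue()


def read_setting(ica_text: str, section: str, key: str):
    """Look up one setting, returning None when it is absent."""
    cfg = _parse(ica_text)
    return cfg[section].get(key) if cfg.has_section(section) else None


if __name__ == "__main__":
    # 207.92.5.3 is the external address the article uses with altaddr.
    print(rewrite_for_nat(INTERNAL_ICA, "207.92.5.3"))
```

Keep the internal copy of the ICA file for intranet users; only the copy handed to external clients gets the external browser address, and that copy is useless to an external client unless altaddr has been run on the server (otherwise the browser still answers with the private address).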

Some routers don't let you use multiple external addresses for the same port, or you might not have or want multiple external addresses. Assigning transparent static ports eliminates the need to have one external address for each internal address. Rather than assign your internal servers unique addresses, you assign them a port number with the same external IP address. You need to assign one server to port 1604 so that it becomes the agent for locating the master browser. You can assign the other servers to any available port, as Figure 2 shows.

To assign alternative port numbers, first log on to the Citrix server that you want to designate as the browser. Go to a command prompt, and use the ICAport and Altaddr commands. For example, as Figure 2 shows, the Citrix server at 192.168.1.2 finds the master browser. Type

icaport /port:1604
altaddr /set 207.92.5.3:1604

Then, log on to another Citrix server, and type, for example,

icaport /port:421
altaddr /set 207.92.5.3:421

This method lets you load-balance an application through a firewall without exposing your entire network. You expose only one external address, and all ICA connections use this address to connect to the server farm. To pick the server, the master browser uses the load-balancing parameters you set in the Load Balancing Administrator (Start menu, MetaFrame Tools), and the client receives the correct alternative address and port.
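The single-external-address scheme above, as an added Python example that is not code from the article or from Citrix: given the servers and the external port each should take, it checks the constraints the article states (exactly one server on port 1604 as the master-browser agent, a distinct port per server, private internal addresses) and generates the icaport and altaddr commands to type on each server together with the router's port-forwarding table. The forwarding table assumes the router maps each external port to the same port on the internal server, which is what the icaport setting implies; Figure 2 is not reproduced on this page.

```python
import ipaddress

# The ICA browser port named in the article; one server must own it.
BROWSER_PORT = 1604


def plan_port_mapping(external_ip: str, servers: dict) -> dict:
    """servers maps internal IP -> external port for that server.
    Returns the per-server commands, the router forward table, and warnings."""
    ipaddress.ip_address(external_ip)          # raises ValueError if malformed
    ports = list(servers.values())
    if ports.count(BROWSER_PORT) != 1:
        raise ValueError("exactly one server must take port 1604 (master-browser agent)")
    if len(set(ports)) != len(ports):
        raise ValueError("each server needs a distinct external port")
    for port in ports:
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} is out of range")

    warnings = []
    commands = {}
    forwards = []
    for internal_ip, port in servers.items():
        addr = ipaddress.ip_address(internal_ip)
        if not addr.is_private:
            # The article's design keeps routable addresses on the router only.
            warnings.append(f"{internal_ip} is not an unroutable intranet address")
        # Commands as the article gives them: set the server's ICA port, then
        # register the external address:port with the master browser.
        commands[internal_ip] = [
            f"icaport /port:{port}",
            f"altaddr /set {external_ip}:{port}",
        ]
        # Router rule (assumption): external port forwards to the same internal port.
        forwards.append((f"{external_ip}:{port}", f"{internal_ip}:{port}"))

    browser_agent = next(ip for ip, p in servers.items() if p == BROWSER_PORT)
    return {
        "browser_agent": browser_agent,
        "commands": commands,
        "forwards": forwards,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed farm matching the article's command examples.
    plan = plan_port_mapping("207.92.5.3", {"192.168.1.2": 1604, "192.168.1.3": 421})
    for ip, cmds in plan["commands"].items():
        print(ip, "->", "; ".join(cmds))
    for ext, internal in plan["forwards"]:
        print("forward", ext, "to", internal)
```

Only the ports in the forward table need to be opened on the firewall, one per Citrix server plus 1604 for the browser; every other port on the external address stays closed, which is the exposure reduction the article is after.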

Don't Help Intruders
Any access to an external client is an unwanted guest's potential entrance. You need to fully understand how thin-client/server products communicate with the world. If you're introducing your product into a public environment, you must limit your network exposure. History shows that a motivated intruder can break into any system—don't help the intruder by making the break-in easy. By understanding how the ICA protocol works with TCP/IP and setting up the strongest firewall possible, you can limit your network's vulnerability and continue to benefit from the advantages that Citrix adds to the Internet in a thin-client world.



Reader Comments
Excellent article! The best coverage of ICA through firewalls that I've seen, with a very helpful suggestion about different ports for the same external address. It didn't mention the problem that you get if you don't want to run UDP through the firewall at all, though. That would have been nice.

Chris Bye, May 24, 2000


Very good article indeed. Clearly explained and very useful as a reference. Good job.

Jack Raskis, May 30, 2000


 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement