Minimize the dangers

Many organizations are turning to Windows NT Server 4.0, Terminal Server Edition (WTS) and Citrix MetaFrame to deploy Windows-based applications to their user base. This server-based computing solution lets organizations offer full-featured applications to almost any client—and use very little bandwidth in the process. In fact, some companies prefer to let remote employees and customers access mission-critical applications over an existing Internet connection. Citrix ICA makes this capability possible. ICA is an industry standard for delivering corporate applications across a broad variety of desktop platforms and networks. ICA lets the server separate application logic from the user interface (UI) and send only the application's UI to the client. The application runs completely on the server. Applications you deploy with ICA consume as little as one-tenth of the network bandwidth they typically require—about 10KB to 20KB per user session.

In her Web-exclusive article "Deployment: Getting Applications to the Masses" ( articles/content/7131_01.html), Christa Anderson talks about using MetaFrame and the ICA protocol to deploy applications through a public network. She stresses the importance of carefully tuning published applications to preserve the terminal server's integrity and avoid error messages and unusable paths.

Making published applications available to the right people without poking holes in your network is also essential. To do this, you need to understand how to offer applications to thin-client NT users outside a network firewall, but you must also know how to preserve a high level of security. As a network engineer, I get nervous about opening any ports on a firewall. To maintain network security, you need to know how ICA works, how to deliver ICA sessions to the client through different types of firewalls, and how to configure your firewall and the ICA settings to minimize danger.

ICA, TCP/IP, and the ICA Browser
The Citrix ICA protocol is a proprietary networking protocol that runs over TCP/IP. Like FTP, ICA uses dynamic port allocation to let a client reach the server over the Internet. A client can start a session with ICA in two ways: Connect directly to the server and receive a full remote NT desktop or, if the administrator published the applications, browse the server for the application.

In a direct server connection, the initial synchronization between the client and the server occurs over TCP port 1494. However, the remainder of the session occurs over a dynamically allocated port. If you're browsing for a published application, initial synchronization occurs over UDP port 1604. The server returns the IP address of a server that contains a list of applications available through a dynamic port. Then, the client establishes a connection to the application through TCP port 1494, and the remainder of the communication uses a dynamic port.

These procedures can get tricky with firewalls in place to protect the network. Most firewalls don't understand ICA. Therefore, permitting the ICA protocol to pass through a firewall can be a configuration challenge. You can configure most—but not all—firewalls to pass the ICA protocol.

The Master Browser Without a Firewall
The server responsible for tracking available ICA functions (e.g., available Citrix servers, published applications, pooled licenses, performance and load information for Citrix servers) is called the master browser. The master browser functions similarly to the Microsoft Browser Service. Every Citrix server runs the ICA browser service and elects one Citrix server as the master browser. All other Citrix servers on the network are member browsers. Each physical network of Citrix servers has one master browser per protocol. A master browser election determines the master browser for each network. If the current master browser on a network goes down, a new master browser election occurs, thereby providing the ICA browser service high reliability. Each transport protocol (e.g., TCP/IP, IPX, NetBIOS) has a master browser.

To obtain the address of a server or published application, ICA clients must use the server's IP address or media access control (MAC) address to locate the master browser or directly connect to the server. The ICA client locates the master browser by sending out broadcast packets.

In a network without a firewall, to send a request for the ICA browser, the client broadcasts a packet to the network, with a destination address of UDP port 1604. The contacted server uses any port number greater than 1023 to return the master browser's IP address to the client. The TCP port-allocation algorithm indexes available ports between 1023 and 65534, and maintains a counter that shows the most recently allocated port. The counter incrementally changes after each allocation, and the server checks to ensure that no other connection is using this port. If another connection is using the port, the server checks the next available port. TCP/IP port allocation is a function of how many connections the server maintains. By default, the highest available user port is port 5000, but you can add the Registry subkey HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Control\ Citrix\MaxUserPort and set this value to a decimal number between 5000 and the TCP/IP maximum port number—port 65534.

If the communication is successful, the master browser returns a browse list to the client. To start an application, the client selects a server or published application from the browse list. Alternatively, the client can choose an ICA file, which is a preconfigured file that contains browser and application information that is specific to an application. The application connection initiates on TCP port 1494, and the server—using the same port-allocation method—responds with a high source TCP port number greater than 1023.

To create an ICA file, the user can use the Citrix ICA desktop editor, or the administrator can use the Published Application Manager tool. If you use the Published Application Manager to publish an application, you can right-click the application to access a wizard that helps you create an ICA file. Listing 1 shows an ICA file, where TcpBrowserAddress gives you the external IP address and Desktop is the name of the published application.

Firewall Configuration
Any open port is a door that an intruder might break down. A firewall attempts to protect those doors by regulating who can enter. When you add a firewall, you must configure the firewall to allow ICA browser packets on UDP port 1604 and TCP port 1494. To browse the Citrix network for servers and published applications, the client must be able to enter the server's network through port 1604 and back out through any port higher than 1023. However, you can connect directly to a server's full desktop by connecting to its TCP/IP address on port 1494—and you don't need to open port 1604.

ICA is a fairly new protocol, so using a firewall presents a unique challenge. You need to configure the firewall so that it allows a client session through the ICA ports. The configuration method you use must be specific to your firewall's architecture. The four major firewall architectures are: packet-filtering gateway, circuit-level gateway, stateful inspection, and proxy server.

Packet-filtering gateway. The packet-filtering gateway is the easiest architecture to configure, but it's the least secure. To configure an ICA packet-filtering gateway, simply insert a rule that lets a client send an inbound signal over TCP port 1494 and UDP port 1604 to the server and that passes a response from port number 1023 or greater. The method you use to set this rule depends on the firewall.

Circuit-level gateway. The circuit-level gateway adds more security because it operates at the session level and creates logical connections that NT maintains for only a certain period. When a client session creates the circuit, the firewall verifies that the session needs to create the session connection, then lets the client send all subsequent data without verification. You configure circuit-level gateways similarly to the way you configure packet-filtering gateways.

Stateful inspection. Stateful inspection expands packet filtering by adding state information to packet inspection, based on past communications and other applications. You can configure stateful-inspection firewalls—like packet-filtering gateways—so that new protocols can pass through the firewall over specific ports. In addition, by performing packet inspection as the packets move through the firewall, stateful inspection provides better security. Configuring the ICA protocol requires you to define the ICA protocol as a network service.

Proxy server. Typically, you use proxies to monitor outbound traffic. Some application proxies also cache requested data and log connection information, thereby reducing bandwidth requirements, decreasing access time to similar connection points, and providing evidence of transferred data. The two types of proxy servers are application proxies and SOCKS proxies.

Application proxies are extremely secure. You must have a special proxy rule for each application and protocol. Application proxies perform application-level analysis by examining each packet as it passes through the gateway. A person using FTP to connect to another computer illustrates the application-proxy process. The person uses FTP to connect to the proxy server and connects to the outside world through the proxy server. An application proxy server automates this process.

Proxy servers handle all communications, so they can log everything clients do. For example, an HTTP proxy can show you every URL that you've visited, and an FTP proxy can show you every file you download. These proxies can filter out inappropriate words, sites, and files from the sites you visit and scan for viruses. Application proxies can even authenticate users before permitting an outside connection. To a Web user, every site appears to require a logon. The administrator has complete control over how users use the outside connection. To pass a new protocol such as ICA through a proxy server, you must develop a workaround to get through the firewall.

A SOCKS proxy server is similar to a telephone switchboard. The server is the software equivalent of crossing wires to complete a connection through the system to another outside connection (i.e., to get past the firewall). Most SOCKS servers work with only TCP-type connections.

You can use the SOCKS service to let a new protocol pass through a proxy server. Many third-party solutions are available for permitting access to a Citrix ICA session through a proxy server (e.g., Aventail Connect 3.01, Hummingbird SOCKS, NEC SocksCap32). Educational Technology recently developed Surrogate Socket, a Microsoft Proxy Server plugin that lets the proxy server support ICA and RDP connections without enabling IP forwarding. Sun-Netscape Alliance's remote-access software lets a network authenticate users and grant defined access (i.e., based on predefined rules) to enterprise applications and data. Authorized users can access predefined applications through a Java-enabled Web browser.

On August 23, 1999, Citrix announced that it's strengthening the ICA protocol's security with support for SOCKS 5.0 and 4.0. If you install the latest MetaFrame release candidate for Windows 2000 (Win2K), when you set up a client session on the new client, the wizard will ask whether you'd like to use SOCKS to connect through a firewall.

Editing the ICA File for NAT
You can use Network Address Translation (NAT) to minimize the security risk of opening a port on a firewall. NAT readdresses traffic so that outgoing traffic appears to originate from the firewall rather than the internal host. Unlike proxy gateways, NAT gateways operate within the routing layer and are faster than their proxy counterparts. The network can use external routable Internet addresses for the router and internal unroutable intranet addresses for inside the firewall. You can then use NAT to translate the external address to an internal address according to a port number. For example, as Figure 1, page 132, shows, an Internet client that attempts to use NAT to connect to a Web server behind the router connects to Then, the system redirects the client to This procedure prevents the outside world from seeing your network directly. (For more about NAT, see Zubair Ahmad, "Windows 2000's Network Address Translation, page 141.)

When an administrator uses the Published Application Manager to create an ICA file, the ICA file will have the private address set as the browser address for a firewall that uses NAT. In Figure 1, for example, the browser address is This procedure works fine for internal connections, but for external connections, you must edit the ICA file so that the file points to the master browser's external IP address. In Listing 1, for example, the edited TcpBrowserAddress reflects the external port.

To use NAT to add a layer of security, the client must also request the master browser's external IP address. By adding the UseAlternateAddress setting (with a value of 1) to the ICA file's WFClient section (as Listing 1 shows), the master browser returns the correct browser address to the client. Without this setting, the client will successfully contact the server, but the server won't send back the correct address.

To register an alternative IP address to your internal servers through the master browser, you use the Altaddr command on the Citrix server. For example, to assign the alternative IP address of to a server, log on to the Citrix server, go to a command prompt, and type

altaddr /set

Then, edit the ICA file to point to the external address and use the alternative IP address. Listing 1 shows the edited ICA file. In this method, you need to assign each intranet IP address for a Citrix server a valid external Internet IP address.

Some routers don't let you use multiple external addresses for the same port, or you might not have or want multiple external addresses. Assigning transparent static ports eliminates the need to have one external address for each internal address. Rather than assign your internal servers unique addresses, you assign them a port number with the same external IP address. You need to assign one server to port 1604 so that it becomes the agent for locating the master browser. You can assign the other servers to any available port, as Figure 2 shows.

To assign alternative port numbers, first log on to the Citrix server that you want to designate as the browser. Go to a command prompt, and use the ICAport and Altaddr commands. For example, as Figure 2 shows, the Citrix server at finds the master browser. Type

icaport /port:1604
altaddr /set

Then, log on to another Citrix server, and type, for example,

icaport /port:421
altaddr /set

This method lets you load-balance an application through a firewall without exposing your entire network. You expose only one external address. All ICA connections will use this address to connect to the server farm. To assign the server, the master browser will use the load-balancing parameters you set in the Load Balancing Administrator under the Start menu, MetaFrame Tools. And the client will receive the correct alternative address and port.

Don't Help Intruders
Any access to an external client is an unwanted guest's potential entrance. You need to fully understand how thin-client/server products communicate with the world. If you're introducing your product into a public environment, you must limit your network exposure. History shows that a motivated intruder can break into any system—don't help the intruder by making the break-in easy. By understanding how the ICA protocol works with TCP/IP and setting up the strongest firewall possible, you can limit your network's vulnerability and continue to benefit from the advantages that Citrix adds to the Internet in a thin-client world.