Hello, If you access the

swoods227 · ‎11-10-2014

We have a customer with a Cisco ASA5505 Firewall and they recently gone to a Citrix cloud environment. We are having a problem allowing the Citrix traffic through the ASA. Anyone with any ideas or "steps to take" would be greatly appreciated.

Rahul Chhabra · ‎11-11-2014

Hi,

When a user wants to connect to a Citrix session using Citrix ICA client (citrix receiver) the ICA client uses port number 1494 and port number 2598 for session reliability.
Port number 1494 is default for ICA connection, allotted by IANA to Citrix.

Session reliability contains a secure connection over SSL and it also has the ability to maintain the sessions during fail-over.

So, you need to permit these ports on user ASA to allow Citirx via ASA.
like:
access-list (name) permit tcp any any eq 1494
access-list (name) permit tcp any any eq 2598

Regards,
Rahul Chhabra
Network Engineer
Spooster IT Services

David Johan Castro Fernandez · ‎11-11-2014

Hello,

If you access the Citrix Cloud Enviroment from the inside hosts to the outside, you will need to permit that communication on the ASA on the Outside Access group, to the server, and Citrix uses specific TCP ports for this.

Either ways I will give you 3 documents that have the Port numbers and another one for how to apply this access group to permit this communication, also remember the access group applied on the inside interface.

Configuring TCP ports for Citrix communication:

- http://support.citrix.com/proddocs/topic/xenapp65-admin/ps-securing-cfg-tcp-ports.html

- http://support.citrix.com/servlet/KbServlet/download/2389-102-704421/CTX101810_28th_June_2013.pdf

Permitting or Deniying Network Access:

- http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/access_nw.html

If you have any questions let me know,

Please don't forget to rate and to mark as correct the helpful post!

David Castro,

Regards,

Citrix Access via ASA5505