693 Views | 2 Helpful | 5 Replies

Opening Citrix Ports between Two Firewalls over the Internet

patrick.hurley
Level 3

If I open the ports for Citrix traffic to flow between two firewalls over the Internet, do I need to be concerned about being scanned for open ports? Another engineer is telling me that it still can't be scanned due to the nature of the PIX but I can't find any reference to this anti-scanning feature.

5 Replies

mchin345
Level 6

About Citrix:

Citrix's Internet technology allows users to run WinFrame sessions over the Internet. This poses a challenge for maintaining Internet security because Citrix's Intelligent Console Architecture (ICA) protocol is a relatively new networking protocol that runs over TCP/IP using registered port 1494. Firewalls do not understand ICA because it is not a "well known" networking protocol.

Therefore, allowing the ICA protocol to pass through the firewall becomes a configuration challenge. Some types of firewalls can be configured to pass ICA, while others cannot. ICA uses dynamic port allocation much like the FTP protocol.

The initial synchronization between the WINFRAME client and the WINFRAME server occurs over port 1494, but the actual WINFRAME session occurs over a dynamically allocated port. For this reason, it might be necessary to allow connections over a range of TCP/IP ports through the given firewall. If required, these connections should only be allowed between the client and the server.

Try this link:

http://www.cisco.com/en/US/products/products_security_advisory09186a008009fafa.shtml

mhellman
Level 7

That's a pretty basic feature of a firewall.

If your rules only allow specific src/dst ip addresses and port(s), then a scan from another IP address won't produce useful results.

You spoof the source and that's a pretty basic feature of a hacker. I guess my point is that it would be safer to use VPN tunnels unless there is some sort of issue with performance for Citrix servers and clients over network based VPNs. Thoughts?

Hi,

I agree with your point. Either you can go with an MPLS-based VPN, where your traffic is secure without doing IPsec, or you need to go as you have mentioned, end-to-end IPsec between your firewalls.

regards

vanesh k

Using a VPN tunnel requires opening up protocols and ports from a source IP to a destination IP. It's not a whole lot different from a scanning perspective.

Even if the hacker knew the correct source IP address to spoof (unlikely), spoofing the source doesn't do much for an attacker because they won't see the reply packet. Unless it's a really old implementation of Citrix, it's probably already using 128 bit encryption. Adding a VPN tunnel does not add a lot of value and will certainly add overhead.
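As an added illustration of the point made in this thread (example code written for this page, not code from any poster or from Cisco), here is a toy Python model of a PIX-style access list that permits ICA (TCP/1494) only between one client and one server. It evaluates packets against the rules with the usual first-match, implicit-deny semantics, simulates what a probing host actually learns (a denied SYN gets no reply; a permitted SYN with a forged source gets answered at the forged address, so the prober still sees nothing), and includes a small audit helper that flags rules whose source or destination is effectively "any". All addresses, the rule list and the helper names are constructed for this example.

```python
"""Toy model of a source/destination-restricted firewall rule for Citrix ICA.
Constructed example: addresses are from documentation ranges, the ACL and
function names are assumptions made for this illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp" (ICA runs over TCP)
    src: str                    # source CIDR, e.g. "203.0.113.10/32"
    dst: str                    # destination CIDR
    dports: Tuple[int, int]     # inclusive destination-port range


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


# Constructed ACL: only the remote Citrix client may reach the server on 1494.
ICA_PORT = 1494
CITRIX_ACL: List[Rule] = [
    Rule("permit", "tcp", "203.0.113.10/32", "198.51.100.20/32", (ICA_PORT, ICA_PORT)),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet's protocol, addresses and port fall inside the rule."""
    return (
        rule.proto == pkt.proto
        and ip_address(pkt.src) in ip_network(rule.src, strict=False)
        and ip_address(pkt.dst) in ip_network(rule.dst, strict=False)
        and rule.dports[0] <= pkt.dport <= rule.dports[1]
    )


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First-match evaluation with an implicit deny at the end of the list."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def probe_result(acl: List[Rule], probe: Packet, observer: str) -> str:
    """What the host at `observer` learns after sending `probe` through the filter.

    filtered     - the ACL dropped the SYN, nothing comes back.
    open         - the SYN was permitted and the SYN-ACK returns to the observer.
    no-response  - the SYN was permitted, but the server answers the (forged)
                   source address, so the observer never sees the reply.
    """
    if evaluate(acl, probe) == "deny":
        return "filtered"
    return "open" if probe.src == observer else "no-response"


def broad_rules(acl: List[Rule]) -> List[Rule]:
    """Defender's lint: rules whose source or destination is effectively 'any'."""
    return [r for r in acl
            if ip_network(r.src, strict=False).prefixlen == 0
            or ip_network(r.dst, strict=False).prefixlen == 0]


if __name__ == "__main__":
    server, client, scanner = "198.51.100.20", "203.0.113.10", "192.0.2.50"
    # The legitimate session and a forged-source probe are the same packet on the
    # wire; the filter permits both, but only the real client receives the reply.
    ica_syn = Packet("tcp", client, server, ICA_PORT)
    from_scanner = Packet("tcp", scanner, server, ICA_PORT)
    print("legit client :", probe_result(CITRIX_ACL, ica_syn, client))       # open
    print("scanner      :", probe_result(CITRIX_ACL, from_scanner, scanner)) # filtered
    print("forged source:", probe_result(CITRIX_ACL, ica_syn, scanner))      # no-response
    print("broad rules  :", broad_rules(CITRIX_ACL))                         # []
```

The model deliberately ignores state tracking and ICA's dynamic-port behaviour mentioned earlier in the thread; if you widen `dports` to cover a dynamic range, `broad_rules` still only flags address scope, so check port scope separately when auditing a real rule set.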