Cisco Support Community
New Member

Opening Citrix Ports between Two Firewalls over the Internet

If I open the ports for Citrix traffic to flow between two firewalls over the Internet, do I need to be concerned about being scanned for open ports? Another engineer is telling me that it still can't be scanned due to the nature of the PIX but I can't find any reference to this anti-scanning feature.

5 REPLIES
Silver

Re: Opening Citrix Ports between Two Firewalls over the Internet

About Citrix:

Citrix's Internet technology allows users to run WinFrame sessions over the Internet. This poses a challenge for maintaining Internet security because Citrix's Intelligent Console Architecture (ICA) protocol is a relatively new networking protocol that runs over TCP/IP using registered port 1494. Firewalls do not understand ICA because it is not a "well known" networking protocol.

Therefore, allowing the ICA protocol to pass through the firewall becomes a configuration challenge. Some types of firewalls can be configured to pass ICA, while others cannot. ICA uses dynamic port allocation much like the FTP protocol.

The initial synchronization between the WINFRAME client and the WINFRAME server occurs over port 1494, but the actual WINFRAME session occurs over a dynamically allocated port. For this reason, it might be necessary to allow connections over a range of TCP/IP ports through the given firewall. If required, these connections should only be allowed between the client and the server.

Try this link:

http://www.cisco.com/en/US/products/products_security_advisory09186a008009fafa.shtml

Gold

Re: Opening Citrix Ports between Two Firewalls over the Internet

That's a pretty basic feature of a firewall.

If your rules only allow specific src/dst ip addresses and port(s), then a scan from another IP address won't produce useful results.

New Member

Re: Opening Citrix Ports between Two Firewalls over the Internet

You spoof the source and that's a pretty basic feature of a hacker. I guess my point is that it would be safer to use VPN tunnels unless there is some sort of issue with performance for Citrix servers and clients over network based VPNs. Thoughts?

Re: Opening Citrix Ports between Two Firewalls over the Internet

Hi,

I agree with your point. Either you can go with an MPLS-based VPN, where your traffic is secure without doing IPsec, or you need to go as you have mentioned, end-to-end IPsec between your firewalls.

regards

vanesh k

Gold

Re: Opening Citrix Ports between Two Firewalls over the Internet

Using a VPN tunnel requires opening up protocols and ports from a source IP to a destination IP. It's not a whole lot different from a scanning perspective.

Even if the hacker knew the correct source IP address to spoof (unlikely), spoofing the source doesn't do much for an attacker because they won't see the reply packet. Unless it's a really old implementation of Citrix, it's probably already using 128-bit encryption. Adding a VPN tunnel does not add a lot of value and will certainly add overhead.
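The two "Gold" replies above (the one about src/dst-restricted rules and this one about spoofed replies) can be checked with a small simulation. This is an added example written for this thread, not code from any poster or from Cisco: it models a PIX-style stateful filter as an explicit permit list with implicit deny plus a connection table, and then runs the three probes discussed in the thread. The addresses, the rule, and the deny-log format are all constructed for the example; the model ignores the ICA dynamic-port range mentioned earlier and only tracks the initial TCP/1494 connection.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed addresses for the example (not from the thread).
CLIENT = "203.0.113.10"     # Citrix client site behind firewall A
SERVER = "198.51.100.20"    # Citrix server behind firewall B
ATTACKER = "192.0.2.99"     # unrelated Internet host running a port scan
ICA_PORT = 1494


@dataclass(frozen=True)
class Rule:
    """One permit entry: src network, dst network, TCP destination port."""
    src: str
    dst: str
    dport: int


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 40000


@dataclass
class Firewall:
    """Stateful filter: explicit permits, implicit deny, and a connection
    table so only replies to an accepted flow are allowed back out."""
    rules: list
    conns: set = field(default_factory=set)
    deny_log: list = field(default_factory=list)

    def inbound(self, pkt: Packet) -> bool:
        for r in self.rules:
            if (ip_address(pkt.src) in ip_network(r.src)
                    and ip_address(pkt.dst) in ip_network(r.dst)
                    and pkt.dport == r.dport):
                self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
        # Constructed deny record; a real PIX would emit a syslog deny message here.
        self.deny_log.append(f"deny tcp {pkt.src}/{pkt.sport} -> {pkt.dst}/{pkt.dport}")
        return False

    def outbound_reply(self, pkt: Packet) -> bool:
        # The reply must match an existing entry with the tuple reversed.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns


def build_firewall() -> Firewall:
    """The rule the second reply describes: one src host, one dst host, one port."""
    return Firewall(rules=[Rule(src=CLIENT, dst=SERVER, dport=ICA_PORT)])


def probe(fw: Firewall, real_sender: str, claimed_src: str, dport: int) -> str:
    """Send one SYN to SERVER carrying source address `claimed_src` and report
    what the host `real_sender` observes: 'open' only if it sees the SYN/ACK."""
    pkt = Packet(src=claimed_src, dst=SERVER, dport=dport)
    if not fw.inbound(pkt):
        return "filtered"                      # dropped and logged at the firewall
    # The server answers to the packet's source address, not to the real sender.
    reply = Packet(src=SERVER, dst=claimed_src, dport=pkt.sport, sport=dport)
    if not fw.outbound_reply(reply):
        return "filtered"
    return "open" if claimed_src == real_sender else "filtered"


def run_scenarios() -> dict:
    """The cases argued in the thread, each against a fresh firewall."""
    return {
        "legit_client": probe(build_firewall(), CLIENT, CLIENT, ICA_PORT),
        "scan_from_attacker": probe(build_firewall(), ATTACKER, ATTACKER, ICA_PORT),
        "spoofed_client_src": probe(build_firewall(), ATTACKER, CLIENT, ICA_PORT),
        "client_wrong_port": probe(build_firewall(), CLIENT, CLIENT, 3389),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:20s} {result}")
```

The spoofed case is the one worth reading closely: the permit rule matches, so the SYN reaches the server, but the SYN/ACK is routed to the genuine client address and the scanner never sees it, which is exactly why the last reply says spoofing "doesn't do much". From the defender's side, the scan from the attacker's own address is the visible event, because it lands in the firewall's deny log.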

352 Views, 2 Helpful, 5 Replies