Jamie,

It sounds like you'll need just a standard nat translation and pass the port to your server. The client will determine what's needed to pass to the server. You can do this in the ASA:

static (dmz, outside) 1.1.1.50 192.168.1.50 netmask 255.255.255.255

access-list OUTSIDE permit tcp any host 1.1.1.50 eq 443

You'll pass your Citrix traffic to 1.1.1.50 and your other services can still run on 443.

HTH,

John

Please rate useful posts...

Thanks for your response John,

I think I see what you're saying, which makes sense if there was just the Citrix gateway on 443.

Thing is, it's 2 internal hosts - seperate servers - seperate internal IP's.  On the outside (where the requests would be made from), one public static IP - both services using seperate subdomains but DNS record pointing to the single static - clients can request either https://fs.mydomain.com or https://citrix.mydomain.com and they should both get forwarded to the appropriate internal service...

What you suggest seems to be specific to forwarding to one host - but what about when another host is added that wants to use the same port?

My thought were (and whether possible):

- Route the traffic to the appropriate destination based on headers (since each would be using its own subdomain)

            - Problem I see with this, is I don't know if it's possible/how on the ASA

            - It's my understanding that the headers would be encrypted if they're secure (https 443) and thus unreadable by the ASA

Thank you for your quick responses... Kinda what I was expecting, so additional IP is probably the simplest route.