Having a lot of trouble with the Citrix ICA client not being about to go through the ISA server.  Have tried everything I can find on the net, but most of that is broken code.

 

1494 is the port number that I can telnet to on the Citrix server and as far as I can tell, the only real one it needs open to work unless I missed something.  I can access that server fine from a computer without ISA client firewall installed and not on the same network as the ISA.  With ISA, it will not connect.  I have opened up the port 1494 outbound using CEICW.  I have used the ISA Server tool to add ports to the config for 1494, 2598 and 9001, but still nothing.  Has anyone set this up.  Our accountants need it to work really bad and I don't want to have to go through another ISA unistall to give them the access. 

 

I have no problem accessing the internet, except we can't ping to outside addresses (which might be part of the problem), using Outlook over HTTP, RWW, etc...

 

Please help. 

I have Citrix clients working through ISA firewall.  No special ports needed to be opened, but I do get prompted for authentication to get through the proxy, and the behavior is erratic.  No matter which machine, the authentication is rejected, but hitting cancel allows a connection.  On one machine however, similar behavior, but no connection.

Ok, we finally got it all working without any workarounds or hitches.  Basically, we went into ISA and created new custom access rules for 2598 tcp in and out, 1494 tcp in and out and 1604 udp sendreceive.  The from / to stuff was "internal" and "localhost" and "external depending on what direction was needed.  Don't really know if some of this could be left out, like localhost, but we quit messing around once it started working.  This is an ICA/Firewall client connecting through our SBS/ISA box to a remote Metaframe Server via IP address. 

Hi. I am having the exact same problem you're having. I created the custom protocol and 'Citrix 1494 Out' access rule as you described, and am still being denied. Is it possible there is another step? I can provide logging if that helps.

Hi Alan,

 

Were you able to figure this out yet?

Thanks to Eriq Neale's assistance, we were able to determine that the only method that would allow this particular connection to work was to enable all outbound traffic. Since making this change, the application works flawlessly. Obviously we would have preferred to keep better control of the outbound traffic, but the issue was compounded by the fact that there was no way to modify the Citrix-side of the program, as it is supplied by a third party.

 

I would like to note that Eriq was terrific in troubleshooting this issue, and I look forward to working with him again some time. - Alan