I hope that this Microsoft article helps. How to Publish a Citrix Server Behind ISA Server [Q300177] PSS ID Number: Q300177 Article last modified on 08-02-2001 :2000 ====================================================================== ------------------------------------------------------------------------ ------- The information in this article applies to: - Microsoft Internet Security and Acceleration Server 2000 ------------------------------------------------------------------------ ------- SUMMARY ======= This article describes how to publish a Citrix Metaframe version 1.8 server by using Internet Security and Acceleration (ISA) Server so that external ICA clients can connect and run ICA sessions. MORE INFORMATION ================ The following steps describe how to configure the ISA Server and the Citrix server. The configuration on the ISA Server requires the creation of a packet filter, a protocol definition, and a server publishing rule. The Citrix server is configured by running a command-line utility. How to Configure ISA Server --------------------------- Create an IP Packet Filter That Is Named "Inbound ICA TCP 1494": 1. Start the ISA Management console, open the Access Policy container, right-click IP Packet Filters, point to New, and then click Filter. 2. Name the rule that you are creating (for example, "Inbound ICA TCP 1494"), and then click Next. 3. Click Custom, and then click Next. 4. Click TCP in the IP protocol box, click Both in the Direction box, click Fixed port in the Local port box, type "1494" (without the quotation marks) in the Port number box, leave the All ports setting at Remote port, and then click Next. 5. Click Default IP addresses, or type a specific external IP address. If you have just one IP address that is bound to the external interface of the ISA server, or if you are only publishing one Citrix server, leave this selection at Default IP address, and then click Next. 6. Leave the selection at All remote computers, click Next, and then click Finish. Create a New Protocol Definition That Is Named "Citrix ICA TCP": 1. Start the ISA Management console, open the Policy Elements container, right-click Protocol Definitions, point to New, and then click Definition. Note that if an Enterprise policy is applied to your array, you must create the protocol definition at the Enterprise level. 2. Name the protocol definition "Citrix ICA TCP" (without the quotation marks), and then click Next. 3. Type 1494 in the Port number box. Leave the "Protocol type" setting as TCP. Change the "Direction" setting to Inbound, and then click Next. 4. Leave the "Do you want to use a secondary connection." setting at No, click Next, and then click Finish. Server Publish the Citrix Metaframe Server: 1. Start the ISA Management console, open the publishing container, right-click Server Publishing rules, point to New, and then click Rule. 2. Name the rule that you are creating (for example, "Citrix Server"), and then click Next. 3. Type the address of your internal Citrix Server under Internal server, type the appropriate address for the external interface on the ISA server under ISA Server, and then click Next. 4. Click Citrix ICA TCP, and then click Next. 5. Select the appropriate client set. Note that if the server is used by computers that are on the Internet, Any request is the best choice. 6. Click Next, and then click Finish. 7. Restart the Firewall service. How to Configure the Citrix Metaframe Server -------------------------------------------- The Citrix server needs to be a SecureNAT client. That means that you do not install the firewall client on the Citrix server; instead, configure the default gateway to point to the internal interface of the ISA server and configure a DNS address on the Citrix server that can resolve Internet names. In addition, on the Citrix server you must set an alternate address for the ICA sessions. First you must determine the correct ISA external address, and then type the "altaddr /set w.x.y.z" (without the quotation marks) command from a command prompt on the Citrix server, where w.x.y.z is the external IP address of your ISA server. The Citrix server must be restarted after you run this command. If you only have one IP address that is bound to the external interface of the server, use that address. If you have multiple IP addresses that are bound to the external interface of the ISA server, type the one you used when you created the server publishing rule earlier. When clients on the Internet want to connect to your Citrix server by using an ICA client, they must connect to the external IP address on the ISA server that is used in the server publishing rule. This is also the same IP address that you specified when you ran the "altaddr" (without the quotation marks) command. Additional query words: ====================================================================== Keywords : kbnetwork kbtool Technology : kbAudDeveloper kbISAS2000 kbISAServSearch Version : :2000 Issue type : kbhowto ======================================================================== ===== Copyright Microsoft Corporation 2001. -----Original Message----- From: Jason Beckett [mailto:jbeckett@xxxxxxxxxxxxxxxxxx] Sent: Thursday, December 13, 2001 4:56 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Access to Citrix Server Importance: High http://www.ISAserver.org Ok I went and made these changes, Now when I double click on the ica client it says "Cannot connect to the Citrix server: The Citrix Server you have selected is not accepting connections." So now how does the ISA server know which server to pass the request to. ISA Server is on it own server and the citrix server is on an internal server. How to I pass all requests for citrix to my internal server? Thanks Jason -----Original Message----- From: Ziyad Essa [mailto:ziyad.essa@xxxxxxxxxxxxxx] Sent: Thursday, December 13, 2001 2:59 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Access to Citrix Server http://www.ISAserver.org A pre defined protocol called ICA "Citrix Intelligent Console Architecture protocol" on TCP port 1494. Go to access policy then Protocol rules. select the protocol rule that you have defined for your site, select the protocol tab, under this rule applies to, select selected protocols, from the protocols list, check the box next ICA Hope that helps Ziyad -----Original Message----- From: Jason Beckett [mailto:jbeckett@xxxxxxxxxxxxxxxxxx] Sent: Thursday, December 13, 2001 3:53 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Access to Citrix Server http://www.ISAserver.org I am really new to ISA server, So I have made a protocol rule for tcp on port 1494. What do you mean by check it in my protocol rules.??? Thanks for you help -----Original Message----- From: Ziyad Essa [mailto:ziyad.essa@xxxxxxxxxxxxxx] Sent: Thursday, December 13, 2001 2:25 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Access to Citrix Server http://www.ISAserver.org you already have a protocol rule created for port 1494 Citrix Intelligent Console Architecture protocol, all you need is to check it in your Protocol Rules -----Original Message----- From: Jason Beckett [mailto:jbeckett@xxxxxxxxxxxxxxxxxx] Sent: Thursday, December 13, 2001 3:20 PM To: [ISAserver.org Discussion List] Subject: [isalist] Access to Citrix Server Importance: High http://www.ISAserver.org I need to gain access to my citrix server through my isa server. What ports do I open and how do I do this? Thank you for any help Jason Network Administrator (604)687 2990 ext 1024 ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: ziyad.essa@xxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jbeckett@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: ziyad.essa@xxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jbeckett@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: ziyad.essa@xxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')