Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

Firewall Policy - Citrix Client use

Hi! This is my 1st post as I am finally starting to set up my FG100A & FA100B (after 3 months of looking at them on my desk and being afraid... lol). I am sure I will have a few questions in the near future but please be patient with me as I am totally new to this stuff. I am in the process of setting all of the firewall policies and I was looking into what I need to do for allowing the Citrix ICA Client application to work. The server I am connecting to is external (WAN). I understand that I need to allow INTERNAL --> WAN - tcp port 1494 (or use the default winframe setting as described here: http://kc.forticare.com/default.asp?SID=&Lang=1&id=1568 What I don' t understand is where everwhere else I look for information (internet) I find that the consensus is that you also need to allow WAN --> INTERNAL - udp port range 1023 to 65535. Is this correct? Also, do I need to do this same thing INTERNAL --> WAN??? This seems crazy that I am going through all of this work to create firewall policies only to allow the essential stuff, then I am going to go and set the thing wide open on the top end so that I can connect to a Citrix server? Any help or suggestions in regards to this would be greatly appreciated. Maybe I am making the setup into more of a monster than it should be. I think that I am confusing myself actually. Thanks! Marc Jones
4 REPLIES 4
rwpatterson
Valued Contributor III

Welcome to the forums No pro on Citrix, but try it first with just the outgoing policy. If that fails, you may need to create a Virtual IP (VIP) mapping, and place that in a policy with those other ports you mentioned. Good luck

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
Jshaw
New Contributor

If the servers you are connection to are on the WAN (somewhere else on the i-net) the default rule for ICA/WINFRAME will work just fine. I host a few CTX farms and only allow HTTPS,HTTP and ICA to my servers without issues.
Not applicable

Thanks for the help! I will try just the standard service outgoing once I implement the Fortigate.
UkWizard
New Contributor

I agree with JShaw, allowing 1494 will work fine, however, depending on what citrix version you are on, and how its been configured you may also need to open up tcp port 2598 outbound as well. this is citrix' s session reliability function. I install citrix and fortinets quite often, and have only come across this once though, so you probably won' t, but if it doesn' t work, give it a shot. (or turn session reliability off on the servers)
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors