December 23, 1999 10:35 AM

Published ICA Applications

Windows IT Pro
InstantDoc ID #7880

Minimize the dangers

Many organizations are turning to Windows NT Server 4.0, Terminal Server Edition (WTS) and Citrix MetaFrame to deploy Windows-based applications to their user base. This server-based computing solution lets organizations offer full-featured applications to almost any client—and use very little bandwidth in the process. In fact, some companies prefer to let remote employees and customers access mission-critical applications over an existing Internet connection. Citrix ICA makes this capability possible. ICA is an industry standard for delivering corporate applications across a broad variety of desktop platforms and networks. ICA lets the server separate application logic from the user interface (UI) and send only the application's UI to the client. The application runs completely on the server. Applications you deploy with ICA consume as little as one-tenth of the network bandwidth they typically require—about 10KB to 20KB per user session.

In her Web-exclusive article "Deployment: Getting Applications to the Masses" (http://www.win2000mag.com/articles/content/7131_01.html), Christa Anderson talks about using MetaFrame and the ICA protocol to deploy applications through a public network. She stresses the importance of carefully tuning published applications to preserve the terminal server's integrity and avoid error messages and unusable paths.

Making published applications available to the right people without poking holes in your network is also essential. To do this, you need to understand how to offer applications to thin-client NT users outside a network firewall, but you must also know how to preserve a high level of security. As a network engineer, I get nervous about opening any ports on a firewall. To maintain network security, you need to know how ICA works, how to deliver ICA sessions to the client through different types of firewalls, and how to configure your firewall and the ICA settings to minimize danger.

ICA, TCP/IP, and the ICA Browser
The Citrix ICA protocol is a proprietary networking protocol that runs over TCP/IP. Like FTP, ICA uses dynamic port allocation to let a client reach the server over the Internet. A client can start a session with ICA in two ways: Connect directly to the server and receive a full remote NT desktop or, if the administrator published the applications, browse the server for the application.

In a direct server connection, the initial synchronization between the client and the server occurs over TCP port 1494. However, the remainder of the session occurs over a dynamically allocated port. If you're browsing for a published application, initial synchronization occurs over UDP port 1604. The server returns the IP address of a server that contains a list of applications available through a dynamic port. Then, the client establishes a connection to the application through TCP port 1494, and the remainder of the communication uses a dynamic port.

These procedures can get tricky with firewalls in place to protect the network. Most firewalls don't understand ICA. Therefore, permitting the ICA protocol to pass through a firewall can be a configuration challenge. You can configure most—but not all—firewalls to pass the ICA protocol.

The Master Browser Without a Firewall
The server responsible for tracking available ICA functions (e.g., available Citrix servers, published applications, pooled licenses, performance and load information for Citrix servers) is called the master browser. The master browser functions similarly to the Microsoft Browser Service. Every Citrix server runs the ICA browser service and elects one Citrix server as the master browser. All other Citrix servers on the network are member browsers. Each physical network of Citrix servers has one master browser per protocol. A master browser election determines the master browser for each network. If the current master browser on a network goes down, a new master browser election occurs, thereby providing the ICA browser service high reliability. Each transport protocol (e.g., TCP/IP, IPX, NetBIOS) has a master browser.

To obtain the address of a server or published application, ICA clients must use the server's IP address or media access control (MAC) address to locate the master browser or directly connect to the server. The ICA client locates the master browser by sending out broadcast packets.

In a network without a firewall, to send a request for the ICA browser, the client broadcasts a packet to the network, with a destination address of UDP port 1604. The contacted server uses any port number greater than 1023 to return the master browser's IP address to the client. The TCP port-allocation algorithm indexes available ports between 1023 and 65534, and maintains a counter that shows the most recently allocated port. The counter incrementally changes after each allocation, and the server checks to ensure that no other connection is using this port. If another connection is using the port, the server checks the next available port. TCP/IP port allocation is a function of how many connections the server maintains. By default, the highest available user port is port 5000, but you can add the Registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\MaxUserPort and set this value to a decimal number between 5000 and the TCP/IP maximum port number—port 65534.
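The port-allocation behaviour just described, as an added illustrative model (not the article's code and not the Windows TCP/IP stack): a counter walks the user-port range from 1024 (the first port greater than 1023, an assumption) up to MaxUserPort, skips ports still held by other connections, wraps around, and fails once the range is full, which is why the number of sessions the server can hold is bounded by MaxUserPort.

```python
class IcaPortAllocator:
    """Model of the port-allocation behaviour the article describes: a counter
    walks the user-port range, skipping ports other connections still hold.
    Illustrative model only, not the actual Windows TCP/IP stack code."""
    LOWEST = 1024          # first port "greater than 1023" (assumption)
    ABSOLUTE_MAX = 65534   # TCP/IP maximum user port in the article

    def __init__(self, max_user_port: int = 5000) -> None:
        # MaxUserPort (Registry) must be between 5000 and 65534; 5000 is the default.
        if not 5000 <= max_user_port <= self.ABSOLUTE_MAX:
            raise ValueError("MaxUserPort must lie between 5000 and 65534")
        self.max_user_port = max_user_port
        self.last = self.LOWEST - 1      # counter: most recently allocated port
        self.in_use: set = set()

    def capacity(self) -> int:
        """Number of dynamic ports the firewall must allow back out."""
        return self.max_user_port - self.LOWEST + 1

    def allocate(self) -> int:
        """Next free port after the counter, wrapping at MaxUserPort; raise
        once every port in the range belongs to an existing connection."""
        if len(self.in_use) >= self.capacity():
            raise OSError("user port range exhausted; raise MaxUserPort")
        port = self.last
        while True:
            port = port + 1 if port < self.max_user_port else self.LOWEST
            if port not in self.in_use:
                self.in_use.add(port)
                self.last = port
                return port

    def release(self, port: int) -> None:
        self.in_use.discard(port)

def sessions_before_exhaustion(max_user_port: int = 5000) -> int:
    """How many server-side dynamic ports (one per ICA reply in the article's
    model) the range holds before allocation fails."""
    alloc = IcaPortAllocator(max_user_port)
    count = 0
    try:
        while True:
            alloc.allocate()
            count += 1
    except OSError:
        return count
```

With the default MaxUserPort of 5000 the model holds 3977 ports; raising the Registry value widens both the session capacity and the range of return ports a firewall must admit.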

If the communication is successful, the master browser returns a browse list to the client. To start an application, the client selects a server or published application from the browse list. Alternatively, the client can choose an ICA file, which is a preconfigured file that contains browser and application information that is specific to an application. The application connection initiates on TCP port 1494, and the server—using the same port-allocation method—responds with a high source TCP port number greater than 1023.

To create an ICA file, the user can use the Citrix ICA desktop editor, or the administrator can use the Published Application Manager tool. If you use the Published Application Manager to publish an application, you can right-click the application to access a wizard that helps you create an ICA file. Listing 1 shows an ICA file, where TcpBrowserAddress gives you the external IP address and Desktop is the name of the published application.

Firewall Configuration
Any open port is a door that an intruder might break down. A firewall attempts to protect those doors by regulating who can enter. When you add a firewall, you must configure the firewall to allow ICA browser packets on UDP port 1604 and TCP port 1494. To browse the Citrix network for servers and published applications, the client must be able to enter the server's network through port 1604 and back out through any port higher than 1023. However, you can connect directly to a server's full desktop by connecting to its TCP/IP address on port 1494—and you don't need to open port 1604.

ICA is a fairly new protocol, so using a firewall presents a unique challenge. You need to configure the firewall so that it allows a client session through the ICA ports. The configuration method you use must be specific to your firewall's architecture. The four major firewall architectures are: packet-filtering gateway, circuit-level gateway, stateful inspection, and proxy server.

Packet-filtering gateway. The packet-filtering gateway is the easiest architecture to configure, but it's the least secure. To configure an ICA packet-filtering gateway, simply insert a rule that lets a client send an inbound signal over TCP port 1494 and UDP port 1604 to the server and that passes a response from port number 1023 or greater. The method you use to set this rule depends on the firewall.

Circuit-level gateway. The circuit-level gateway adds more security because it operates at the session level and creates logical connections that NT maintains for only a certain period. When a client session creates the circuit, the firewall verifies that the session is allowed to establish the connection, then lets the client send all subsequent data without further verification. You configure circuit-level gateways similarly to the way you configure packet-filtering gateways.

Stateful inspection. Stateful inspection expands packet filtering by adding state information to packet inspection, based on past communications and other applications. You can configure stateful-inspection firewalls—like packet-filtering gateways—so that new protocols can pass through the firewall over specific ports. In addition, by performing packet inspection as the packets move through the firewall, stateful inspection provides better security. Configuring the ICA protocol requires you to define the ICA protocol as a network service.
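The difference between the packet-filtering rule and stateful inspection, as an added example (not code from the article or from any firewall vendor): both policies are applied to a constructed packet trace of the ICA browse and connection exchanges described above, using RFC 5737 documentation addresses. The packet filter admits any outbound packet from a port above 1023, whereas the stateful model (a hypothetical "ICA service" definition) admits the high-port reply only toward a client that first sent a request on UDP 1604 or TCP 1494.

```python
from dataclasses import dataclass
ICA_TCP, ICA_BROWSE_UDP, HIGH_PORT_MIN = 1494, 1604, 1024  # ports as the article gives them
ICA_ENTRY = {("tcp", ICA_TCP), ("udp", ICA_BROWSE_UDP)}

@dataclass(frozen=True)
class Packet:
    proto: str     # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True: Internet client -> Citrix server; False: server -> client

def packet_filter(pkt: Packet) -> bool:
    """Stateless rules from the packet-filtering paragraph: clients may enter on
    TCP 1494 / UDP 1604, and any packet from a port above 1023 may leave."""
    if pkt.inbound:
        return (pkt.proto, pkt.dport) in ICA_ENTRY
    return pkt.sport >= HIGH_PORT_MIN

class StatefulInspector:
    """ICA defined as a service (hypothetical model): a high-port reply may
    leave only toward a client address/port that sent an ICA request first."""
    def __init__(self) -> None:
        self.requests = set()   # (proto, client ip, client port, server ip)

    def check(self, pkt: Packet) -> bool:
        if pkt.inbound:
            if (pkt.proto, pkt.dport) not in ICA_ENTRY:
                return False
            self.requests.add((pkt.proto, pkt.src, pkt.sport, pkt.dst))
            return True
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src)
        return pkt.sport >= HIGH_PORT_MIN and key in self.requests

def evaluate(trace: list) -> list:
    """Return (packet-filter verdict, stateful verdict) for every packet."""
    si = StatefulInspector()
    return [(packet_filter(p), si.check(p)) for p in trace]

# Constructed trace (RFC 5737 addresses): browse, app connect, then an unsolicited high-port packet.
CLIENT, SERVER, OTHER = "203.0.113.10", "192.0.2.5", "198.51.100.7"
TRACE = [
    Packet("udp", CLIENT, 3001, SERVER, ICA_BROWSE_UDP, True),  # browse request
    Packet("udp", SERVER, 2050, CLIENT, 3001, False),           # master-browser reply
    Packet("tcp", CLIENT, 3002, SERVER, ICA_TCP, True),         # application connect
    Packet("tcp", SERVER, 2051, CLIENT, 3002, False),           # reply from high port
    Packet("tcp", SERVER, 4444, OTHER, 3389, False),            # unsolicited outbound
]
```

Only the last packet separates the two policies: the packet filter passes it because its source port is above 1023, while the stateful inspector rejects it because no client ever asked for it.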

Proxy server. Typically, you use proxies to monitor outbound traffic. Some application proxies also cache requested data and log connection information, thereby reducing bandwidth requirements, decreasing access time to similar connection points, and providing evidence of transferred data. The two types of proxy servers are application proxies and SOCKS proxies.


Comments
  • Jack Raskis
    May 30, 2000

    Very good article indeed. Clearly explained and very useful as a reference. Good job.

  • Chris Bye
    May 24, 2000

    Excellent article! The best coverage of ICA through firewalls that I've seen, with a very helpful suggestion about different ports for the same external address.
    It didn't mention the problem that you get if you don't want to run UDP through the firewall at all, though. That would have been nice.
