Allow Citrix only

mo shea
Level 1

HI...

We have set up a temporary 128k ISDN connection to allow 50 users to connect to ERP (SQL-based) servers at the main site over Citrix. We use a 1700 series router.

The requirement is to allow these people to use only that application and nothing else. We will install the Citrix client on each user PC. I have found the following Citrix ports:

ICA (Default) TCP: 1494

IMA TCP: 2512

CMC TCP: 2513

SSL TCP: 443

STA (IIS) TCP: 80

TCP Browsing UDP: 1604

XML (Default) TCP: 80

I plan to add Windows Terminal Services ports and DNS as well. I plan to test tomorrow.

The thing that's worrying me is that two of the Citrix ports use 80, which is the same port as the upstream internet proxy used at the main site. I am afraid people can still access the internet if these ports are allowed.

Any help is appreciated.

Thanks

3 Replies

paddyxdoyle
Level 6

Hi,

You can prevent this by either having a deny rule at the top of your ACL to specifically deny HTTP to your proxy,

e.g.

! <proxy-address> and <citrix-server-address> are placeholders for your actual hosts
access-list 101 deny tcp any host <proxy-address> eq www

access-list 101 permit tcp any host <citrix-server-address> eq www

etc...

Or you can put specific destination addresses in your ACL, permitting your clients to talk only to specific servers. All other traffic (HTTP to your proxy included) will be denied, as it is not specifically permitted in your ACL.

HTH

Paddy
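To make the second approach concrete, here is a complete ACL for the remote-site 1700 as an added example; it is not from this thread or from Cisco. It assumes invented addresses: 192.168.10.0/24 for the remote user LAN behind FastEthernet0, 10.1.1.10 for the Citrix/ERP server, 10.1.1.53 for the main-site DNS server and 10.1.1.8 for the internet proxy. Because every permit names a specific destination host, TCP 80 is only reachable on the Citrix server; the explicit deny for the proxy is redundant with the implicit deny at the end, but it documents the intent and gives you a hit counter to watch.

```cisco
! Added example, not from the original thread. All addresses are invented:
!   192.168.10.0/24 = remote-site user LAN (FastEthernet0 on the 1700)
!   10.1.1.10       = Citrix / ERP server at the main site
!   10.1.1.53       = DNS server at the main site
!   10.1.1.8        = upstream internet proxy at the main site (TCP 80)
!
access-list 101 remark --- Citrix-only policy for the ISDN link ---
access-list 101 remark Explicit deny for the proxy: redundant with the implicit
access-list 101 remark deny at the end, but it documents intent and counts hits
access-list 101 deny   tcp 192.168.10.0 0.0.0.255 host 10.1.1.8 eq www
!
access-list 101 remark ICA sessions (TCP 1494) and ICA browsing (UDP 1604)
access-list 101 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.10 eq 1494
access-list 101 permit udp 192.168.10.0 0.0.0.255 host 10.1.1.10 eq 1604
!
access-list 101 remark IMA / CMC (normally server-to-server and console only)
access-list 101 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.10 eq 2512
access-list 101 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.10 eq 2513
!
access-list 101 remark XML service / STA (TCP 80) and SSL (TCP 443):
access-list 101 remark port 80 is allowed ONLY to the Citrix server, not the proxy
access-list 101 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.10 eq www
access-list 101 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.10 eq 443
!
access-list 101 remark Windows Terminal Services (RDP) to the same server, and DNS
access-list 101 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.10 eq 3389
access-list 101 permit udp 192.168.10.0 0.0.0.255 host 10.1.1.53 eq domain
!
access-list 101 remark Make the implicit deny visible in the log
access-list 101 deny   ip any any log
!
interface FastEthernet0
 description Remote-site user LAN
 ip access-group 101 in
```

Apply the list inbound on the LAN interface so it is evaluated on client packets before they reach the ISDN link; return traffic from the servers arrives on BRI0 and is not affected. `show access-lists 101` shows a hit counter per line, and the final `deny ip any any log` reports what users tried to reach (IOS summarises these log entries periodically rather than logging every packet). Ports 2512 and 2513 are used between Citrix servers and by the management console rather than by the ICA client, so if their counters stay at zero after your test you can drop those two lines.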

Thanks for the reply.

I was thinking of using a static route on the router that points only to the application servers. Any suggestions?

Static routes would be good for your security and would eliminate routing updates on the link. However, you probably don't want to do this if you have a continually changing topology/services (IOW, the remote access is not changing). For added security, you may also want to combine this with the aforementioned access lists. Don't forget to enable RFC 1918 and RFC 2827 filtering.
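The static route plus RFC 2827/1918 filtering suggested above, as an added example that is not part of the original thread. It uses the same invented addressing as before: 192.168.10.0/24 for the remote LAN, 10.1.1.0/24 for the main-site server subnet, and 10.255.255.1 for the main-site end of the ISDN link on BRI0. One caveat for this particular link: both sites use RFC 1918 space, so a blanket deny of private-source addresses would drop the legitimate return traffic. The list below therefore drops packets that spoof our own LAN (RFC 2827), permits the one expected source subnet, and only then denies the RFC 1918 ranges, loopback and multicast, which is what the RFC 1918 advice amounts to on an internal link.

```cisco
! Added example, not from the original thread. All addresses are invented:
!   192.168.10.0/24 = remote-site user LAN (FastEthernet0)
!   10.1.1.0/24     = main-site server subnet (Citrix/ERP, DNS)
!   10.255.255.1    = main-site router at the far end of the ISDN link
!   BRI0            = the 128k ISDN interface on the 1700
!
! 1. Static routing: only the main-site server subnet is reachable over the
!    link. No default route and no routing protocol on BRI0, so nothing else
!    can be routed across it and no updates cross the 128k link.
!    ('no router rip' assumes RIP was the protocol in use; adjust to yours.)
no router rip
ip route 10.1.1.0 255.255.255.0 10.255.255.1
!
! 2. Ingress filter on the ISDN side (applied inbound on BRI0).
access-list 102 remark --- inbound from the main site over ISDN ---
access-list 102 remark RFC 2827: a packet claiming OUR LAN as source cannot
access-list 102 remark legitimately arrive from the far side of the link
access-list 102 deny   ip 192.168.10.0 0.0.0.255 any log
!
access-list 102 remark The only expected source is the main-site server subnet,
access-list 102 remark and it should only be talking to our LAN
access-list 102 permit ip 10.1.1.0 0.0.0.255 192.168.10.0 0.0.0.255
!
access-list 102 remark RFC 1918 / bogon sources other than the subnet above
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 102 deny   ip 224.0.0.0 15.255.255.255 any log
access-list 102 deny   ip any any log
!
interface BRI0
 description 128k ISDN to main site
 ip access-group 102 in
```

The outbound direction is already covered by the Citrix ACL on the LAN interface if every line in it names 192.168.10.0/24 as the source, since that is the RFC 2827 egress check (no packet leaves with a source address that is not ours). If the ISDN link is numbered and the far-end router itself needs to reach you (for example ICMP from 10.255.255.1), add a permit for that host above the RFC 1918 denies; otherwise the `deny ... log` lines will show it being dropped.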