If you are referring to the ICA protocol, developed by Citrix (used, for
example, for demo on their web site) then you don't need to disable the
firewall to let this kind of traffic go through, but create some
rules related to this. I am using Eagle from Raptor and for ICA I
created a protocol, defined on TCP port 1494 and then a GSP service and
it works just fine. I only let the traffic from inside to Internet,
though.
If you want to use a Winframe TCP/IP Client over the Internet (which, by
the way, I wouldn't do), then you probably need a secure tunnel
between the client and the Winframe server, but again, you don't have to
disable the firewall functionality for any other protocol...
Adrian
> -----Original Message-----
> From: Eric Schrauth [SMTP:smmj @ MO . NET]
> Sent: Thursday, August 07, 1997 5:39 AM
> To: firewalls @ greatcircle . com
> Subject: Raptor/PIX/FW-1 & Citrix
>
> I had been reading with interest the messages regarding the Citrix
> Winframe product, but they have kinda dried up.  I have a question
> relating to the Raptor, PIX and FW-1 products and Citrix.  According
> to my vendor(s), to use any of the software firewalls (Raptor & FW-1)
> with Citrix, you have to disable the ability of the firewall to
> examine the packet in depth, and just let the packet pass through the
> firewall based upon what port it is coming from.  I am unsure of the
> way that the PIX handles it, but assume is similar.  One of the
> advantages (I thought) to using the software firewall was that I did
> this extensive level of verification.  My question is if you disable
> this feature, why do you need to have the software firewall instead
> of some other solution.  It is not the cheapest way to do things.
> Have I given enough information to the group to talk about this
> intelligently?