Goodbye 1494, Hello 2598! Citrix Enhances ICA and Changes its Default Port - Brian Madden - BrianMadden.com

Written on Oct 20 2004
89,603 views, 22 comments


by Brian Madden

One of the “small” new features of Citrix MetaFrame Presentation Server 3.0 was something Citrix calls “session reliability.” All most people know about this is that:

  • When enabled, it allows a session to automatically reconnect when network connectivity is lost.
  • It requires a new TCP port: 2598.
  • It doesn’t work via Citrix Secure Gateway (this is fixed in MPS 4).
  • It requires ICA clients version 8.

I think there is a common misconception about port 2598 usage. Most people think that 2598 is an “add-on” port that Citrix created to handle heartbeat-type communication between the server and the client, and that this traffic is in addition to standard ICA traffic on port 1494. However, this is not true.

In environments where Session Reliability is enabled, TCP port 2598 replaces port 1494 as the port that the ICA protocol uses.

Why is this? In order to facilitate the additional header information that is needed in a Session Reliability environment, Citrix built a “wrapper” for ICA. Since a MetaFrame server has to peel off this new layer before accessing raw ICA information, Citrix decided to start using a new port.

At this point Citrix Secure Gateway only supports “traditional” ICA traffic, which means you cannot use Session Reliability when connecting through a gateway. (I know, I know... you only really need session reliability when you’re outside the firewall, which means you’d be using CSG. Don’t get me started...) Fortunately, the next version of CSG will support Session Reliability encapsulated ICA sessions in addition to traditional ICA data.

Any clients before version 8 will not use session reliability, and will therefore still connect on port 1494. As a result, you might have some 1494 and some 2598 sessions in mixed client environments. Of course, external data will always be SSL-encrypted traffic on port 443. But on the inside of the network, you’re going to see a lot less 1494 and a lot more 2598 over the next few years.
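
An added example (not from the original article or from Citrix): a small audit of `netstat -an` output from a MetaFrame server that separates traditional ICA sessions on 1494 from Session Reliability sessions on 2598, sets aside the loopback 1494 hop that commenters below report, and flags any ICA peer outside the internal ranges, since external traffic is expected on 443. The sample output, the RFC 1918 definition of "internal" and all function names are assumptions.

```python
import ipaddress
from collections import Counter

ICA_PORT, CGP_PORT = 1494, 2598  # the two ports named in the article
# Assumption: "inside the network" means the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of `netstat -an` output from a MetaFrame server.
SAMPLE_NETSTAT = """\
  Proto  Local Address      Foreign Address    State
  TCP    0.0.0.0:1494       0.0.0.0:0          LISTENING
  TCP    10.1.1.10:1494     10.1.20.31:1188    ESTABLISHED
  TCP    10.1.1.10:2598     10.1.20.44:3120    ESTABLISHED
  TCP    127.0.0.1:1494     127.0.0.1:2871     ESTABLISHED
  TCP    127.0.0.1:2871     127.0.0.1:1494     ESTABLISHED
  TCP    10.1.1.10:1494     203.0.113.7:40112  ESTABLISHED
"""

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def classify(line):
    """Label one netstat row, or return None if it is not an ICA session."""
    fields = line.split()
    if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
        return None
    try:
        (_, local_port), (peer, _) = map(split_endpoint, fields[1:3])
    except ValueError:
        return None  # unparsable address or port; skip the row
    if local_port not in (ICA_PORT, CGP_PORT):
        return None
    if peer.is_loopback:
        return "loopback-hop"  # local hand-off, not a client on the wire
    if not any(peer in net for net in INTERNAL_NETS):
        return "external-direct"  # expected via the gateway on 443 instead
    return "session-reliability" if local_port == CGP_PORT else "traditional-ica"

def summarize(netstat_text):
    """Count session types across a whole netstat dump."""
    labels = (classify(line) for line in netstat_text.splitlines())
    return Counter(label for label in labels if label)

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_NETSTAT).items()):
        print(f"{label:20} {count}")
```

A non-zero `external-direct` count means a peer outside the assumed internal ranges reached 1494 or 2598 directly, which is the case the firewall policy should be reviewed for.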

 
 




Comments

Guest wrote yay free book
on Sun, Dec 12 2004 1:52 PM
This message was originally posted by an anonymous visitor on October 22, 2004
Love your website and your articles. A free XP to MPS3 update would be a bonus since I bought your XP book :)
Guest wrote New Book???
on Sun, Dec 12 2004 1:52 PM
This message was originally posted by jsekel on October 21, 2004
So when is there a new book coming Brian??? Seems you are going to have to put in some overtime to keep up with Citrix now.
Guest wrote Oh Yeah! :)
on Sun, Dec 12 2004 1:52 PM
This message was originally posted by Brian Madden on October 21, 2004
I had an MPS3 book scheduled for April, and for obvious reasons that's not a good timeframe so I'm cancelling that book. Instead you can expect an MPS4 book in the September timeframe. I will be posting many more tech articles over the next few months as I learn things, though.
Guest wrote I can Disagree on WHERE you need session reliability
on Sun, Dec 12 2004 1:52 PM
This message was originally posted by Ron Oglesby on October 21, 2004
OK, from my point of view you need this internally also. Imagine being in a hospital walking between wings/access points, etc. etc. This helps big time. I have a client that is migrating their entire environment just to get the session reliability features for their wireless network.
Ron
Guest wrote I agree with Ron
on Sun, Dec 12 2004 1:52 PM
This message was originally posted by an anonymous visitor on October 21, 2004
I think Ron hit one of the biggest advantages of session reliability. A company with users roaming over a wireless network is a great use case for session reliability. The one example I use all of the time is a worker leaving their desk to go to a meeting and having to get on the elevator. I think that this was even mentioned during the keynote at iForum when they unplugged the network connection from the machine on stage.
Guest wrote CCA test question
on Sun, Dec 12 2004 1:52 PM
This message was originally posted by CCI Steve on October 21, 2004
Has Citrix education been notified? The port question has been around so long they will have to have a number retirement ceremony.
Guest wrote enabled by default
on Sun, Dec 12 2004 1:52 PM
This message was originally posted by xs4citrix on October 21, 2004
In both WI 3.0 and the 8 client, session reliability is enabled by default, causing quite some trouble for upgrade-happy admins, who get confronted with this new functionality while their firewall and FR3 farm are not ready for it yet.
Guest wrote Don't Cancel The MPS30 Book
on Sun, Dec 12 2004 1:52 PM
This message was originally posted by an anonymous visitor on October 21, 2004
Please
Guest wrote Don't Worry! I'll do something online
on Sun, Dec 12 2004 1:52 PM
This message was originally posted by Brian Madden on October 22, 2004
I'm not exactly sure what yet. I'm thinking of maybe writing a 20-30 page "XP to MPS3" update, since there aren't that many differences. Of course if I write that update, it will be made available for free on the site.
Guest wrote What do security folks think about this?
on Sun, Dec 12 2004 1:52 PM
This message was originally posted by an anonymous visitor on October 22, 2004
Is 2598 any better than 1494 from a security perspective? I thought opening any high numbered ports other than 80 or 443 for Internet or SSL traffic was a bad thing? How will customers concerned about security react to this?
Guest wrote RE:What do security folks think about this?
on Sun, Dec 12 2004 1:52 PM
This message was originally posted by xs4citrix on October 22, 2004
They will wait for CSG 3.0 which will support this feature.
Guest wrote Port 2598 Comment
on Sun, Dec 12 2004 1:52 PM
This message was originally posted by an anonymous visitor on October 22, 2004
Session Reliability via 2598 is primarily for internal users, as mentioned by others. Wireless LANs are primary. Session reliability is supposed to prevent the user from realizing their network connection was interrupted. For CSG users, I don't see it as too big a deal frankly. You still get reconnected - yes, after a wait - to where you left off if you lose network connectivity.
Guest wrote Enabling Session
on Sun, Dec 12 2004 1:52 PM
This message was originally posted by Ian McCulloch on October 22, 2004
Is there a good way to test this say, using telnet or something like that?
Guest wrote No Title
on Sun, Dec 12 2004 1:52 PM
This message was originally posted by Jeff Pitsch on October 22, 2004
I got this from a Citrix birdie at iForum. 2598 is used for the traffic but internally to the server, when the session reliability wrapper is stripped, it is passed back to 1494. In other words, Metaframe still uses 1494 but internally as opposed to over the network.

Also, if session reliability cannot be established it will automatically failover to 1494.
Guest wrote SR 1494/2598
on Sun, Dec 12 2004 1:52 PM
This message was originally posted by CMan on October 25, 2004
If you take a look at a trace you will see, as Jeff points out, all session reliability (CGP) traffic over 2598, but a netstat on the TS will show a loopback connection to 127.0.0.1:1494. 1494 is still tunneled within the CGP traffic.

Another point worth mentioning is that session reliability now relies on the 'Citrix XTE Server' service, so if you bounce XTE you will lose all of your SR sessions, even more annoying as XTE is a dependency of IMA, so you can't restart IMA either without losing all SR connections.
Guest wrote Reply to "Enabling Session"
on Sun, Dec 12 2004 1:52 PM
This message was originally posted by CMan on October 25, 2004
You cannot telnet to 2598 as nothing 'listens' on this port. A CGP (session reliability) session is negotiated during the initial XML conversation when you connect to an application, if SR is switched on for the Farm and the client appropriately configured then you will get a connection over 2598.
Guest wrote replaces the ICA keepalives
on Sun, Dec 12 2004 1:52 PM
This message was originally posted by brian lilley on October 26, 2004
also worth noting...I understand that session reliability will also replace the ICAkeepalive settings. I assume that wrapped ICA over 2598 has its own heartbeat, or perhaps exactly the same heartbeat but brought up into the SR header.
And yes, 2598 simply loops back into 1494 I discovered after some confusion.
Guest wrote RE: SR 1494/2598
on Sun, Dec 12 2004 1:52 PM
This message was originally posted by Leo van der Mee on November 8, 2004
This sounds like the SSLRelay solution to me. This also works externally on 443 and internally on 1494 or any port you specify. I do hope that session reliability is configurable, 'cause I do want to be able to connect to my additional listener ports. Or can I make several ports for session reliability?
2598 pointing to 1494
2599 pointing to 1495
and so on...
Guest wrote I don't quite get it...
on Sun, Dec 12 2004 1:57 PM
This message was originally posted by ps1650 on December 10, 2004
If network connectivity is lost on an XP 1.0 server the client will automatically reconnect. I don't understand what is different about this new method.
Dave Johnson wrote but CSG3 doesn't support Session Reliability with PS4...
on Wed, Sep 21 2005 8:16 PM
are they waiting for CSG4 *ahem* i mean SP1 to get it to work ?

check it:

http://www.brianmadden.com/forum/tm.asp?m=17848

-=dave
Guest wrote application on citrix server
on Mon, Jul 9 2007 3:57 AM
is it true that on a citrix server you cannot have any other applications?
Guest wrote Re: application on citrix server
on Fri, Oct 17 2008 2:58 PM
Lol
