Block ICA client access, in the Citrix XenApp / Presentation Server forum on BrianMadden.com



Not Ranked
Points 150
Richard posted on Thu, Feb 14 2008 8:23 AM
Hi -

Does anyone know of a way to block access to users connecting to our server via a ICA client? We want people to only use the WI and deny client connections...

Any ideas?

Thanks!!

All Replies

Top 10 Contributor
Points 24,600
Hi,

Depends where your users are connecting from.

To block users who are outside of your firewall from using the PN client, put your CSG/WI in a DMZ and only open port 443 between the public interface and the DMZ (ports 1494, 2598, 80 need to be opened only between DMZ and LAN where CPS servers reside).

If the users are on your LAN in an AD environment, you could:

- lock down your workstations to prevent software installation (don't grant Power Users/Admin)
- block downloading EXE/MSI files through your firewall
- implement software restriction policies

Just to mention a few...

Alan Osborne

President (MCSE, CCNA, VCP, CCA)

VCIT Consulting - Citrix/Terminal Services Remote Desktop Solutions for SMB


Top 10 Contributor
Points 48,811
Are you talking about blocking custom connections? You can set the connection properties to only launch Published Applications, so that should prevent anyone from just establishing a connection to the server via ICA.

Why is it called "Common Sense"? It doesn't seem all that common!

Not Ranked
Points 150
Damn, I hit back by accident and my whole reply was gone...

None of those solutions will work because we have users internally and externally that are currently using the ICA client to connect to our current Citrix server. The external DNS is set up for citrix.companyname.com

That isn't going to change, so when the new Citrix server is put into place (users will only be able to connect to the WI; we don't want them connecting to a virtual desktop ever), we don't want users accidentally still connecting via the ICA client.

Hope that makes sense, thanks everyone for your help!
Top 10 Contributor
Points 48,811
The only difference between the two clients is the fact that the full PN client has a user interface. Beyond that, they all connect the same way. If I understand you, you are trying to prevent the full PN client from EVER contacting any of your servers, correct? But, you still want Web client users to get through?


Top 10 Contributor
Points 24,600
Hi Richard,

In future, please try to be clear in your posts as you had asked how to block the ICA client as you "want people to only use the WI and deny client connections..."

You have answered your own question - if you have existing users using the PN client for the foreseeable future, then the PN client will need to communicate with the CPS farm.

When planning your WI, you should implement CSG as well and place the server in the DMZ.

As Dan suggested, set the connection properties to allow published apps only via PN.

Cheers,

Alan Osborne

President (MCSE, CCNA, VCP, CCA)

VCIT Consulting - Citrix/Terminal Services Remote Desktop Solutions for SMB

VCIT website My Blog

Not Ranked
Points 150
Richard replied on Fri, Feb 15 2008 10:06 AM
Ok maybe I am not explaining this correctly...and I apologize for that, I am trying to explain this the best I can, and will try again.

Currently - Users connect to our Citrix server (external DNS is citrix.companyname.com) using a custom ICA connection from their PN agent. They get a virtual desktop with a start menu, etc... There is no web interface available.

We want - Users to connect to our new Citrix server (we will do a cutover and external DNS will now point to the new Citrix server internally, but it will still be citrix.companyname.com). We want the new Citrix server to only be accessible using the WI.

Once we do the cutover, if some users on the outside (say teleworkers) still try to connect via their custom connection, it will work, which is what we don't want. We want it to force them to use the WI, and if they try to connect to the server using a custom ICA connection with their PN agent, it fails or doesn't let them log in.

I really hope this all makes more sense.

Thanks
Top 10 Contributor
Points 48,811
If you are using the PN Agent, then in theory all you have to do is disable the PN Agent site, and it will render any PN Agents out there useless. Then they will have no choice but to use whatever alternate method you provide to connect in, in this case the WI.


Not Ranked
Points 150
And how do you disable the PN Agent site?
Top 10 Contributor
Points 48,811
If you don't need/want it any more, open the Access Suite Console, and delete the site.


Top 10 Contributor
Points 24,600
Hi Richard,

I think there is some confusion about the Citrix client you are using. Dan's comments were referring to the PNAgent. As you aren't currently using the web interface, there is no way that you are using the PNAgent - you are using the full PN ICA client.

Once you have:

- CSG/WI server set up in your DMZ
- Web client and/or PNAgent deployed to all workstations

Then you can prevent users from connecting via the PN ICA client by blocking all ports other than TCP port 443 on the public interface of your firewall. This will allow users to access Citrix via the web interface and/or the PNAgent (which also uses the web interface) because CSG will proxy connections and all traffic between client and CSG will be encapsulated in SSL packets.

Since the PN ICA client needs to talk directly to the CPS server farm via TCP port 1494 (or 2598 for SR), those remote PN ICA clients will no longer work and users will be forced to use the web interface (or PNAgent if you choose to deploy that).

Have a look at Patrick Rouse's articles on installing and configuring CSG/WI on a server in your DMZ:

http://www.msterminalservices.org/articles/Install-Configure-Citrix-Web-Interface-Secure-Gateway-Part1.html

http://www.msterminalservices.org/articles/Install-Configure-Citrix-Web-Interface-Secure-Gateway-Part2.html

Also, see this article on deploying the PNAgent:

http://www.msterminalservices.org/articles/Configure-Citrix-Program-Neighborhood-Agent.html

Cheers,


Alan Osborne

President (MCSE, CCNA, VCP, CCA)

VCIT Consulting - Citrix/Terminal Services Remote Desktop Solutions for SMB

VCIT website My Blog

Not Ranked
Points 150
You are correct, we are using the full ICA Client. However, we also want to block external users from getting to the server desktop using the ICA Client. Also we don't have Secure Gateway.

I don't know how else to say this, we just want the server to accept web interface connections, and block ica client connections, that is it.

Thanks and sorry this is becoming more of a headache than it should be.
Top 10 Contributor
Points 48,811
Your only option at this point is to change the default ICA ports on all your servers, as well as your XML ports. Then, configure your WI to use those new ports, and keep them a VERY closely guarded secret. Also, turn off your servers' ability to respond to broadcasts so the full client can't request the information from the farm. It's going to be a lot of work!

Both clients normally use the same ports to communicate on, so there's no easy way to tell which one is trying to establish a connection.

And I would like to restate how important it would be to have CSG involved for any external connectivity.


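Alan's DMZ design (only TCP 443 on the public interface, 1494/2598 only from DMZ to LAN) and Dan's point that both clients use the same ports mean the distinguishing signal is not the client but the path: once CSG is in place, any 1494/2598 attempt arriving from outside is a full PN client bypassing the gateway. The following is an added example, not from the thread or from Citrix, that classifies constructed firewall log lines on that basis; the log format, the DMZ network 192.0.2.0/24, the CSG address 192.0.2.5 and the CPS server 10.0.0.20 are all assumptions.

```python
"""Spot direct ICA (full PN client) connections that bypass the CSG/WI path.
Added example with a constructed log format; not from the forum thread."""
import ipaddress
import re
from collections import Counter

# Constructed sample firewall log: ACTION src:sport -> dst:dport zone-pair.
SAMPLE_LOG = """\
ACCEPT 203.0.113.10:51000 -> 192.0.2.5:443 public->dmz
ACCEPT 203.0.113.10:51001 -> 192.0.2.5:443 public->dmz
DROP 198.51.100.7:49152 -> 192.0.2.5:1494 public->dmz
DROP 198.51.100.7:49153 -> 192.0.2.5:2598 public->dmz
ACCEPT 192.0.2.5:40000 -> 10.0.0.20:1494 dmz->lan
ACCEPT 10.0.0.55:50020 -> 10.0.0.20:1494 lan->lan
DROP 198.51.100.9:49200 -> 192.0.2.5:80 public->dmz
"""

ICA_PORTS = {1494, 2598}  # ICA and session reliability, as named in the thread
CSG_PORT = 443            # the only port Alan leaves open on the public side
# Assumed internal address space: RFC1918 plus the (constructed) DMZ subnet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24")]
LINE_RE = re.compile(r"^(ACCEPT|DROP) (\S+):(\d+) -> (\S+):(\d+) (\S+)$")

def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def classify(line):
    """Return a label for one log line, or None if it does not parse.
    DROP lines are classified too: a dropped 1494 from outside still tells
    you which user is running the old custom connection after the cutover."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _action, src, _sport, _dst, dport, zone = m.groups()
    dport = int(dport)
    if is_external(src) and dport in ICA_PORTS:
        return "direct-ica-from-outside"   # full PN client, not via CSG
    if is_external(src) and dport != CSG_PORT:
        return "non-443-from-outside"      # anything else the policy forbids
    if dport in ICA_PORTS and zone == "dmz->lan":
        return "csg-proxied-ica"           # the expected CSG -> CPS leg
    return "other"

def summarize(log_text):
    """Count each label and collect external sources that tried direct ICA."""
    counts, offenders = Counter(), set()
    for line in log_text.splitlines():
        kind = classify(line)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "direct-ica-from-outside":
            offenders.add(line.split()[1].rsplit(":", 1)[0])
    return counts, sorted(offenders)
```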
Not Ranked
Points 150
Hey Dan -

We actually just figured out how to change all of the ports and it is working as it should. If I create a custom connection with the new port, it will work, but that is fine as we just won't tell anyone the port #.

Why is it so important to have a CSG vs just having HTTPS?

Thanks again for everyone's help!
Top 10 Contributor
Points 48,811
Without CSG, only your logon is encrypted. Once the connection is established to the Citrix server, via WI, it only runs at whatever encryption you set it for. Having it all SSL encrypted is WAY better, plus you don't need external IP addresses for every server you have, since the CSG also acts as a proxy.

