Goodbye 1494, Hello 2598! Citrix Enhances ICA and Changes its Default Port

One of the “small” new features of Citrix MetaFrame Presentation Server 3.0 was something Citrix calls “session reliability.” All most people know about this is that:

  • When enabled, it allows a session to automatically reconnect when network connectivity is lost.
  • It requires a new TCP port: 2598.
  • It doesn’t work via Citrix Secure Gateway (this is fixed in MPS 4).
  • It requires version 8 ICA clients.

I think there is a common misconception about port 2598 usage. Most people think that 2598 is an “add-on” port that Citrix created to handle heartbeat-type communication between the server and the client, and that this traffic is in addition to standard port 1494 ICA traffic. However, this is not true.

In environments where Session Reliability is enabled, TCP port 2598 replaces port 1494 as the port that the ICA protocol uses.

Why is this? In order to facilitate the additional header information that is needed in a Session Reliability environment, Citrix built a “wrapper” for ICA. Since a MetaFrame server has to peel off this new layer before accessing raw ICA information, Citrix decided to start using a new port.

At this point Citrix Secure Gateway only supports “traditional” ICA traffic, which means you cannot use Session Reliability when connecting through a gateway. (I know, I know... you only really need session reliability when you’re outside the firewall, which means you’d be using CSG. Don’t get me started...) Fortunately, the next version of CSG will support Session Reliability-encapsulated ICA sessions in addition to traditional ICA data.

Any clients before version 8 will not use session reliability, and will therefore still connect on port 1494. As a result, you might have some 1494 and some 2598 sessions in mixed-client environments. Of course, external data will always be SSL-encrypted traffic on port 443. But on the inside of the network, you’re going to see a lot less 1494 and a lot more 2598 over the next few years.
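To see that 1494/2598 mix on a given server before tightening internal firewall rules, the sketch below tallies established sessions per ICA port. It is an added example, not Citrix tooling or code from the original post; it assumes Windows-style `netstat -an` output, and every address in the sample is constructed.

```python
# Added example: tally ICA sessions per port from `netstat -an` output
# captured on a MetaFrame server. All addresses below are constructed.
import re
from collections import defaultdict

ICA_PORTS = {
    1494: "traditional ICA",
    2598: "Session Reliability (wrapped ICA)",
}

# Windows `netstat -an` TCP row: proto, local ip:port, remote ip:port, state
ROW = re.compile(
    r"^\s*TCP\s+(?P<lip>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<rip>[\d.]+):(?P<rport>\d+)\s+(?P<state>\S+)\s*$"
)

SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:1494       0.0.0.0:0          LISTENING
  TCP    0.0.0.0:2598       0.0.0.0:0          LISTENING
  TCP    10.0.0.5:2598      10.0.1.20:51234    ESTABLISHED
  TCP    10.0.0.5:2598      10.0.1.21:51877    ESTABLISHED
  TCP    10.0.0.5:1494      10.0.1.30:1045     ESTABLISHED
  TCP    10.0.0.5:3389      10.0.1.99:50210    ESTABLISHED
  TCP    10.0.0.5:2598      10.0.1.22:50012    TIME_WAIT
"""

def ica_sessions_by_port(netstat_text):
    """Return {port: sorted client IPs} for ESTABLISHED sessions on ICA ports."""
    sessions = defaultdict(set)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or m["state"] != "ESTABLISHED":
            continue  # skip headers, listeners and closing sockets
        port = int(m["lport"])
        if port in ICA_PORTS:
            sessions[port].add(m["rip"])
    return {port: sorted(ips) for port, ips in sessions.items()}

def legacy_port_clients(netstat_text):
    """Clients still on 1494: pre-version-8 clients, or Session Reliability
    is not in use for them. The internal 1494 rule must stay while any remain."""
    return ica_sessions_by_port(netstat_text).get(1494, [])

if __name__ == "__main__":
    for port, clients in sorted(ica_sessions_by_port(SAMPLE_NETSTAT).items()):
        print(f"{port} ({ICA_PORTS[port]}): {len(clients)} session(s) {clients}")
    print("Still on 1494:", legacy_port_clients(SAMPLE_NETSTAT))
```

An empty result from `legacy_port_clients` over a representative capture period is the signal that nothing inside the network still depends on 1494.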


