
Re: [FW-1] Citrix drops connection when we install rulebase



Torkel,

        What version of Citrix are you using? How are you launching the
applications through Citrix - are you using .ica files or Program
Neighborhood? I had the same problem for a while using .ica files with the
web client. I had to create two new services for ICA traffic which I called:

citrix_tcp (TCP Service)
Port: 1494
Source Port Range: 1024-65356
Protocol Type: URI
Fast Mode: Checked

citrix_udp (UDP Service)
Port: 1604
Source Port Range: 1024-65356

This solved some of the other problems I was having as well as stabilizing
Citrix connections during policy pushes. Not sure if you have this already
set up or not, but it may help.

Rich


-----Original Message-----
From: Torkel Mathisen [mailto:[email protected]]
Sent: Monday, October 07, 2002 9:59 AM
To: [email protected]
Subject: Re: [FW-1] Citrix drops connection when we install rulebase


Hi

I've read this paper, but I didn't think the users would actually
lose the connection. I know that FW-1 clears the connection table
and all that, but it also builds it up again when the session
continues.

From the paper:

"When you push a new rulebase the state table is cleared.  However,
you will not lose any of your established connections while pushing a
new rulebase."

A bit further down:

"... Firewall-1 maintains state of what connection were active prior
to the new rule push.  This old state table is maintained as
old_connections."

We don't have this problem with other protocols. It's just Citrix.
They actually lose the connection. When we use Windows terminal
client we don't get disconnected. I would guess the firewall builds
the connections up again and that this is transparent for the users.

With Citrix this doesn't happen. It's very frustrating for our users
when they are working with something and suddenly have to reconnect.
And possibly even get connected to a different server than before and
lose their work.

The solution you refer to is clicking on "Fast Mode" for ICA (tcp 1494)?
What about icabrowser (udp 1494)?

Regards,
Torkel



> -----Original Message-----
> From: Lars Troen [mailto:[email protected]]
> Sent: 7. oktober 2002 15:20
> To: [email protected]
> Subject: Re: [FW-1] Citrix drops connection when we install rulebase
>
>
> Torkel,
> http://www.enteract.com/~lspitz/fwtable.html
>
> This is a nice paper describing what's going on. The state
> table is flushed when you install a policy, but if you read
> further you can see there's still hope. :)
>
> Lars
>
>
>
> > -----Original Message-----
> > From: Torkel Mathisen [mailto:[email protected]]
> > Sent: Monday, October 07, 2002 14:18
> > To: [email protected]
> > Subject: [FW-1] Citrix drops connection when we install rulebase
> >
> >
> > We have a problem here with Citrix being dropped when we install
> > the rulebase.
> >
> > The users have Citrix clients up at all time, but whenever we
> > install the rulebase on the firewall the connection is dropped
> > and they have to connect again.
> >
> > Anyone have any experience with this?
> >
> > We haven't done anything special in the firewall. Only a rule that
> > accept Citrix (1604 and 1494).
> >
> > Regards,
> > Torkel
> >
> > =================================================
> > To set vacation, Out Of Office, or away messages,
> > send an email to [email protected]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [email protected]
> > =================================================
> >
>