Customer Activities
Rapids Setup
-Firewall Settings

Connecting to Kern River Citrix Servers
For users who access Rapids via the "Launch Rapids" link on this website (the Kern River "standard" or "preferred" method), connectivity to the following servers is required to ensure reliable, uninterrupted access to the application:

TCP 1494 and HTTP 5713 are required for each of the above servers.

Once the above IP addresses and ports are open, you should be able to connect to Rapids from the Launch Rapids Launch Rapids link.

For users that access Rapids via an alternative "Custom ICA Connection" in their Program Neighborhood, Kern River recommends that a custom connection be created for each of the above servers, to ensure availability of the application in the event that a selected server is unavailable.

Citrix and HTTP on TCP5713
The Citrix TCP/IP client uses HTTP when searching for a Citrix server. Kern River has elected to use port 5713, one of the ports approved in "NAESB WGQ Electronic Delivery Mechanism Related Standards".

Connecting to the Citrix Server using TCP port 1494
Citrix TCP/IP client connections use the TCP (Transmission Control Protocol) feature of the TCP/IP suite of protocols for communication between the server and client. TCP is a connection-oriented, end-to-end protocol. It provides reliable, sequenced, and unduplicated delivery of bytes to a remote or local user.

Any application that uses TCP as the transport is assigned a unique port identification number called a TCP port. All TCP communications between the client and a server take place through this TCP port. The client side dynamically assigns a port number when there is a request for service. The server side of the application uses a port number that has been pre-assigned by the Internet Assigned Numbers Authority (IANA).

ICA (Independent Computing Architecture, the Citrix protocol) has been assigned port 1494 in the same way FTP uses port 21 or HTTP uses port 80. NAESB has approved the use of this port for use with Electronic Internet Implementation (EII) of Electronic Bulletin Board (EBB) applications.

The process of connecting to a Citrix server from an ICA client is actually very similar to an FTP connection. The following steps are only a local subnet connection to simplify this discussion, crossing routers or WANs bring the same factors and concerns to Citrix connection as any IP traffic would.

  • The client ARPs for the hardware address of the server so it can begin the connection.
  • Once the hardware address is known the client sends a TCP packet to TCP port 1494 (05d6 hex) on the server with a source TCP port that is a high TCP port (TCP Ports over 1023). The client TCP port is randomly selected from available ports over 1023 at the time of connection.
  • At this point the server normally accepts the request from the client and the connection is negotiated at 1494 inbound and whatever port the client requested outbound. These negotiated ports remain valid for the duration of the session.

Configuring a Firewall for Citrix TCP/IP

Citrix ICA traffic uses the registered port 1494 with the TCP protocol. If you have a Firewall or other TCP/IP network security protection, you need to configure it to allow information to pass to this port number.

Allowing ICA traffic through a Firewall generally entails defining a rule to allow port access for port 1494 traffic in the proper direction. If a user receives a "There is no route to the specified address" message, this is usually due to a Firewall not allowing port 1494 access.

Citrix's Internet technology allows users to run Citrix sessions over the Internet. This poses a challenge for maintaining Internet security because Citrix's ICA protocol is a relatively new networking protocol that runs over TCP/IP using registered port 1494. Firewalls do not understand ICA because it is not a "well known" networking protocol. Therefore, allowing the ICA protocol to pass through the Firewall becomes a configuration challenge. Some types of Firewalls can be configured to pass ICA, while others cannot. ICA uses dynamic port allocation much like the FTP protocol. The initial synchronization between the Citrix client and the CITRIX server occurs over port 1494, but the actual Citrix session occurs over a dynamically allocated port. For this reason, it might be necessary to allow connections over a range of TCP/IP ports through the given firewall. If required, these connections should only be allowed between the client and the server.

A user starts a session from the client. The client contacts the server over TCP port 1494. The server sends a message back to the client over TCP port 1494 saying "connect using port X" where X is any port number above 1023. This is called using TCP High Ports. All of the ports under 1023 are reserved for system use and "Well Known" protocols such as FTP, HTTP etc. The Citrix server will dynamically allocate a specific port above 1023 for each TCP/IP session. This is how we can support multiple sessions at one time. Each one has its own port. If the question is "How do I set this up?" the answer is to allow communications over TCP High Ports. Some firewalls allow you to do this by setting an option in the rules. For others you need to come up with some sort of work around that will not compromise security to any great degree. NOTE: the number of available "high ports" will depend on the individual Firewall's limitations.

Information concerning the port ALLOCATION ALGORITHIM
The issue over security is not addressed in the following statements, however, the NT TCP port allocation algorithm is used to index the ports from minimum user port (1025). A counter is maintained of the last one allocated and is incremented for each allocation. A check is then made to make sure no other connection is using this port, and if so, it goes to the next one. The NT TCP/IP port monitors how many other connections have been made to the box and ensures they are not random. Citrix does not change this at all, and uses standard NT TCP/IP. The maximum user port used by default is 5000, but a registry key "MaxUserPort" can allow this to the TCP/IP maximum of 65534. This is the same as if a Citrix were running an HTTP server. The remote browser would connect at 80, and the NT TCP/IP would allocate a new port in the range 1025-5000 that was not in use. The next user would get port +1 if this one is also not busy, etc. Citrix ICA does the same thing. The firewalls know about port 80, and will allow the allocation due to the connection. This type of rule needs to be enabled in a Firewall specific manner for ICA. All the information the Firewall needs should be in the connection setup messages that flow between the remote client on the other side of the firewall, and the host. These are TCP and not ICA messages. No knowledge of ICA is needed.