Enabling Citrix Access Management Console Traffic Across Firewall Policies
Citrix states in their article: CTX107050
Document ID: CTX107050, Created on: Jun 30, 2005, Updated: May 22, 2006
Products: Web Interface for Presentation Server 4.0, Citrix Presentation Server 4.0 for Microsoft Windows 2000, Citrix Presentation Server 4.0 for Microsoft Windows 2003, Citrix Password Manager 4.1, Citrix Presentation Server 4.0 x64 Edition, Advanced Access Control 4.0
Introduction
The Citrix Access Management Console provides a centralized management tool for the Citrix Access Suite family of products. The Access Management Console may often require access across various firewall policy zones to fully manage Citrix products such as Web Interface or the Access Gateway Enterprise. The policy zone may be between remote sites separated by a secure, policy restricted access list or from an internal, trusted management console to a Web Interface hosted in the DMZ.
The Access Management Console communicates with managed servers over the Distributed Component Object Model (DCOM), which runs on top of Microsoft RPC. A DCOM client first contacts the RPC endpoint mapper on the server at TCP port 135, which returns the port that the requested object was dynamically assigned at run time; the client then opens a second connection to that port. The dynamic assignment was designed to remove port conflicts between clients and servers, but it means the server-side port can be any port between 1024 and 65535, so a firewall in the path would have to permit that whole range. DCOM on Windows NT 4.0 also preferred UDP, and some stateful firewalls do not keep state on UDP exchanges. Both properties conflict with a strong firewall policy.
DCOM communication can be restricted to TCP, and to a specified range of ports, by modifying the registry on the server system hosting the DCOM-based service. In the case of the Access Suite, this is every Presentation Server, Web Interface, or Access Gateway Enterprise system that is managed from the Access Management Console.
Configuring Managed Servers
On Windows 2000 Server and later, DCOM should already use TCP by default. Verify this on every server that will be managed by the Access Management Console by confirming that the REG_MULTI_SZ value
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\DCOM Protocols
lists the protocol “ncacn_ip_tcp” first (before “ncadg_ip_udp”, if UDP is listed at all).
To restrict the range of ports used for DCOM communication, perform the following on each server you manage with the Access Management Console:
1. Create the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet
2. Create a new REG_MULTI_SZ value HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\Ports
Each string in the list is a single port or an inclusive port range. For example:
6000-7000
7001
8000-9000
3. Create a new REG_SZ value HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\PortsInternetAvailable = “Y”
4. Create a new REG_SZ value HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\UseInternetPorts = “Y”
Note: PortsInternetAvailable controls how the Ports list is interpreted. Assigning “Y” means the listed ports are the ones DCOM may use; assigning “N” means the listed ports are excluded and all other ports remain available. UseInternetPorts = “Y” makes the restricted set the default for processes that do not request a specific port. The RPC runtime reads these values only at startup, so restart the server after making the change.
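The four steps above, carried out in PowerShell on a managed server, as an added example that is not part of CTX107050 or any Citrix tool. The port range 7000-8000 is an assumed value chosen for illustration; the script validates the ranges, checks the DCOM Protocols order, writes the Rpc\Internet values, and reads them back.

```powershell
# Added example (not from CTX107050): configure the RPC/DCOM port restriction
# from steps 1-4 on a managed server. Run from an elevated prompt.
#Requires -RunAsAdministrator

param(
    # Each entry is a single port or an inclusive range, e.g. '6000-7000'.
    # The default is an assumed value for illustration only.
    [string[]]$PortRanges = @('7000-8000')
)

$rpcKey      = 'HKLM:\SOFTWARE\Microsoft\Rpc'
$internetKey = Join-Path $rpcKey 'Internet'

# Validate the ranges before touching the registry: each entry must be
# 'n' or 'n-m' with 1024 <= n <= m <= 65535, and the total should be large
# enough (the article suggests roughly 1,000 ports).
$total = 0
foreach ($entry in $PortRanges) {
    if ($entry -notmatch '^(\d+)(?:-(\d+))?$') {
        throw "Invalid port range entry: '$entry'"
    }
    $lo = [int]$Matches[1]
    $hi = if ($Matches[2]) { [int]$Matches[2] } else { $lo }
    if ($lo -lt 1024 -or $hi -gt 65535 -or $lo -gt $hi) {
        throw "Port range '$entry' is outside 1024-65535 or reversed"
    }
    $total += ($hi - $lo + 1)
}
if ($total -lt 1000) {
    Write-Warning "Only $total ports configured; the article recommends about 1,000"
}

# Confirm DCOM prefers TCP: ncacn_ip_tcp must be the first protocol listed.
$protocols = (Get-ItemProperty -Path $rpcKey -Name 'DCOM Protocols' -ErrorAction Stop).'DCOM Protocols'
if (@($protocols)[0] -ne 'ncacn_ip_tcp') {
    Write-Warning "DCOM Protocols lists '$(@($protocols)[0])' first; expected ncacn_ip_tcp"
}

# Step 1: create HKLM\Software\Microsoft\Rpc\Internet if it does not exist.
if (-not (Test-Path $internetKey)) {
    New-Item -Path $internetKey -Force | Out-Null
}

# Step 2: Ports (REG_MULTI_SZ), one port or range per string.
Set-ItemProperty -Path $internetKey -Name 'Ports' -Value $PortRanges -Type MultiString

# Steps 3 and 4: 'Y' means the Ports list enumerates the ports DCOM may use
# (an 'N' would turn it into an exclusion list) and that processes use the
# restricted set by default.
Set-ItemProperty -Path $internetKey -Name 'PortsInternetAvailable' -Value 'Y' -Type String
Set-ItemProperty -Path $internetKey -Name 'UseInternetPorts'       -Value 'Y' -Type String

# Read back what was written so the change can be recorded.
Get-ItemProperty -Path $internetKey |
    Select-Object Ports, PortsInternetAvailable, UseInternetPorts |
    Format-List

Write-Host 'Restart the server; the RPC runtime reads Rpc\Internet only at startup.'
```

Run it once per managed server, then confirm after the reboot that DCOM listeners appear only inside the configured range before tightening the firewall rule.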
Finally, the firewall policies between the Access Management Console and the managed Citrix products require the following rules for Access Management Console operation. The first rule carries the endpoint-mapper lookup; the second carries the DCOM connection to the dynamically assigned port.

Source Addr                  Source Port   Destination Addr   Destination Port
Access Management Console    Any           Managed Servers    TCP 135
Access Management Console    Any           Managed Servers    Configured DCOM Port Range

Scope the source address to the console workstations only. TCP 135 and the RPC port range expose the full DCOM surface of the managed server, so they should not be opened to an entire zone.
Much of this information is detailed in the MSDN Library article Using Distributed COM with Firewalls.
Deployment Considerations
When specifying a range of DCOM ports, a conservative size is about 1,000 ports, for example TCP 7000 through TCP 8000. A smaller range can be specified, but if the range is exhausted some DCOM connections will fail. In many cases the cause is not apparent and is reported only as a generic connection error.
Before specifying the range of DCOM ports on a Presentation Server, profile the server’s port usage with netstat (for example netstat -an) or another port-monitoring utility. The range specified in the registry must not overlap ports already used by existing services and should leave headroom for a busy or heavily DCOM-dependent system. For a typical Presentation Server this is rarely a problem, since most Presentation Servers run client components rather than a server-side component hosting a DCOM interface.
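A way to do that profiling check before writing Rpc\Internet\Ports, as an added example that is not part of CTX107050. The function parses netstat -an output and reports TCP listeners that fall inside a candidate range; the $SampleNetstat excerpt is constructed for offline demonstration and is not output from a real Presentation Server.

```powershell
# Added example (not from CTX107050): check a candidate DCOM port range
# against the TCP listeners on the server. With real data, run:
#   netstat -an | Find-DcomPortConflicts -Range '7000-8000'

function Find-DcomPortConflicts {
    param(
        [Parameter(ValueFromPipeline)] [string[]]$NetstatLines,
        [Parameter(Mandatory)] [string]$Range
    )
    begin {
        if ($Range -notmatch '^(\d+)-(\d+)$') { throw "Range must look like 7000-8000" }
        $lo = [int]$Matches[1]
        $hi = [int]$Matches[2]
        $listeners = @()
    }
    process {
        foreach ($line in $NetstatLines) {
            # A listening TCP row looks like:
            #   TCP    0.0.0.0:135    0.0.0.0:0    LISTENING
            # The first capture is the local port; IPv6 forms like [::]:135 also match.
            if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING') {
                $listeners += [int]$Matches[1]
            }
        }
    }
    end {
        $conflicts = @($listeners | Where-Object { $_ -ge $lo -and $_ -le $hi } | Sort-Object -Unique)
        $size = $hi - $lo + 1
        [pscustomobject]@{
            Range     = $Range
            Size      = $size
            Conflicts = $conflicts
            # Usable only if nothing already listens in the range and it is
            # at least the ~1,000 ports the article recommends.
            Ok        = ($conflicts.Count -eq 0) -and ($size -ge 1000)
        }
    }
}

# Constructed netstat -an excerpt for offline demonstration (not real output).
# 1494 is the ICA port, 2598 session reliability, 1604 the UDP ICA browser.
$SampleNetstat = @'
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1494           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2598           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7001           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1494        192.0.2.50:3377        ESTABLISHED
  UDP    0.0.0.0:1604           *:*
'@ -split "`r?`n"

$SampleNetstat | Find-DcomPortConflicts -Range '7000-8000'   # 7001 conflicts, Ok = False
$SampleNetstat | Find-DcomPortConflicts -Range '8000-9000'   # no conflicts, 1001 ports, Ok = True
```

Only listeners are counted; established connections using ephemeral client ports in the range are transient and do not block RPC from binding a server port there, but a sustained profile over a busy period is still worth taking before committing to a range.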
The Access Management Console should run with Citrix Administrator account privileges. Every deployment scenario assumes that the workstation running the Access Management Console can authenticate the Citrix Administrator account, so the firewall policy must also permit the traffic that authentication requires.