How to Publish a Citrix Server Behind ISA Server

This article describes how to publish a Citrix Metaframe version 1.8 server by using Internet Security and Acceleration (ISA) Server so that external ICA clients can connect and run ICA sessions.

The following steps describe how to configure the ISA Server and the Citrix server. The configuration on the ISA Server requires the creation of a packet filter, a protocol definition, and a server publishing rule. The Citrix server is configured by running a command-line utility.

How to Configure ISA Server

Create a New Protocol Definition That Is Named "Citrix ICA TCP"

1. Start the ISA Management console, open the Policy Elements container, right-click Protocol Definitions, point to New, and then click Definition. Note that if an Enterprise policy is applied to your array, you must create the protocol definition at the Enterprise level.
2. Name the protocol definition Citrix ICA TCP, and then click Next.
3. Type 1494 in the Port number box. Leave the "Protocol type" setting as TCP. Change the "Direction" setting to Inbound, and then click Next.
4. Leave the "Do you want to use a secondary connection." setting at No, click Next, and then click Finish.

Server Publish the Citrix Metaframe Server

1. Start the ISA Management console, open the publishing container, right-click Server Publishing rules, point to New, and then click Rule.
2. Name the rule that you are creating (for example, "Citrix Server"), and then click Next.
3. Type the address of your internal Citrix Server under Internal server, type the appropriate address for the external interface on the ISA server under ISA Server, and then click Next.
4. Click Citrix ICA TCP, and then click Next.
5. Select the appropriate client set. Note that if the server is used by computers that are on the Internet, Any request is the best choice.
6. Click Next, and then click Finish.
7. Restart the Firewall service.

How to Configure the Citrix Metaframe Server

The Citrix server needs to be a SecureNAT client. That means that you do not install the firewall client on the Citrix server; instead, configure the default gateway to point to the internal interface of the ISA server and configure a DNS address on the Citrix server that can resolve Internet names.

In addition, on the Citrix server you must set an alternate address for the ICA sessions. First you must determine the correct ISA external address, and then type the altaddr /set w.x.y.z command from a command prompt on the Citrix server, where w.x.y.z is the external IP address of your ISA server. The Citrix server must be restarted after you run this command. If you only have one IP address that is bound to the external interface of the server, use that address. If you have multiple IP addresses that are bound to the external interface of the ISA server, type the one you used when you created the server publishing rule earlier.

When clients on the Internet want to connect to your Citrix server by using an ICA client, they must connect to the external IP address on the ISA server that is used in the server publishing rule. This is also the same IP address that you specified when you ran the altaddr command.