Product Documentation

Configuring Firewalls for the Secure Gateway

Jul 22, 2010

The Secure Gateway is typically deployed in the DMZ, so that traffic originating from a remote user device must traverse firewalls to get to the destination server in the secure network. It is, therefore, crucial to the Secure Gateway operation that firewalls are configured to allow network traffic traversal. Correct firewall configuration can help prevent disconnects and contribute toward better performance of the Secure Gateway.

Of particular concern with regard to firewall traversal is ICA/SSL traffic, a Citrix-proprietary protocol used for communications between user devices and computers running Citrix XenApp. Firewalls are not ICA-aware and do not make any distinction between HTTPS or ICA/SSL traffic. The ICA protocol is a real-time, interactive protocol that is very sensitive to latency and other network delays. Because ICA traffic typically consists of mouse-clicks and keystrokes, delays in their transmission could result in significantly degraded performance of the connection. In contrast, HTTPS traffic is less sensitive to latency or other types of network delays. Therefore, HTTPS connections to computers running Citrix XenApp are less affected than ICA connections to computers running Citrix XenApp.

To ensure that users experience usable and reliable sessions when using the Secure Gateway, Citrix recommends configuring your firewall to work in forwarding mode as opposed to proxy mode. Set the firewall to use its maximum inspection level. Configuring your firewall to use forwarding mode ensures that TCP connections are opened directly between remote user devices and the Secure Gateway.

However, if you prefer to configure your firewall to use proxy mode, ensure that your firewall does not:

  • Impose any time-outs on ICA/SSL sessions, including idle, absolute, and data traffic time-outs
  • Use the Nagle algorithm for ICA/SSL traffic
  • Impose any other specific restrictions or filters on ICA/SSL traffic