Firewalls and proxy servers – configuration tips

Landonline uses the Citrix ICA protocol to communicate over the Internet between individual computers and the Landonline server.

Note: This page has been written for network administrators.

If your computer is separated from the Internet by a firewall, you may need to arrange for the firewall rules to be changed to allow Citrix ICA traffic to pass. Please discuss with your IT support staff or service provider.

Purpose

  • Describe the requirements for running Landonline via a firewall.
  • Provide firewall administrators with the necessary details to make firewall configuration changes.

Background

  • The Citrix session is initiated from a browser.
  • Initial authentication to the Landonline server occurs over an SSL/TLS [1] (HTTPS) connection.
  • The ICA connection parameters are then passed back to the browser to launch the ICA session.
  • This approach avoids the need for any configuration settings to be made on the client computer, and allows the session to be allocated to any one of a set of servers for load balancing.

Ports and protocols

  • In order to access Landonline, you require TLS (Transport Layer Security) on Port 443 (TCP protocol, inbound and outbound).
  • In restricted environments, users with 1-year Digital Certificates may need to open pinholes in their firewall for Landonline IP addresses:
    • 202.175.131.15
    • 202.175.131.14
  • In restricted environments, users with 2-year Digital Certificates may need to open pinholes in their firewall for the following Landonline hosts and ports:
    • enrolllinzlol.managed.entrust.com, port 829
    • linzlolldap.managed.entrust.com, port 389
    • 144.66.99.25, port 443
    • 144.66.99.25, port 80
    • 144.66.99.9
  • LINZ reserves the right to change or extend the range of IP addresses used in the future.
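A client-side way to confirm that the pinholes listed above are actually open, as an added example that is not LINZ's own tooling: it attempts a TCP connection to each endpoint from the "Ports and protocols" section and, for port 443, a TLS handshake that refuses anything below the TLS 1.2 minimum stated in the footnote. Entries the page lists without a port are assumed here to use 443.

```python
import socket
import ssl

# (host, port) pairs from the "Ports and protocols" section above.
# Entries the page lists without a port are ASSUMED here to use 443.
LANDONLINE_ENDPOINTS = [
    ("202.175.131.15", 443),
    ("202.175.131.14", 443),
    ("enrolllinzlol.managed.entrust.com", 829),
    ("linzlolldap.managed.entrust.com", 389),
    ("144.66.99.25", 443),
    ("144.66.99.25", 80),
    ("144.66.99.9", 443),  # no port on the page; 443 assumed
]


def tcp_reachable(host, port, timeout=5.0, connect=socket.create_connection):
    """True if a plain TCP connect to host:port succeeds (i.e. the firewall
    pinhole is open). `connect` is injectable so the logic can run offline."""
    try:
        sock = connect((host, port), timeout=timeout)
    except OSError:
        return False
    sock.close()
    return True


def negotiated_tls_version(host, port=443, timeout=5.0):
    """Return the TLS version the server negotiates when the client refuses
    anything below TLS 1.2 (the page's stated minimum), or None on failure."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ValueError):  # blocked, reset, or certificate/version rejected
        return None


def audit(endpoints=LANDONLINE_ENDPOINTS, connect=socket.create_connection):
    """Map 'host:port' to 'open' or 'blocked' for every required endpoint."""
    return {f"{host}:{port}": "open" if tcp_reachable(host, port, connect=connect)
            else "blocked" for host, port in endpoints}


if __name__ == "__main__":
    for endpoint, state in audit().items():
        print(f"{endpoint:45} {state}")
    for host, port in LANDONLINE_ENDPOINTS:
        if port == 443:
            print(f"{host}:443 TLS -> {negotiated_tls_version(host) or 'handshake failed'}")
```

Run it from a workstation behind the firewall in question; a "blocked" line or a failed TLS handshake on a 443 endpoint points at the rule or proxy that still needs changing.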

Proxy servers

  • The requirements for a proxy server based firewall to pass ICA traffic are the same as described above.
  • However, depending on the type of proxy server this may not be supported.
  • You will need to investigate the capabilities of your particular product, although some hints for using Microsoft Proxy Server are provided below.
  • The Citrix ICA client supports SOCKS proxies using both SOCKS level 4 and level 5.
  • However, we are aware of some difficulties being experienced with a level 4 SOCKS server, so we recommend level 5 if available.

Practical Hints

  • Microsoft Proxy Server supports three proxy services:
    • The web proxy service which supports common web protocols such as HTTP and FTP only
    • The SOCKS proxy service
    • The Winsock proxy service which supports transparent proxying of all TCP and UDP traffic, from Windows client PCs only.
  • The Winsock proxy service works well with Landonline. The SOCKS proxy service should also work.
  • To use the Winsock proxy service, the service must be enabled on the proxy server and appropriate permissions must be granted to the user. The Winsock proxy client software must also be installed and enabled on the user’s PC, as follows:
    • Access the share on your proxy server at \\servername\mspclnt
    • Run Setup.exe
    • Reboot the PC.
  • Note that enabling the Winsock proxy client may allow other classes of Internet access besides ICA traffic.
  • Consult your proxy server documentation for instructions on restricting Winsock proxy access to specific protocols, if required.

[1] SSL/TLS refers to secure communication across the Internet. While SSL (Secure Sockets Layer) has been superseded by the Transport Layer Security (TLS) protocols, the term SSL is still in common use. Landonline currently supports TLS 1.2.
