11-11-2010 11:57 AM
I have a policy that allows traffic to my Citrix server using application objects Citrix, Citrix-jedi, web-browsing, and ssl. The Citrix object includes 2598 tcp (session reliability) as a standard port. I originally had service set to application-default, but I noticed that traffic on 2598 is being shown as "unknown-tcp" application, and is being blocked, so I changed service to any. Session reliability (2598) connections are still being blocked. What's the best way to fix this so session reliability works?
Thanks,
Derek Harris
11-11-2010 06:59 PM
Derek.
You could ptu in place an Application Override for the session reliability port, but first you should be sure that's actually the problem.
I had a similar problem recently when I moved my Citrix Metaframe front end server from one IP link behind an old Checkpoint firewall to a new one behind the Palo Alto firewalls - and the issue turned out to be a mis-match between the session reliability being enabled on one end and not the other end (between the front end and the server farm).
I also had to put in an applicatuion override for the Citrix STA (Secure Ticket Authority) on port 8080 because that didn't match - but the Session reliability went away once I got the reliability configured on both ends.
Cheers
11-11-2010 06:59 PM
Derek.
You could ptu in place an Application Override for the session reliability port, but first you should be sure that's actually the problem.
I had a similar problem recently when I moved my Citrix Metaframe front end server from one IP link behind an old Checkpoint firewall to a new one behind the Palo Alto firewalls - and the issue turned out to be a mis-match between the session reliability being enabled on one end and not the other end (between the front end and the server farm).
I also had to put in an applicatuion override for the Citrix STA (Secure Ticket Authority) on port 8080 because that didn't match - but the Session reliability went away once I got the reliability configured on both ends.
Cheers
11-12-2010 09:04 AM
Session reliability is enabled on the server (single server install, <40 clients), and I have confirmed that it works on the LAN. I just put an application override policy in place, so I'll see if that takes care of it. I'll let you know...
Thanks!
11-12-2010 09:46 AM
It looks like it's working now. It's no longer showing "unknown-tcp," but occasionally shows "insufficient-data." It's allowing the packets now, so thanks for your help.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
