This document explains how to configure a Citrix Extranet client for ICA connectivity where the client is behind a company proxy server and the MetaFrame server is on the other side of the proxy server.

The Citrix Extranet Client supports the following types of proxying, where the client is behind a proxy server:

    • FTP proxying, with the FTP Proxy tab

    • HTTP proxying, with the Web proxy tab

    • SSL tunneling, with the Generic proxy/FTP proxy/Web proxy tab and the "Use the SSL tunneling proxy defined on the SSL proxy tab" option

The Citrix Extranet Client does not support SOCKS proxying, because it is only a SOCKS server (for the ICA Client), not a SOCKS client (for another SOCKS proxy server).

For ICA connectivity through a client-side proxy server, use SSL tunneling. If your Citrix Extranet Clients are behind a proxy server that supports SSL tunneling, follow these steps:

    1. In the Extranet client, select View > Options.

    2. On the Generic Proxy tab, enable the checkbox labeled "Use the SSL tunneling proxy defined on the SSL proxy tab."

    3. On the SSL Proxy tab, select the "Connect through proxy server" menu and enter the address and port (usually 443) for your proxy server.

Example: Internet Explorer Proxy Settings

In Microsoft Internet Explorer, select Tools > Internet Options. Select the Connections tab and then click Settings to configure the Proxy server(s) to be used.

If you enable the Use a proxy server checkbox and select Advanced, the Proxy Settings dialog box is displayed. The first five fields are:

1. HTTP

    This is for http:// URLs. HTTP proxying is a standard feature of the HTTP protocol (RFC 2616).

    HTTP proxying happens on port 80 by default; 8080 and 3845 are other common port numbers for HTTP proxying.

    Proxy servers can and usually do provide access control and caching for HTTP proxying.

2. Secure

    This is for https:// URLs. SSL tunneling is a widely implemented extension to the HTTP protocol (the CONNECT method mentioned in RFC 2616); there was an Internet Draft, but it has never itself been an RFC. SSL tunneling happens on port 443 (by default).

    SSL tunneling isn't true proxying; the proxy server cannot decrypt SSL traffic. SSL tunneling merely allows the Web browser to punch a hole through the proxy server. SSL tunneling can be used for any protocol, not just HTTPS.

    Proxy servers just provide access control for SSL tunneling, not caching.

3. FTP

    This is for ftp:// URLs. FTP proxying uses the same port as HTTP proxying. In FTP proxying, the Web browser uses HTTP to communicate with the proxy server; the proxy server then uses FTP to communicate with the FTP server. So, true protocol conversion is involved here.

    Proxy servers can and usually do provide access control and caching for FTP proxying.

4. Gopher

    This is for gopher:// URLs. The gopher protocol is no longer used widely.


5. Socks

    This is for all URLs. SOCKS proxying uses the SOCKS protocol, and uses port 1080 (by default).

    Proxy servers can and usually do provide access control for SOCKS proxying.

Most proxy servers can and do support all of these mechanisms (the Microsoft Proxy Server does). Therefore, there is a checkbox labeled "Use the same proxy server for all protocols," but the mechanisms use different ports and different protocols. Trying to put SOCKS through an SSL tunnel, or SSL tunneling through a SOCKS port, will be rejected by the proxy server.
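
The following sketch is an added example, not Citrix or Microsoft code. It shows why a SOCKS/SSL-tunnel mismatch is rejected and why a proxy's control over an SSL tunnel is limited to the CONNECT destination. The listener labels `web` and `socks` (grouping HTTP, FTP and CONNECT because all three use HTTP request syntax toward the proxy), the port allowlist and the sample bytes are assumptions constructed for illustration.

```python
import re

# Assumed policy for this sketch: tunnels may only reach the HTTPS port.
ALLOWED_CONNECT_PORTS = {443}

# Hypothetical listener labels mapped to the opening messages each one parses.
LISTENER_ACCEPTS = {"web": {"http", "ftp", "ssl-tunnel"},
                    "socks": {"socks4", "socks5"}}

CONNECT_RE = re.compile(rb"^CONNECT ([A-Za-z0-9.-]+):(\d{1,5}) HTTP/1\.[01]\r\n")
PROXY_GET_RE = re.compile(rb"^[A-Z]+ (http|ftp)://\S+ HTTP/1\.[01]\r\n")

def classify(first_bytes: bytes) -> str:
    """Name the proxy mechanism implied by a client's opening bytes."""
    if first_bytes[:1] == b"\x04":      # SOCKS4 request starts with version 4
        return "socks4"
    if first_bytes[:1] == b"\x05":      # SOCKS5 greeting starts with version 5
        return "socks5"
    if CONNECT_RE.match(first_bytes):   # SSL tunneling request
        return "ssl-tunnel"
    m = PROXY_GET_RE.match(first_bytes) # absolute-URL request to a proxy
    return m.group(1).decode() if m else "unknown"

def decide(listener: str, first_bytes: bytes) -> str:
    """Return 'accept' or a 'reject: ...' reason for one new connection."""
    kind = classify(first_bytes)
    if kind not in LISTENER_ACCEPTS[listener]:
        return f"reject: {kind} sent to {listener} listener"
    if kind == "ssl-tunnel":
        # The tunneled payload is opaque to the proxy, so the only control
        # point is the destination named in the CONNECT line.
        port = int(CONNECT_RE.match(first_bytes).group(2))
        if port not in ALLOWED_CONNECT_PORTS:
            return f"reject: CONNECT to port {port} not allowed"
    return "accept"

# Constructed sample openings (not captured traffic).
TUNNEL_443 = b"CONNECT gateway.example.com:443 HTTP/1.0\r\n\r\n"
TUNNEL_25 = b"CONNECT gateway.example.com:25 HTTP/1.0\r\n\r\n"
SOCKS5_HELLO = b"\x05\x01\x00"
FTP_VIA_HTTP = b"GET ftp://ftp.example.com/readme.txt HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for listener, msg in [("web", TUNNEL_443), ("web", TUNNEL_25),
                          ("socks", TUNNEL_443), ("web", SOCKS5_HELLO),
                          ("web", FTP_VIA_HTTP)]:
        print(listener, classify(msg), "->", decide(listener, msg))
```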