BM v3.7 on NW5.1SP5 setup with static NAT for Citrix Server, GWIA agent & GW WebAccess (GW5.5ep).

Here are the filters for Citrix:

PROTOCOL-SERVICE IP, Citrix Data In, pid=TCP port=1494 srcport=1024-65535,
Allow Citrix Data In
PROTOCOL-SERVICE IP, Citrix Data Out, pid=TCP port=1024-65535 srcport=1494,
Allow Citrix Data Out
PROTOCOL-SERVICE IP, Citrix Browse O, pid=UDP port=1024-65535 srcport=1604,
Allow Citrix Browse Out
PROTOCOL-SERVICE IP, Citrix Browse I, pid=UDP port=1604 srcport=1024-65535,
Allow Citrix Browse In


It all works fine, except that anybody with a Citrix client that knows the IP address can try to authenticate.

Now my question: can BM be set up so that it challenges the users for login credentials before they try to access the Citrix and WebAccess servers, without causing any problem for incoming internet mail?

Or should I set up the VPN part of BM?


Jeff