NetScaler Firewall Rules

Last Modified: Jun 1, 2017 @ 6:04 pm

Navigation

This page contains the following tables:

  • NetScaler Firewall Rules
  • NetScaler MAS Firewall Rules
  • Command Center Firewall Rules
  • Insight Center Firewall Rules
  • XenApp/XenDesktop Firewall Rules
  • Provisioning Services Firewall Rules

💡 = Recently Updated

NetScaler Firewall Rules

From | To | Protocol / Port | Purpose
Administrator machines | NSIPs (and/or SNIPs) | TCP 22, TCP 80, TCP 443, TCP 3010, TCP 3008 | SSH and HTTP/SSL access to the NetScaler configuration GUI. TCP 3008/3010 are used by the Java GUI; 3008 is used if the traffic is encrypted. Java is not needed in 10.5 build 57 and newer.
Administrator machines | NetScaler SDX SVM, XenServer | TCP 22, TCP 80, TCP 443 | To administer NetScaler SDX
Administrator machines | NetScaler Lights Out Module | TCP 443, TCP 623, TCP 5900 | CTX200367
NSIP, SNIP | DNS servers | Ping, UDP 53, TCP 53 | Ping is used for monitoring. It can be turned off by load balancing DNS on the same appliance.
NSIPs, SNIP | NTP servers | UDP 123 | NTP
NSIPs, SNIP (NS 11+) | Syslog server | UDP 514 | Syslog
NSIPs | callhome.citrix.com, cis.citrix.com, taas.citrix.com | TCP 443 | Call Home
NSIPs (default), SNIP | LDAP Servers (Domain Controllers) | TCP 389 (StartTLS), TCP 636 (Secure LDAP) | Secure LDAP requires certificates on the Domain Controllers. Secure LDAP enables password changes when they expire. SNIP if load balanced on the same appliance.
NSIPs | LDAP Servers | TCP 389, TCP 636 | Monitor Domain Controllers
NSIPs (default), SNIP | RADIUS servers | UDP 1812 | RADIUS is used for two-factor authentication. SNIP if load balanced on the same appliance.
SNIP | RADIUS servers | UDP 1812, Ping | Monitor RADIUS servers
NetScaler SDX Service virtual machine | NSIPs | Ping, TCP 22, TCP 80, TCP 443 | Only if NetScaler VPX runs as a virtual machine on top of NetScaler SDX
Local GSLB Site IP, SNIP | GSLB Site IP (public IP) in other datacenter | TCP 3009, TCP 3011 | GSLB Metric Exchange Protocol between appliance pairs
NSIPs | GSLB Site IP (public IP) in other datacenter | TCP 22, TCP 3008, TCP 3010 | GSLB Configuration Sync
Local GSLB Site IP, SNIP | All Internet | Ping, UDP 53, TCP (high ports) | RTT to DNS servers for Dynamic Proximity determination
SNIP | StoreFront Load Balancing VIP | TCP 443 | NetScaler Gateway communicates with StoreFront
SNIP | StoreFront servers | TCP 80, TCP 443, TCP 808 | StoreFront Load Balancing
NSIPs | StoreFront servers | TCP 80, TCP 443 | Monitor StoreFront servers
StoreFront servers | NetScaler Gateway VIP (DMZ IP) | TCP 443 | Authentication callback from StoreFront server to NetScaler Gateway.
SNIP | Each individual Controller in every datacenter | TCP 80, TCP 443 | Secure Ticket Authorities. This cannot be load balanced. TCP 443 only if certificates are installed on the Delivery Controllers.
SNIP | All internal virtual desktops and session hosts (subnet rule?) | TCP 1494, TCP 2598, UDP 1494, UDP 2598, UDP 16500-16509, UDP 3224-3324 | HDX ICA, Enlightened Data Transport, Session Reliability, UDP Audio, Framehawk
All Internet, All internal users | NetScaler Gateway VIP (public IP) | TCP 80, TCP 443, UDP 443 | Connections from browsers and native Receivers; DTLS for UDP Audio
All Internet, All internal DNS servers | SNIP (public IP) | UDP 53 | ADNS (for GSLB)
Web logging server | NSIPs | TCP 3010 | Web logging polls the NetScalers.
NSIPs | Citrix Command Center or other SNMP Trap Destination | UDP 161, UDP 162 | SNMP Traps
NSIPs | Citrix Insight Center or other AppFlow Collector | UDP 4739 | AppFlow

  • Authentication traffic uses the NSIPs by default. This can be changed by creating a local Load Balancing Virtual Server on the same appliance and sending authentication traffic through the load balancer.
  • If a NetScaler will load balance, a monitor is required to determine whether the service is up. Several of the monitors run as Perl scripts, which require connectivity from the NSIPs. The actual load-balanced traffic can use the SNIP as the source IP.
  • DNS uses ping for monitoring. This can be disabled by creating a local Load Balancing Virtual Server on the same appliance and sending DNS traffic through the load balancer.
  • On a NetScaler with a dedicated management network whose default route is on a different data network, traffic that is normally sourced from the NSIP will be sourced from the SNIP instead if the NetScaler cannot find a route on the NSIP network. To revert to the NSIP as the source, add a static route on the NSIP network.
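The first note above, expressed as NetScaler CLI configuration: this is an added example, not configuration from the original page. It builds a local LDAPS load balancing vserver so that NetScaler Gateway authentication binds leave from the SNIP, while the LDAP monitor (a Perl script run through the local dispatcher) still probes from the NSIPs. Server names, IP addresses and directory DNs are constructed placeholders.

```text
# Added example (not from the original page): LDAPS load balancer on the same appliance,
# so that Gateway authentication is sourced from the SNIP instead of the NSIPs.
# All names, addresses and DNs below are constructed placeholders; replace them with yours.

# Domain Controllers (the "LDAP Servers" row in the table)
add server DC01 10.1.1.10
add server DC02 10.1.1.11

# TCP 636 services. Service type TCP, not SSL, so the appliance passes LDAPS through
# end-to-end and needs no certificate of its own for this vserver.
add service svc_DC01_ldaps DC01 TCP 636
add service svc_DC02_ldaps DC02 TCP 636

# LDAP monitor. This is one of the Perl-script monitors (nsldap.pl via the local dispatcher),
# so its probes leave from the NSIPs: the "NSIPs -> LDAP Servers TCP 636" rule stays required.
add lb monitor mon_ldaps LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -secure YES -baseDN "dc=corp,dc=example" -bindDN "cn=nsmon,ou=Service,dc=corp,dc=example" -password "REPLACE_ME" -filter "cn=builtin"
bind service svc_DC01_ldaps -monitorName mon_ldaps
bind service svc_DC02_ldaps -monitorName mon_ldaps

# Internal load balancing VIP (constructed address). Traffic that this vserver forwards to the
# Domain Controllers is sourced from the SNIP, which is the "SNIP if load balanced" case above.
add lb vserver lb_ldaps TCP 10.1.1.100 636
bind lb vserver lb_ldaps svc_DC01_ldaps
bind lb vserver lb_ldaps svc_DC02_ldaps

# Point the Gateway's LDAP action at the local VIP over Secure LDAP (TCP 636). Secure LDAP is
# what allows the expired-password change mentioned in the table; plain 389 does not.
add authentication ldapAction ldap_corp -serverIP 10.1.1.100 -serverPort 636 -secType SSL -ldapBase "dc=corp,dc=example" -ldapBindDn "cn=nsbind,ou=Service,dc=corp,dc=example" -ldapBindDnPassword "REPLACE_ME" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -passwdChange ENABLED
```

To confirm which source IP the appliance is actually using, SSH to the NetScaler, run shell, and run nstcpdump.sh port 636 while a user logs on.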

NetScaler MAS Firewall Rules

NetScaler Management and Analytics System (NetScaler MAS) is a combination of Command Center and Insight Center.

From | To | Protocol / Port | Purpose
NetScaler MAS | NSIPs | Ping, TCP 22, TCP 80, TCP 443 | Discovery and configuration of NetScaler devices
NSIPs | NetScaler MAS | UDP 4739 | AppFlow
NSIPs, SNIP | NetScaler MAS | TCP 5557 | ULFD (unified logging format)
NSIPs | NetScaler MAS | UDP 161, UDP 162 | SNMP Traps
CPX Instances | NetScaler MAS | TCP 27000, TCP 7279 | Citrix Licensing
Administrator Machines | NetScaler MAS | TCP 22, TCP 80, TCP 443 | Web-based GUI
XenDesktop Controllers | NetScaler MAS | TCP 443 | Insight Integration with Director
NetScaler MAS | LDAP(S), LDAP(S) VIP | TCP 389, TCP 636 | LDAP authentication
NetScaler MAS | Mail Server | TCP 25 | Email alerts
NetScaler MAS | NTP Server | UDP 123 | NTP
NetScaler MAS | Syslog Server | UDP 514 | Syslog

Command Center Firewall Rules

From | To | Protocol / Port | Purpose
NSIPs | Citrix Command Center / NMAS | UDP 161, UDP 162 | SNMP Traps
Citrix Command Center | SQL Server | TCP 1433, UDP 1434, Other static port | SQL database
Citrix Command Center / NMAS | NSIPs | TCP 22, UDP 161, UDP 162 | SSH to configure the appliance. SNMP to poll the appliance. SNMP ping.
Citrix Command Center / NMAS | Mail server | TCP 25 | SMTP
Citrix Command Center / NMAS | Domain Controllers | TCP 389, TCP 636 | LDAP, LDAPS
Administrator Machines | Citrix Command Center | TCP 8443, TCP 3389 | Web-based GUI, RDP

Insight Center Firewall Rules

From | To | Protocol / Port | Purpose
Insight Center | NSIPs | Ping, TCP 22, TCP 80, TCP 443 | Configures NetScaler to send AppFlow to Insight Center
NSIPs | Insight Center | UDP 4739 | AppFlow
NSIPs, SNIP | Insight Center | TCP 5557 | ULFD (unified logging format) 💡
Administrator Machines | Insight Center | TCP 80, TCP 443 | Web-based GUI
XenDesktop Controllers | Insight Center | TCP 443 | Insight Integration with Director
Insight Center | LDAP(S), LDAP(S) VIP | TCP 389, TCP 636 | LDAP authentication to Insight Center
Insight Center | Mail Server | TCP 25 | Email alerts
Insight Center | NTP Server | UDP 123 | NTP
Insight Center | Syslog Server | UDP 514 | Syslog

XenApp/XenDesktop Firewall Rules

From | To | Protocol / Port | Purpose
Administrator machines | Controllers | TCP 80/443, TCP 3389 | PowerShell, RDP
Controllers | SQL Server | TCP 1433, UDP 1434, Other static port | SQL database
Controllers | vCenter | TCP 443 | vCenter
Controllers | SCVMM | TCP 8100 | SCVMM
Controllers | Citrix Licensing | TCP 27000, TCP 7279, TCP 8082-8083, TCP 80 | Citrix Licensing
StoreFront servers | Citrix Delivery Controllers | TCP 80, TCP 443 | XML, Secure Ticket Authority
StoreFront servers | StoreFront servers | TCP 808 | Subscription Replication
StoreFront servers | Trusted Domain Controllers | TCP 135, TCP 49151-65535 | RPC 💡
Administrator machines | StoreFront servers | TCP 3389 | RDP
Administrator machines | Citrix Licensing | TCP 8082-8083, TCP 80, TCP 3389 | Web-based administration GUI, RDP
Controllers | All VDAs | TCP 80 | Brokering
All VDAs | Controllers | TCP 80 | Registration
All VDAs | Global Catalogs (Domain Controllers) | TCP 3268 | Registration
All Receivers (Internal) | StoreFront SSL Load Balancing VIP | TCP 80, TCP 443 | Internal access to StoreFront
All Receivers | NetScaler Gateway VIP | TCP 80, TCP 443 | External (or internal) access to NetScaler Gateway
All Receivers (Internal) | All VDAs | TCP 1494, TCP 2598, UDP 16500-16509, UDP 3224-3324 | ICA/HDX, Session Reliability, UDP Audio, Framehawk
Administrator machines | Director | TCP 3389 | RDP
Administrator machines, Help Desk machines | Director | TCP 80, TCP 443 | Web-based GUI
Director | Controllers | TCP 80, TCP 443 | Director
Director, Administrator machines, Help Desk machines | All VDAs | TCP 135, TCP 3389 | Remote Assistance

Also see Microsoft TechNet: “Which ports are used by a RDS 2012 deployment?” 💡

Provisioning Services Firewall Rules

From | To | Protocol / Port | Purpose
Provisioning Servers | SQL Server | TCP 1433, UDP 1434, Other static port | SQL database for Provisioning Services
Provisioning Servers | Provisioning Servers | SMB | File copy of vDisk files
Provisioning Servers | Provisioning Servers | UDP 6890-6909 | Inter-server communication
Provisioning Servers | Citrix Licensing | TCP 27000, TCP 7279, TCP 8082-8083, TCP 80 | Citrix Licensing
Provisioning Servers | Controllers | TCP 80, TCP 443 | Setup Wizards to create machines
Provisioning Servers | vCenter | TCP 443 | Setup Wizards to create machines
Provisioning Servers | Target Devices | UDP 6901, UDP 6902, UDP 6905 | Provisioning Services Console Target Device power actions (e.g. Restart)
Administrator machines | Provisioning Servers | TCP 3389, TCP 54321, TCP 54322, TCP 54323 💡 | RDP, SOAP
Controllers | Provisioning Servers | TCP 54321, TCP 54322, TCP 54323 💡 | Add machines to Catalog
Target Devices | DHCP Servers | UDP 67 | DHCP
Target Devices | KMS Server | TCP 1688 | KMS Licensing
Target Devices | Provisioning Servers | UDP 69, UDP 67/4011, UDP 6910-6969 | TFTP, PXE, Streaming (expanded port range)

35 thoughts on “NetScaler Firewall Rules”

  1. Hi All, I have set up NetScaler 11.1 VPX on AWS and everything is fine, but when launching applications it doesn't happen. Directly from StoreFront it's working fine. I just came to know that 2598/1494 are getting reset by the Delivery Controller. All ports are allowed, but still these two ports are getting reset. Please suggest if you have any solutions.

  2. Hi Carl,

    We are using NetScaler MPX 5500 in our Citrix environment. Our environment is secured through SSL VPN and WAF. The client wants to present StoreFront directly out to the internet and therefore relieve ourselves of the dependency on the NetScalers. What would we gain and what would we lose? My concern here is how we secure our environment without NetScaler. How do we do the encryption to secure HTTPS connections without NetScaler?

  3. Hi Carl

    Thanks for all information.

    In our environment we are able to telnet (on 3009, 3010, 3011 and 22) from Site A to Site B, but vice versa is not working for the GSLB setup. As per the network guy, GSLB services are not running on Site A, as they are unable to telnet from the FW (in between Site A and Site B) to Site A, whereas the same is working from the FW to Site B. However, we have installed the GSLB service properly while configuring. I have also tested telnet to the local GSLB Site A IP on the same GSLB ports and it fails, which indicates some issue in the GSLB services in Site 1, but I am unable to guess where it could be. Please can you help me with a hint or possible configuration to check?

    Thanks in advance.

  4. Hi Carl, what is the difference between Local GSLB Site IP SNIP and SNIP? Are the firewall ports mentioned in this blog for SNIP? I have a requirement to set up GSLB.

  5. Hey Carl,

    This was GREAT help for me.

    Quick question though: I have a lab with a 3-legged scenario: one subnet for management (NSIPs), one subnet for DMZ, and another subnet for backend services (LAN).

    In this case, since I am isolating management, I notice that the source for the Perl scripts is the SNIP, not the NSIPs. Is this normal behavior?

  6. Hey Carl, thanks for the information.

    I have one question about NetScaler VPN.

    Which firewall ports are needed for the VPN setup? My NetScaler is in the DMZ with a VPN vServer. Is only port 443 to my StoreFront from my SNIP needed? Because I think “Any” from my SNIP to my LAN cannot be a resolution…

    Thanks and best regards
    Mark

    1. What traffic is going across the VPN tunnel?

      If you aren’t doing Intranet IPs, then everything comes from the SNIP and SNIP needs access to everything the users need to access.

      If you are doing Intranet IPs, then you open the firewall from the Intranet IP to whatever the users need to access.

    1. Are you asking for a firewall rule if you’re using a different TFTP server than the one installed on PvS?

  7. Cannot roll back the FW rule now… customer has strict change management for that (read: “the process is too heavy, so will leave it there for now”), but this must be tested elsewhere.

  8. Access from StoreFront nodes version 3.6 to the NS LB VIP needs to be open on port 443 and HTTPS.
    Found this out the hard way… it seems the SF nodes need access to the /discover URL. I am not sure whether this has to do with the new 3.6 feature “no need for hosts file modification” stuff, but it is worth mentioning maybe in the FW rules.

  9. Hi Carl,
    great article! But I think there is something missing in the PVS section.

    You wrote:

    TargetDevices -> Provisioning Servers
    UDP 69 – TFTP
    UDP 4011 – PXE
    UDP 6890-6969 – Streaming

    But shouldn’t it be more like this:

    TargetDevices -> Provisioning Servers
    UDP 69 – TFTP
    UDP 4011/67 – PXE/Broadcast
    UDP 6910 – Target Device logon at PVS
    UDP 6910-6930 – streaming service (default with 8 threads per port)
    UDP 6969 – Two Stage Boot (If ISO or USB is used)

    And also I’m missing the PVS to PVS communication:

    UDP 6890-6909 – PVS Inter-Server communication

    Please correct me if I’m wrong

    Best Regards,
    Sebastian

    1. Isn’t 67 only needed for DHCP on PvS? If DHCP is separate from PvS, then isn’t it 4011?

      6890-6969 should encompass all of the ports. I always increase the default TD ports from 6910-6968. But if 6890-6909 is only used between servers then I could clarify that.

      1. Hi Carl,
        actually it’s the other way round.
        Port 4011 will be used if PXE is on the same machine as DHCP, and port 67 is used if it's separated (PXE Broadcast). I just added port 67 explicitly for the sake of completeness. 🙂

        And yes, 6890-6909 is only used for inter-pvs communication.
        Didn’t notice that you wanted to point out the reconfiguration for the streaming ports – sorry!
        But you’re right – it’s a good thing to do! Maybe (to prevent misconfiguration) you should point out that the range has to be manually extended, and otherwise the configured ports won’t be used.

        Best Regards,
        Sebastian

  10. Hi Carl,

    Can we have LDAP and XML service servers in a different subnet from the SNIP? I am able to ping the Domain Controller and Citrix Controller servers from the NetScaler; however, I believe that goes through the NetScaler IP.

    If yes, how can we configure the communication between SNIP to LDAP, DNS & XML Service? Using Gateway Routes?

    Regards,
    Swapnil

    1. If the NetScaler is not connected to the same subnet as the back-end servers, then NetScaler will send the packets through a router. If you only have one connected interface, then it will go through the default gateway. If you have multiple subnets, then you need to configure the routing table correctly.

  11. Hi Carl, thanks for the article.
    What would be the required ports to access the SVM GUI from the administrator's machine, and the same for the XenServer IP?
    And also, does the NetScaler GUI version 11 still require the Java ports?

    1. You would want 22, 80, and 443 to access SVM and XenServer.

      In 11 and newer, Java is not needed from the administrator machine. But still needed in 10.5 build 56 and older.

  12. Hello Carl.

    Thanks for the article. I need help with NS. Can a NetScaler MPX appliance version 11 or version 10.5.6 be configured as a layer 4 firewall? So I need a link or document from the Citrix website showing that NetScaler's certification is approved by global authorities. Thanks for the help.

    1. I don’t think NetScaler is intended as a L4 firewall. It has ACLs and other security features, but that’s not the purpose of the appliance. I always put firewalls in front of my NetScalers.

  13. Hi,
    which source IP (on the NetScaler) and target port are used for a CERT (smart card) authentication server policy?

    thanks

    1. A CERT policy should be looking at the contents of the smart card certificate to retrieve the username. I don’t think it communicates with anything.

      The SSL vServer would have Client Certificates enabled. This compares the client certificate signature with a CA certificate that is bound to the SSL vServer. Optionally, you can configure CRL checking (direct or through OCSP) that would require communication with external servers. I’m guessing it uses the SNIP but I’m not sure. If you are able to set this up in a lab, run nstcpdump.sh on the NetScaler to see which IP it is using for CRL checking.

  14. Hi,
    very good article. I think that DNS by default uses NSIP (it’s like the authentication flow). NetScaler uses SNIP only in the case of internal LB rules…

    1. To verify the source IP, SSH to NetScaler, run shell, run nstcpdump.sh port 53. Do something on NetScaler to cause a DNS query and you’ll see the Source IP.
