NetScaler Firewall Rules

Last Modified: Sep 14, 2017 @ 6:47 pm

See CTX101810 Communication Ports Used by Citrix Technologies

NetScaler Firewall Rules

| From | To | Protocol / Port | Purpose |
|---|---|---|---|
| Administrator machines | NSIPs (and/or SNIPs) | TCP 22, TCP 80, TCP 443, TCP 3010, TCP 3008 | SSH and HTTP/SSL access to NetScaler configuration GUI. TCP 3008/3010 is Java and 3008 is used if traffic is encrypted. Java not needed in 10.5 build 57 and newer. |
| Administrator machines | NetScaler SDX SVM, XenServer | TCP 22, TCP 80, TCP 443 | To administer NetScaler SDX |
| Administrator machines | NetScaler Lights Out Module | TCP 443, TCP 623, TCP 5900 | CTX200367 |
| NSIP, SNIP | DNS servers | Ping, UDP 53, TCP 53 | Ping is used for monitoring. Can be turned off by load balancing on the same appliance. |
| NSIPs, SNIP | NTP servers | UDP 123 | NTP |
| NSIPs, SNIP (NS 11+) | Syslog server | UDP 514 | Syslog |
| NSIPs | callhome.citrix.com, cis.citrix.com, taas.citrix.com | TCP 443 | Call Home |
| NSIPs (default), SNIP | LDAP Servers (Domain Controllers) | TCP 389 (Start TLS), TCP 636 (Secure LDAP) | Secure LDAP requires certificates on the Domain Controllers. Secure LDAP enables password changes when they expire. SNIP if Load Balanced on same appliance. |
| NSIPs | LDAP Servers | TCP 389, TCP 636 | Monitor Domain Controllers |
| NSIPs (default), SNIP | RADIUS servers | UDP 1812 | RADIUS is used for two-factor authentication. SNIP if Load Balanced on same appliance. |
| SNIP | RADIUS servers | UDP 1812, Ping | Monitor RADIUS servers |
| NetScaler SDX Service virtual machine | NSIPs | Ping, TCP 22, TCP 80, TCP 443 | Only if NetScaler VPX runs as a virtual machine on top of NetScaler SDX |
| Local GSLB Site IP, SNIP | GSLB Site IP (public IP) in other datacenter | TCP 3009, TCP 3011 | GSLB Metric Exchange Protocol between appliance pairs |
| NSIPs | GSLB Site IP (public IP) in other datacenter | TCP 22, TCP 3008, TCP 3010 | GSLB Configuration Sync |
| Local GSLB Site IP, SNIP | All Internet | Ping, UDP 53, TCP (high ports) | RTT to DNS Servers for Dynamic Proximity determination |
| SNIP | StoreFront Load Balancing VIP | TCP 443 | NetScaler Gateway communicates with StoreFront |
| SNIP | StoreFront servers | TCP 80, TCP 443, TCP 808 | StoreFront Load Balancing |
| NSIPs | StoreFront servers | TCP 80, TCP 443 | Monitor StoreFront servers |
| StoreFront servers | NetScaler Gateway VIP (DMZ IP) | TCP 443 | Authentication callback from StoreFront server to NetScaler Gateway. |
| SNIP | Each individual Controller in every datacenter | TCP 80, TCP 443 | Secure Ticket Authorities. This cannot be load balanced. TCP 443 only if certificates are installed on the Delivery Controllers. |
| SNIP | All internal virtual desktops and session hosts (subnet rule?) | TCP 1494, TCP 2598, UDP 1494, UDP 2598, UDP 16500-16509, UDP 3224-3324 | HDX ICA, Enlightened Data Transport, Session Reliability, UDP Audio, Framehawk |
| All Internet, All internal users | NetScaler Gateway VIP (public IP) | TCP 80, TCP 443, UDP 443 | Connections from browsers and native Receivers. DTLS for UDP Audio. |
| All Internet, All internal DNS servers | SNIP (public IP) | UDP 53 | ADNS (for GSLB) |
| Web logging server | NSIPs | TCP 3010 | Web logging polls the NetScalers. |
| NSIPs | Citrix Command Center or other SNMP Trap Destination | UDP 161, UDP 162 | SNMP Traps |
| NSIPs | Citrix Insight Center or other AppFlow Collector | UDP 4739 | AppFlow |

  • Authentication traffic uses NSIPs by default. This can be changed by creating a local Load Balancing Virtual Server on the same appliance and sending authentication traffic through the load balancer.
  • If a NetScaler will load balance, a monitor is required to determine if the service is up or not. Several of the monitors run as Perl scripts, which require connectivity from the NSIPs. But actual load balancing traffic can use SNIP as the source IP.
  • DNS uses ping for monitoring. This can be disabled by creating a local Load Balancing Virtual Server on the same appliance and sending DNS traffic through the load balancer. 
  • On a NetScaler with a dedicated management network where the default route is on a different data network, traffic that is normally sourced from the NSIP will be sourced from a SNIP instead if NetScaler cannot find a route on the NSIP network. To revert to the NSIP as the source, add a static route on the NSIP network.
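As an added example (not code from the original page), the following Python turns the "Protocol / Port" notation used in these tables (inclusive ranges such as 6910-6969, alternatives such as 67/4011, and Ping) into explicit port sets and audits a constructed firewall policy against a few rows copied from the tables, reporting both ports the policy forgot and "Any"-style entries that allow far more than the tables require. The source/destination labels in RULES and POLICY are illustrative names, not NetScaler objects, and POLICY is deliberately imperfect.

```python
"""Added example (not from the original page): expand the port notation
used in the firewall tables into concrete (protocol, port) sets and audit
a firewall policy against them.  RULES rows are copied from the tables;
POLICY is a constructed, deliberately imperfect allow list."""
import re
from collections import defaultdict

# Rows copied from the tables: (from, to, "Protocol / Port" cell).
RULES = [
    ("SNIP", "StoreFront servers", "TCP 80, TCP 443, TCP 808"),
    ("SNIP", "Delivery Controllers (STA)", "TCP 80, TCP 443"),
    ("SNIP", "VDAs", "TCP 1494, TCP 2598, UDP 1494, UDP 2598, "
                     "UDP 16500-16509, UDP 3224-3324"),
    ("NSIPs", "StoreFront servers", "TCP 80, TCP 443"),
    ("NSIPs", "DNS servers", "Ping, UDP 53, TCP 53"),
]

# Constructed policy entries: (from, to, proto, low, high), inclusive.
POLICY = [
    ("SNIP", "StoreFront servers", "TCP", 443, 443),   # 80 and 808 forgotten
    ("SNIP", "Delivery Controllers (STA)", "TCP", 80, 80),
    ("SNIP", "Delivery Controllers (STA)", "TCP", 443, 443),
    ("SNIP", "VDAs", "TCP", 1, 65535),                 # "any TCP": far too broad
    ("SNIP", "VDAs", "UDP", 1494, 2598),               # audio/Framehawk ranges missing
    ("NSIPs", "DNS servers", "ICMP", 0, 0),            # Ping, see parse_ports
    ("NSIPs", "DNS servers", "UDP", 53, 53),
    ("NSIPs", "DNS servers", "TCP", 53, 53),
]

PORT_RE = re.compile(r"^(TCP|UDP)\s+([\d/-]+)$")


def parse_ports(spec):
    """'TCP 80, UDP 67/4011, UDP 6910-6969, Ping' -> {(proto, port), ...}.
    '/' separates alternatives, '-' is an inclusive range; Ping is
    represented as ('ICMP', 0) because it has no port."""
    out = set()
    for item in (s.strip() for s in spec.split(",")):
        if item.lower() == "ping":
            out.add(("ICMP", 0))
            continue
        m = PORT_RE.match(item)
        if not m:  # e.g. "TCP (high ports)" must be encoded explicitly
            raise ValueError(f"unrecognised port spec: {item!r}")
        proto, body = m.groups()
        for part in body.split("/"):
            lo, _, hi = part.partition("-")
            out.update((proto, p) for p in range(int(lo), int(hi or lo) + 1))
    return out


def required(rules):
    """Collapse table rows into {(from, to): set of (proto, port)}."""
    req = defaultdict(set)
    for src, dst, spec in rules:
        req[(src, dst)] |= parse_ports(spec)
    return req


def audit(rules, policy):
    """Return (missing, excess): ports the tables need that the policy does
    not allow, and how many allowed ports the tables never need (a quick
    measure of 'Any'-style over-permission for each source/destination pair)."""
    req = required(rules)
    allowed = defaultdict(set)
    for src, dst, proto, lo, hi in policy:
        allowed[(src, dst)] |= {(proto, p) for p in range(lo, hi + 1)}
    missing = {k: sorted(v - allowed[k]) for k, v in req.items() if v - allowed[k]}
    excess = {k: len(v - req[k]) for k, v in allowed.items() if v - req[k]}
    return missing, excess


if __name__ == "__main__":
    missing, excess = audit(RULES, POLICY)
    for (src, dst), ports in missing.items():
        print(f"MISSING {src} -> {dst}: {len(ports)} port(s), e.g. {ports[:3]}")
    for (src, dst), n in excess.items():
        print(f"EXCESS  {src} -> {dst}: {n} allowed port(s) not required")
```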

NetScaler MAS Firewall Rules

NetScaler Management and Analytics System (NetScaler MAS) is a combination of Command Center and Insight Center.

| From | To | Protocol / Port | Purpose |
|---|---|---|---|
| NetScaler MAS | NSIPs | Ping, TCP 22, TCP 80, TCP 443 | Discovery and configuration of NetScaler devices |
| NSIPs | NetScaler MAS | UDP 4739 | AppFlow |
| NSIPs, SNIP | NetScaler MAS | TCP 5557 | ULFD (unified logging format) |
| NSIPs | NetScaler MAS | UDP 161, UDP 162 | SNMP Traps |
| CPX Instances | NetScaler MAS | TCP 27000, TCP 7279 | Citrix Licensing |
| Administrator Machines | NetScaler MAS | TCP 22, TCP 80, TCP 443 | Web-based GUI |
| XenDesktop Controllers | NetScaler MAS | TCP 443 | Insight Integration with Director |
| NetScaler MAS | LDAP(S), LDAP(S) VIP | TCP 389, TCP 636 | LDAP authentication |
| NetScaler MAS | Mail Server | TCP 25 | Email alerts |
| NetScaler MAS | NTP Server | UDP 123 | NTP |
| NetScaler MAS | Syslog Server | UDP 514 | Syslog |

Command Center Firewall Rules

| From | To | Protocol / Port | Purpose |
|---|---|---|---|
| NSIPs | Citrix Command Center / NMAS | UDP 161, UDP 162 | SNMP Traps |
| Citrix Command Center | SQL Server | TCP 1433, UDP 1434, Other static port | SQL database |
| Citrix Command Center / NMAS | NSIPs | TCP 22, UDP 161, UDP 162 | SSH to configure the appliance. SNMP to poll the appliance. SNMP ping. |
| Citrix Command Center / NMAS | Mail server | TCP 25 | SMTP |
| Citrix Command Center / NMAS | Domain Controllers | TCP 389, TCP 636 | LDAP, LDAPS |
| Administrator Machines | Citrix Command Center | TCP 8443, TCP 3389 | Web-based GUI, RDP |

Insight Center Firewall Rules

| From | To | Protocol / Port | Purpose |
|---|---|---|---|
| Insight Center | NSIPs | Ping, TCP 22, TCP 80, TCP 443 | Configures NetScaler to send AppFlow to Insight Center |
| NSIPs | Insight Center | UDP 4739 | AppFlow |
| NSIPs, SNIP | Insight Center | TCP 5557 | ULFD (unified logging format) |
| Administrator Machines | Insight Center | TCP 80, TCP 443 | Web-based GUI |
| XenDesktop Controllers | Insight Center | TCP 443 | Insight Integration with Director |
| Insight Center | LDAP(S), LDAP(S) VIP | TCP 389, TCP 636 | LDAP authentication to Insight Center |
| Insight Center | Mail Server | TCP 25 | Email alerts |
| Insight Center | NTP Server | UDP 123 | NTP |
| Insight Center | Syslog Server | UDP 514 | Syslog |

XenApp/XenDesktop Firewall Rules

| From | To | Protocol / Port | Purpose |
|---|---|---|---|
| Administrator machines | Controllers | TCP 80/443, TCP 3389 | PowerShell, RDP |
| Controllers | SQL Server | TCP 1433, UDP 1434, Other static port | SQL database |
| Controllers | vCenter | TCP 443 | vCenter |
| Controllers | SCVMM | TCP 8100 | SCVMM |
| Controllers | Citrix Licensing | TCP 27000, TCP 7279, TCP 8082-8083, TCP 80 | Citrix Licensing |
| StoreFront servers | Citrix Delivery Controllers | TCP 80, TCP 443 | XML, Secure Ticket Authority |
| StoreFront servers | StoreFront servers | TCP 808 | Subscription Replication |
| StoreFront servers | Trusted Domain Controllers | TCP 135, TCP 49151-65535 | RPC |
| Administrator machines | StoreFront servers | TCP 3389 | RDP |
| Administrator machines | Citrix Licensing | TCP 8082-8083, TCP 80, TCP 3389 | Web-based administration GUI, RDP |
| Controllers | All VDAs | TCP 80 | Brokering |
| All VDAs | Controllers | TCP 80 | Registration |
| All VDAs | Global Catalogs (Domain Controllers) | TCP 3268 | Registration |
| All Receivers (Internal) | StoreFront SSL Load Balancing VIP | TCP 80, TCP 443 | Internal access to StoreFront |
| All Receivers | NetScaler Gateway VIP | TCP 80, TCP 443 | External (or internal) access to NetScaler Gateway |
| All Receivers (Internal) | All VDAs | TCP 1494, TCP 2598, UDP 16500-16509, UDP 3224-3324 | ICA/HDX, Session Reliability, UDP Audio, Framehawk |
| Administrator machines | Director | TCP 3389 | RDP |
| Administrator machines, Help Desk machines | Director | TCP 80, TCP 443 | Web-based GUI |
| Director | Controllers | TCP 80, TCP 443 | Director |
| Administrator machines, Help Desk machines | All VDAs | TCP 135, TCP 3389 | Remote Assistance |

Also see Microsoft Technet Which ports are used by a RDS 2012 deployment?

Provisioning Services Firewall Rules

| From | To | Protocol / Port | Purpose |
|---|---|---|---|
| Provisioning Servers | SQL Server | TCP 1433, UDP 1434, Other static port | SQL database for Provisioning Services |
| Provisioning Servers | Provisioning Servers | SMB | File copy of vDisk files |
| Provisioning Servers | Provisioning Servers | UDP 6890-6909 | Inter-server communication |
| Provisioning Servers | Citrix Licensing | TCP 27000, TCP 7279, TCP 8082-8083, TCP 80 | Citrix Licensing |
| Provisioning Servers | Controllers | TCP 80, TCP 443 | Setup Wizards to create machines |
| Provisioning Servers | vCenter | TCP 443 | Setup Wizards to create machines |
| Provisioning Servers | Target Devices | UDP 6901, UDP 6902, UDP 6905 | Provisioning Services Console Target Device power actions (e.g. Restart) |
| Administrator machines | Provisioning Servers | TCP 3389, TCP 54321, TCP 54322, TCP 54323 | RDP, SOAP |
| Controllers | Provisioning Servers | TCP 54321, TCP 54322, TCP 54323 | Add machines to Catalog |
| Target Devices | DHCP Servers | UDP 67 | DHCP |
| Target Devices | KMS Server | TCP 1688 | KMS Licensing |
| Target Devices | Provisioning Servers | UDP 69, UDP 67/4011, UDP 6910-6969 | TFTP, PXE, Streaming (expanded port range) |
| Target Devices | Provisioning Servers | UDP 6969, UDP 2071 | Two-stage boot (BDM) |
| Target Devices | Provisioning Servers | TCP 54321, TCP 54322, TCP 54323 | Imaging Wizard to SOAP Service |

58 thoughts on “NetScaler Firewall Rules”

  1. Hi Carl, Thanks for your awesome blog for the community
    I need to use SNIP for all communications (including monitor) to back end environment. Is it possible to achieve?
    1. Understand that the Netscaler uses SNIP to communicate to back end DNS, LDAP, NTP etc (if configured as LB VIP) and uses NSIP IP as source for monitor probes. To force all traffic (including monitor traffic), Is it possible to configure Net profile? If we do that, will it force all traffic through SNIP?
    2. SNIP IP can be enabled for management which means NSIP is not required to log/manage NetScaler and Putty can be enabled only for SNIP?
    3. With regards to creating Local LB VIPs for LDAP, DNS, RADIUS etc. inside NetScaler, is it possible to use non-routable IPs as LB VIPs, like 1.1.1.1 or 1.2.3.4? This is to avoid requesting more IPs from the network team.

      1. 3. With regards to creating Local LB VIPs for LDAP, DNS, RADIUS etc. inside NetScaler, is it possible to use non-routable IPs as LB VIPs, like 1.1.1.1 or 1.2.3.4? This is to avoid requesting more IPs from the network team.

        Can this be done Carl or do we need to use routable IPs for LB VIPs?

  2. Thank you very much Carl for your prompt reply. I have one more question.
    In the environment I am working on, all servers are locked with individual Windows firewall rules applied through Group Policy. By default, all incoming and outgoing ports are blocked, with only exceptions configured through GPO.
    I can get the incoming ports to be opened (for example 80/443 on the Controller, 27000 on the license server etc.) from the article, but the security team is requiring source ports.
    In other words, the team also needs outgoing ports on servers. For example, the Licensing server:
    Incoming Port –
    TCP 27000
    TCP 7279
    TCP 8082-8083
    TCP 80
    Outgoing Port— need clarification
    For Example, If Controller is connecting to license server,
    Source port – Dynamic (Any port between 1025-55555) – Is it possible to lock it down to range?
    Destination port- 27000.
    After license validation when the traffic returns from license server to VDA, Will the port be reversed?
    Source Port – 27000?
    Destination port – Dynamic port?

    1. That’s a very unusual request. There’s nothing Citrix-specific about that request. How do you do it for other firewall rules? When a browser connects to a web server on port 80, how do you limit the source ports used by the browser?

      1. This is what I thought. I am new to the environment.
        For my understanding, On the license server, If only the below incoming ports are opened
        Incoming Port –
        TCP 27000
        TCP 7279
        TCP 8082-8083
        TCP 80
        and all the outgoing ports are blocked, will it have any impact on licensing? Similarly for other servers/services.

        Thanks again:)

        1. Outgoing packets from the destination machines are replies. Stateful firewalls should handle replies automatically. The destination machines do not initiate connections in the other direction, except for Controllers initiating connections to VDAs, and VDAs initiating connections to Controllers.

          1. It is clear now Carl. Thanks for clarifying this.
            You mentioned “The destination machines do not initiate connections in the other direction, except for Controllers initiating connections to VDAs, and VDAs initiating connections to Controllers.”
            Is this also true for connection between SF and controller as well? (XML query and XML response)

          2. I meant, the connection between SF and Director is also both way (XML query and response), correct?

  3. Hi Carl,
    Thanks for the article. Really useful. I am working on a setup where the Citrix management servers (Controllers, SF, Director) and VDAs are on separate subnets and I can't use port 80 anywhere. Either I need to use 443 or a different port. I could see 5 places where port 80 is used by default which I need to change. I have listed them below. Please add if I missed any.
    1. From Controller to All VDAs – TCP 80 for registration (I read it is encrypted by WCF). To configure port 8080, change the VDA port (8080) on the VDA agent and change it on the Controller by using the brokerservice.exe command.
    2. From SF to Controller (XML) – TCP 80 (bidirectional) for XML brokering. To configure 443: apply a cert on the Controller, run the PS command to use only 443; on SF, configure a cert and modify the store to add the FQDN of the Controller and port 443.
    3. From All VDAs to Controller – TCP 80 for brokering; do I need to configure this separately? Or will step 1 ensure that this traffic also flows on 8080?
    4. From AdminPC to Controller – TCP 80 for PowerShell; how do I configure this? Since the Controller is configured with a cert (step 2), will this communication also go over 443?
    5. From NS SNIP to Controller (STA) – TCP 80 for STA tickets; how do I configure this? Since the Controller is configured with a cert (step 2), will this communication also go over 443?

    1. 1. That’s correct.
      2. That’s correct.
      3. Step 1 covers it
      4. BrokerService.exe /sdkport. Then I think you have to specify the port in the -AdminAddress parameter for every PowerShell command.
      5. Step 2 covers it.

      1. Thank you very much Carl for your prompt reply. I presume for point 4, after changing the SDK port, I need to provide the new port number when launching Studio (it will ask me to specify the Delivery Controller address).
        I have also seen in this blog that I have to configure the /sdkport change for all other Controller services (Host.exe, Monitor.exe service etc.) as indicated in https://blog.citrix24.com/xendesktop-how-to-change-used-ports/
        I will give it a try.

  4. Hi Carl,

    with NetScaler SDX 11.1-54.14, I noticed there's a Console Access option shown under NetScaler > Instances. Do you know which port is used here? I kicked off a tcpdump while trying to access those VPX consoles and it shows only https communication. Although https is open on our firewalls, I still can't access the VPX consoles.

    Cheers,
    Jochen

  5. Carl,

    When creating a rule for a firewall to allow NetScaler traffic, what application is using port 7105? We are getting an ICA error when opening a session. We followed the ports needed/listed but found out that for some reason this port was not listed in the requirements.

    1. UDP? Or TCP? If UDP, could be an Audio port.

      If you run “nstcpdump.sh port 7105” on the NetScaler, do you see it sending that port?

      1. Thank you for the response.

        We had our Boundary protection team watching the traffic and gathering the data. From what we have seen in the data, that port is allowed now. But we still receive the error.

        We have users from other locations that are able to use the Netscaler with no problems. What we are thinking is that at some point our Boundary team removed the rule allowing this site access due to lack of use. The site in question is our backup site. The rules were not supposed to be changed or removed.

        What I am going to ask our team to do is compare the FW rules between the sites and the proxy server as well to ensure that they are set the same.

  6. Hi Carl, please add 54321-54323 from target device to PVS Servers console ports, SOAP Service, used by Imaging Wizards.
    Thanks for all

  7. Hi all, I have set up NetScaler 11.1 VPX on AWS and everything is fine, but when launching applications nothing happens. Directly from StoreFront it's working fine. I just came to know that 2598/1494 is getting reset by the Delivery Controller. All ports are allowed but still these two ports are getting reset. Please suggest if you have any solutions.

  8. Hi Carl,

    We are using NetScaler MPX5500 in our Citrix environment. Our environment is secured through SSL VPN and WAF. The client wants to present StoreFront directly out to the internet and therefore relieve ourselves of the dependency on the NetScalers. What would we gain and what would we lose? My concern here is how we secure our environment without NetScaler. How do we do the encryption to secure https connections without NetScaler?

  9. Hi Carl

    Thanks for all information.

    In our environment we are able to telnet (on 3009, 3010, 3011 and 22) from Site A to Site B, but not vice versa, for the GSLB setup. As per the network guy, GSLB services are not running on Site A, as they are unable to telnet from the FW (between Site A and Site B) to Site A, whereas the same works from the FW to Site B. However, we installed the GSLB service properly while configuring. I have also tested telnet to the Site A GSLB Site IP itself on the same GSLB ports and it fails, which indicates some issue in the GSLB services in Site 1, but I am unable to guess where it could be. Can you help me with a hint or possible configuration to check?

    Thanks in advance.

  10. Hi Carl, what is the difference between Local GSLB Site IP SNIP and SNIP? Are the firewall ports mentioned in this blog for SNIP? I have a requirement to set up GSLB.

  11. Hey Carl,

    This was GREAT help for me.

    Quick question though: I have a lab with a 3-legged scenario: one subnet for management (NSIPs), one subnet for DMZ, and another subnet for backend services (LAN).

    In this case, since I am isolating management, I notice that the source for the Perl scripts is the SNIP, not the NSIPs. Is this normal behavior?

  12. Hey Carl, thanks for the Information.

    I have one question for NetScaler VPN.

    Which firewall ports are needed for the VPN setup? My NetScaler is in the DMZ with a VPN vServer. Is only port 443 to my StoreFront from my SNIP needed? Because I think "Any" from my SNIP to my LAN cannot be a resolution...

    Thanks and best regards,
    Mark

    1. What traffic is going across the VPN tunnel?

      If you aren't doing Intranet IPs, then everything comes from the SNIP and the SNIP needs access to everything the users need to access.

      If you are doing Intranet IPs, then you open the firewall from the Intranet IP to whatever the users need to access.

    1. Are you asking for a firewall rule if you’re using a different TFTP server than the one installed on PvS?

  13. Cannot roll back the FW rule now... customer has strict change mgmt for that (read: "the process is too heavy, so will leave it there for now"), but this must be tested elsewhere.

  14. Access from StoreFront nodes version 3.6 to the NS LB VIP needs to be open on port 443 and https.
    Found this out the hard way... it seems the SF nodes need access to the /discover URL. I am not sure whether this has to do with the new 3.6 "no need for hosts file modification" feature, but it is maybe worth mentioning in the FW rules.

  15. Hi Carl,
    great article! But I think there is something missing in the PVS section.

    You wrote:

    TargetDevices -> Provisioning Servers
    UDP 69 – TFTP
    UDP 4011 – PXE
    UDP 6890-6969 – Streaming

    But shouldn’t it be more like this:

    TargetDevices -> Provisioning Servers
    UDP 69 – TFTP
    UDP 4011/67 – PXE/Broadcast
    UDP 6910 – Target Device logon at PVS
    UDP 6910-6930 – streaming service (default with 8 threads per port)
    UDP 6969 – Two Stage Boot (If ISO or USB is used)

    And also I’m missing the PVS to PVS communication:

    UDP 6890-6909 – PVS Inter-Server communication

    Please correct me if I’m wrong

    Best Regards,
    Sebastian

    1. Isn’t 67 only needed for DHCP on PvS? If DHCP is separate from PvS, then isn’t it 4011?

      6890-6969 should encompass all of the ports. I always increase the default TD ports from 6910-6968. But if 6890-6909 is only used between servers then I could clarify that.

      1. Hi Carl,
        actually it's the other way round.
        Port 4011 will be used if PXE is on the same machine as DHCP, and port 67 is used if it's separated (PXE broadcast). I just added port 67 explicitly for the sake of completeness. 🙂

        And yes, 6890-6909 is only used for inter-PVS communication.
        Didn't notice that you wanted to point out the reconfiguration for the streaming ports, sorry!
        But you're right, it's a good thing to do! Maybe (to prevent misconfiguration) you should point out that the range has to be manually extended, otherwise the configured ports won't be used.

        Best Regards,
        Sebastian

  16. Hi Carl,

    Can we have LDAP and XML Service servers in a different subnet from the SNIP? I am able to ping the Domain Controller and Citrix Controller servers from the NetScaler; however, I believe that goes through the NetScaler IP.

    If yes, how can we configure the communication between SNIP and LDAP, DNS & XML Service? Using gateway routes?

    Regards,
    Swapnil

    1. If the NetScaler is not connected to the same subnet as the back-end servers, then NetScaler will send the packets through a router. If you only have one connected interface, then it will go through the default gateway. If you have multiple subnets, then you need to configure the routing table correctly.

  17. Hi Carl, thanks for the article.
    What would be the required ports to access the SVM GUI from the administrator's machine, and the same for the XenServer IP?
    And also, does the NetScaler GUI version 11 still require the Java ports?

    1. You would want 22, 80, and 443 to access SVM and XenServer.

      In 11 and newer, Java is not needed from the administrator machine. But still needed in 10.5 build 56 and older.

  18. Hello Carl.

    Thanks for the article. I need help with NS. Can a NetScaler MPX appliance version 11 or version 10.5.6 be configured as a layer 4 firewall? So I need a link or document from the Citrix website showing that NetScaler's certification is approved by global authorities. Thanks for the help.

    1. I don't think NetScaler is intended as an L4 firewall. It has ACLs and other security features, but that's not the purpose of the appliance. I always put firewalls in front of my NetScalers.

  19. hi,
    which source IP (on the NetScaler) and target port are used for a CERT (smartcard) authentication server policy?

    thanks

    1. A CERT policy should be looking at the contents of the smart card certificate to retrieve the username. I don't think it communicates with anything.

      The SSL vServer would have Client Certificates enabled. This compares the client certificate signature with a CA certificate that is bound to the SSL vServer. Optionally, you can configure CRL checking (direct or through OCSP) that would require communication with external servers. I’m guessing it uses the SNIP but I’m not sure. If you are able to set this up in a lab, run nstcpdump.sh on the NetScaler to see which IP it is using for CRL checking.

  20. Hi,
    very good article. I think that DNS by default uses NSIP (like the authentication flow). NetScaler uses SNIP only in the case of LB internal rules....

    1. To verify the source IP, SSH to NetScaler, run shell, run nstcpdump.sh port 53. Do something on NetScaler to cause a DNS query and you’ll see the Source IP.
