Navigation
- Change Log
- Citrix ADC Firewall Rules
- Citrix ADM Firewall Rules
- Citrix Virtual Apps and Desktops Firewall Rules
- Citrix Provisioning Firewall Rules
See CTX101810 Communication Ports Used by Citrix Technologies
💡 = Recently Updated
Change Log
- 2020 Nov 13 – CTX286215 How to change Logstream source IP to NSIP on ADC.
- 2020 Oct 17 – ADM – added 443/8443 from ADM Agents to ADM
- 2018 June 11 – MAS Firewall – added MAS Floating IP and MAS Agents
- 2018 June 9 – StoreFront to Domain Controllers in Trusted Domains – added rules from Citrix Discussions
- 2018 June 6 – added NSIP firewall rules for NetScaler MAS Pooled Licensing
- 2018 May 24 – updated Director->HDX Insight firewall rules to indicate Director as the source (Source = Luke in the comments)
Citrix ADC Firewall Rules
| From | To | Protocol / Port | Purpose |
|---|---|---|---|
| Administrator machines | NSIPs (and/or SNIPs) | TCP 22 TCP 80 TCP 443 TCP 3010 TCP 3008 |
SSH and HTTP/SSL access to NetScaler configuration GUI. TCP 3008/3010 is Java and 3008 is used if traffic is encrypted. Java not needed in 10.5 build 57 and newer. |
| Administrator machines | NetScaler SDX SVM, XenServer | TCP 22 TCP 80 TCP 443 |
To administer NetScaler SDX |
| Administrator machines | NetScaler Lights Out Module | TCP 443 TCP 623 TCP 5900 |
CTX200367 |
| NSIP SNIP |
DNS servers | Ping UDP 53 TCP 53 |
Ping is used for monitoring. Can be turned off by load balancing on the same appliance. |
| NSIPs SNIP |
NetScaler MAS | TCP 27000 TCP 7279 |
Pooled Licensing |
| NSIPs SNIP |
NTP servers | UDP 123 | NTP |
| NSIPs SNIP |
Syslog server | UDP 514 | Syslog |
| NSIPs | callhome.citrix.com cis.citrix.com taas.citrix.com |
TCP 443 | Call Home |
| NSIPs (default) SNIP |
LDAP Servers(Domain Controllers) | TCP 389 (Start TLS) TCP 636 (Secure LDAP) |
Secure LDAP requires certificates on the Domain Controllers. Secure LDAP enables password changes when they expire.SNIP if Load Balanced on same appliance |
| NSIPs | LDAP Servers | TCP 389 TCP 636 |
Monitor Domain Controllers |
| NSIPs (default) SNIP |
RADIUS servers | UDP 1812 | RADIUS is used for two-factor authentication. SNIP if Load Balanced on same appliance |
| SNIP | RADIUS servers | UDP 1812 Ping |
Monitor RADIUS servers |
| NetScaler SDX Service virtual machine | NSIPs | Ping TCP 22 TCP 80 TCP 443 |
Only if NetScaler VPX runs as a virtual machine on top of NetScaler SDX |
| Local GSLB Site IP SNIP |
GSLB Site IP (public IP) in other datacenter | TCP 3009 TCP 3011 |
GSLB Metric Exchange Protocol between appliance pairs |
| NSIPs | GSLB Site IP (public IP) in other datacenter | TCP 22 TCP 3008 TCP 3010 |
GSLB Configuration Sync |
| Local GSLB Site IP SNIP |
All Internet | Ping UDP 53 TCP (high ports) |
RTT to DNS Servers for Dynamic Proximity determination |
| SNIP | StoreFront Load Balancing VIP | TCP 443 | NetScaler Gateway communicates with StoreFront |
| SNIP | StoreFront servers | TCP 80 TCP 443 TCP 808 |
StoreFront Load Balancing |
| NSIPs | StoreFront servers | TCP 80 TCP 443 |
Monitor StoreFront servers |
| StoreFront servers | NetScaler Gateway VIP (DMZ IP) | TCP 443 | Authentication callback from StoreFront server to NetScaler Gateway. |
| SNIP | Each individual Delivery Controller in every datacenter | TCP 80 TCP 443 |
Secure Ticket Authorities. This cannot be load balanced. TCP 443 only if certificates are installed on the Delivery Controllers. |
| SNIP | All internal virtual desktops and session hosts (subnet rule?) | TCP 1494 TCP 2598 UDP 1494 UDP 2598 UDP 16500-16509 |
HDX ICA Enlightened Data Transport Session Reliability UDP Audio |
| All Internet All internal users |
NetScaler Gateway VIP (public IP) | TCP 80 TCP 443 UDP 443 |
Connections from browsers and native Receivers DTLS for UDP Audio |
| All Internet All internal DNS servers |
SNIP ADNS Listener (Public IP) | UDP 53 TCP 53 |
ADNS (for GSLB) |
| Web logging server | NSIPs | TCP 3010 | Web logging polls the NetScalers. |
| NSIPs | NetScaler MAS or other SNMP Trap Destination | UDP 161 UDP 162 |
SNMP Traps |
| NSIPs SNIP |
NetScaler MAS or other AppFlow Collector | UDP 4739 TCP 5557, 5558 TCP 5563 |
AppFlow (IPFIX, Logstream, and Metrics) |
| NSIP | mfa.cloud.com trust.citrixworkspacesapi.net |
TCP 443 | Native OTP Push (DNS required) |
- Authentication traffic uses NSIPs by default. This can be changed by creating a local Load Balancing Virtual Server on the same appliance and sending authentication traffic through the Load Balancing VIP.
- Several of the Load Balancing monitors run as Perl scripts, which are sourced from the NSIPs, not SNIP. But actual load balancing traffic uses SNIP as the source IP.
- DNS Name Servers use ping for monitoring. This can be disabled by creating a local Load Balancing Virtual Server on the same appliance and sending DNS traffic through the load balancer.
- In a ADC with a dedicated management network and default route on a different data network, configure Policy Based Routes (PBRs) to send NSIP-sourced traffic through a router on the NSIP subnet.
- Logstream defaults to SNIP as source but can be changed to NSIP. See CTX286215.
Citrix ADM Firewall Rules
Citrix Application Delivery Management (ADM) monitors and manages the ADC appliances.
| From | To | Protocol / Port | Purpose |
|---|---|---|---|
| ADM Floating IP ADM Agent |
NSIPs | Ping TCP 22 TCP 80 TCP 443 |
Discovery and configuration of ADC devices |
| NSIPs | ADM Floating IP ADM Agent |
TCP 80 TCP 443 |
Nitro |
| ADM (Primary, Secondary) | NSIPs | UDP 161 | SNMP |
| ADM Agents | ADM Floating IP | TCP 443 TCP 7443 TCP 8443 |
Agent Communication |
| NSIPs | ADM Floating IP ADM Agent |
UDP 4739 | AppFlow |
| SNIP | ADM Floating IP ADM Agent |
TCP 5563 | Metrics Collector |
| NSIPs SNIP |
ADM Floating IP ADM Agent |
TCP 5557, 5558 | Logstream (ULFD) |
| NSIPs | ADM Floating IP ADM Agent |
UDP 161 UDP 162 |
SNMP Traps |
| NSIPs | ADM Floating IP ADM Agent |
UDP 514 | Syslog |
| CPX NSIPs VPX NSIPs |
ADM Floating IP ADM Agent |
TCP 27000 TCP 7279 |
Pooled Licensing |
| Administrator Machines | ADM Floating IP ADM Agent |
TCP 22 TCP 80 TCP 443 |
Web-based GUI |
| Director Servers | ADM Floating IP | TCP 80 TCP 443 |
Insight Integration with Director |
| ADM | LDAP(S) LDAP(S) VIP |
TCP 389 TCP 636 |
LDAP authentication |
| ADM | Mail Server | TCP 25 | Email alerts |
| ADM | NTP Server | UDP 123 | NTP |
| ADM | Syslog Server | UDP 514 | Syslog |
Citrix Virtual Apps and Desktops Firewall Rules
| From | To | Protocol / Port | Purpose |
| Administrator machines | Delivery Controllers | TCP 80/443 TCP 3389 |
PowerShell RDP |
| Delivery Controllers | SQL Server | TCP 1433 UDP 1434 Other static port |
SQL database |
| Delivery Controllers | vCenter | TCP 443 | vCenter |
| Delivery Controllers | SCVMM (Hyper-V) | TCP 8100 | SCVMM |
| Delivery Controllers | Citrix Licensing | TCP 27000 TCP 7279 TCP 8082-8083 |
Citrix Licensing |
| StoreFront servers | Delivery Controllers | TCP 80 TCP 443 |
XML Secure Ticket Authority |
| StoreFront servers | StoreFront servers | TCP 808 | Subscription Replication |
| StoreFront servers | Domain Controllers in Trusted Domains | TCP 88 TCP 135 TCP 445 TCP 389/636 TCP 49151-65535 |
RPC Discussions |
| Administrator machines | StoreFront servers | TCP 3389 | RDP |
| Administrator machines | Citrix Licensing | TCP 8082-8083 TCP 3389 |
Web-based administration GUI RDP |
| Delivery Controllers | All VDAs | TCP 80 | Brokering |
| All VDAs | Delivery Controllers | TCP 80 | Registration |
| All VDAs | Global Catalogs (Domain Controllers) |
TCP 3268 | Registration |
| All Server OS VDAs | Remote Desktop Licensing Server | RPC and SMB | Remote Desktop Licensing |
| All Workspace apps (Internal) |
StoreFront SSL Load Balancing VIP | TCP 80 TCP 443 |
Internal access to StoreFront |
| All Workspace apps | Citrix Gateway VIP | TCP 80 TCP 443 |
External (or internal) access to Citrix Gateway |
| All Workspace apps (Internal) |
All VDAs | TCP 1494 UDP 1494 TCP 2598 UDP 2598 UDP 16500-16509 |
ICA/HDX EDT Session Reliability UDP Audio |
| Administrator machines | Director | TCP 3389 | RDP |
| Administrator machines Help Desk machines |
Director | TCP 80 TCP 443 |
Web-based GUI |
| Director | Delivery Controllers | TCP 80 TCP 443 |
|
| Director Administrator machines Help Desk machines |
All VDAs | TCP 135 TCP 3389 |
Remote Assistance |
Also see Microsoft Technet Which ports are used by a RDS 2012 deployment?
Citrix Provisioning Firewall Rules
| From | To | Protocol / Port | Purpose |
| Provisioning Servers | SQL Server | TCP 1433 UDP 1434 Other static port |
SQL database for Provisioning Services |
| Provisioning Servers | Provisioning Servers | SMB | File copy of vDisk files |
| Provisioning Servers | Provisioning Servers | UDP 6890-6909 | Inter-server communication |
| Provisioning Servers | Citrix Licensing | TCP 27000 TCP 7279 TCP 8082-8083 TCP 80 |
Citrix Licensing |
| Provisioning Servers | Controllers | TCP 80 TCP 443 |
Setup Wizards to create machines |
| Provisioning Servers | vCenter | TCP 443 | Setup Wizards to create machines |
| Provisioning Servers | Target Devices | UDP 6901 UDP 6902 UDP 6905 |
Provisioning Services Console Target Device power actions (e.g. Restart) |
| Administrator machines | Provisioning Servers | TCP 3389 TCP 54321 TCP 54322 TCP 54323 |
RDP SOAP |
| Controllers | Provisioning Servers | TCP 54321 TCP 54322 TCP 54323 |
Add machines to Catalog |
| Target Devices | DHCP Servers | UDP 67 | DHCP |
| Target Devices | KMS Server | TCP 1688 | KMS Licensing |
| Target Devices | Provisioning Servers | UDP 69 UDP 67/4011 UDP 6910-6969 |
TFTP PXE Streaming (expanded port range) |
| Target Devices | Provisioning Servers | UDP 6969 UDP 2071 |
Two-stage boot (BDM) |
| Target Devices | Provisioning Servers | TCP 54321 TCP 54322 TCP 54323 |
Imaging Wizard to SOAP Service |
Hi Carl, and 8008 port for html5?
Hi Carl.
Perhaps worth adding the RDS LIcensing ports for the VDA?
Thanks for the suggestion. I added a link to the list of ports for RD Licensing.
Hi Carl,
For the ADCs I think you forgot UDP 7000 for Cluster Heart Beat Exchange, am I right?
Regards,
Hong
Hi Carl,
do you want to extend your list with infos regarding push-otp? Are you able to check with citrix if it’s adc’s NSIP or SNIP which should be able to communicate to mfa.cloud.com and trust.citrixworkspaceapi.net?
“On premises Citrix ADC appliances must be able to resolve server addresses mfa.cloud.com and trust.citrixworkspacesapi.net and are accessible from the appliance. This is to ensure that there are no firewalls or IP address blocks for these servers over port 443” from https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/authentication-methods/push-notification-otp.html
Thanks in advance
Regards
Julian
Thanks for the suggestion. I just added it.
You can run nstcpdump.sh to confirm the source IP. I suspect it is NSIP.
Hi Carl, thanks for the article.
Regarding Citrix ADM firewall openings: based on Citrix documentation ADM seems to require also inbound firewall opening to ports 80 and 443 for Nitro communication (“Citrix ADM to Citrix ADC and Citrix ADC to Citrix ADM”).
https://docs.citrix.com/en-us/citrix-application-delivery-management-software/current-release/system-requirements.html
NSIP is in the same subnet as the DNS server so directly connected, no SNIP in this subnet. I can ping the nameserver from a SSH session however the ADC marks it in the GUI as down. Nameserver itself is working fine.
Worth mentioning that if you use multi-stream ICA, you will need to ensure the additional ports are open on the FW between ADC and VDAs. This applies to both TCP and, if using EDT via ADC, UDP traffic. eg. 2598-2601 TCP and UDP.
Hi Carl, would appreciate you looking at the following article I wrote. https://veffort.wordpress.com/2020/02/18/netscaler-vpn-smb-share-access/
I think that the Kerberos port should be included in the firewall rule set for VPN scenarios. It was a major headache for us.
Hello Carl,
We have netscaler in cloud environment behind public loadbalancer. Recently ee also taken WAF as 3rd party SaaS in front of load balancer. Now every traffic should firstly go to WAF and then LB and the. Netscaler.. question is can we allow only WAF ips as source in netscaler and deny all other traffic which might come throw public LB directly ?
Hi, Did you get this to work? Im having the same problem when I move the WAF in front of the Netscaler Gateway. I doubt that the Netscaler supports a reverse proxy architecture. Highly appreciate if you can share your experience/workarounds found in your case.
Hi,try this to block, whitelist ips of WAF
https://support.citrix.com/article/CTX222249
Hi, thanks for replying. Did you get it to work in reverse proxy architecture? I assume that the WAF is acting as a reverse proxy and offloading SSL. And the citrix sees all requests as if they were originated by WAF’s IP?
Thanks
Hi, how about SNMP Pooling? Is it possible for port 161 and 162 on ADC 13.0? Can it be used for SCOM 2012 to discover as well?
Hi Carl, how about SNMP Polling? Is it possible for port 161 and 162 on ADC 13.0? Can it be used for SCOM 2012 to discover as well?
Hi Carl, can we change netscaler’s SSH port number from22 to 2200
Hi Carl,
A million thanks for filling in the gaps on Citrix documentation.
I wanted to share a bizarre experience related to your comment about the NSIP being in a dedicated management network.
We configured a pair of Netscaler Gateways with NSIPs on interface 0/1 in a dedicated management network. We configured these Netscalers to send syslog traffic to a server in a different network, which the NSIP couldn’t route to. (The NSIP doesn’t have a default gateway configured. Nor does it have a static route configured to the syslog server.) We weren’t seeing the syslog traffic getting to the syslog server, so I took a packet trace.
The trace showed the syslog traffic coming from the NSIP and going to the appropriate syslog server IP. On closer inspection, I realized it was actually spoofing the NSIP onto the 1/1 interface, which is associated with the SNIP. This works, of course, because syslog is UDP and doesn’t do any session handling. Unfortunately, the SNIP interface sits behind a firewall, which saw the IP spoofing and dropped the packets. As soon as we allowed the NSIP on that SNIP VLAN in the firewall, the syslog traffic started flowing. As you pointed out, we could force that syslog traffic over the NSIP by adding a static route to the syslog server via the default gateway in the NSIP dedicated management VLAN. In reading elsewhere (https://support.citrix.com/article/CTX227648), it sounds like we could also use a NetProfile to force the traffic to come from the SNIP.
I hope this information will help support your comment about NSIP being in a dedicated management network with a default gateway in a different network.
-Mike
I prefer PBRs – https://www.carlstalhood.com/system-configuration-citrix-adc-13/#dedicatedmgmt. I should probably update this article to link to the PBR instructions.
Hello Carl,
I just have a small query which i want to clarify and hope you can help me here.
I am currently setting up Netscaler gateway for external access and want to check if i can use port 4444 instead of standard port 443 for external access?
The reason I’m asking is because i have only one public IP which i have used up for exchange and cannot afford another one.
Please advise.
Thanks,
Pavan
Most features should work fine on a custom port, but I found that OTP Push registration does not work correctly on a custom port. That means you should test it. Also, be aware that some client networks block non-standard ports.
Any guidance in adding appfw xml sql injection relaxation rules for the following
APPFW_XML_SQL – appfw_basic_webtestuatprofile https:///ws/Userxxx SQL SQL check failed for field value=”..and Joint Centre [WDFAGBOY](;)”
hi carl, i always appreciate your effort.
i have a question.
is it possible to change port number of SSH?
port number 22 –> another? is it possible..?
Thank you
The file /etc/sshd_config has a port number configuration. Not sure if changing this works on NetScaler. Not sure if changing it is supported since there are tools like NetScaler MAS that use SSH to connect to NetScaler.
Hello Carl,
As always thanks for your massive insight (no pun intended…ok I’m lying). I have a point of confusion about http redirect. I have setup http redirect on NetScaler VPX 12.x.x using the loadbalancer down method. It doesn’t work . These are some newbie questions:
1. For external connections what does my firewall have to allow? I assume TCP 80 on the IP address of the external URL?
2. Presumably this is sent to the downed LB on the NS? That is gateway_IP:Port 80?
If I telnet once this is done is this a legitimate way of testing and do you know what I should expect to see?
Again I apologize for the novice questions.
Sidebar and off topic: Do you have any posts on configuring interfaces for MPX out of the box – trunking etc, I haven’t been able to find any of yours. I need to connect a new MPX out of the box to a switch and Citrix docs arent very helpful.
1. Port 80 to the port 80 vServer that is performing the redirect.
See https://www.carlstalhood.com/netscaler-12-system-configuration/#portchannel
There’s a special place in virtual heaven for you. Thank you Carl for this quick response.
Hi Carl,
Im hoping you can help with this question I have. I’m looking to setup SNIP for a subnet that is behind a firewall. If I were top add a SNIP address from that subnet, do firewall ports need to be opened for the NetScaler to be able to use the SNIP address that is behind the firewall?
Apologies, my networking experience is limited.
Many thanks
Adding a SNIP allows you to bypass the firewall, assuming the NetScaler is connected to the subnet behind the firewall. But is this what your security team really wants? Usually bypassing firewalls is a bad security practice.
Sorry Carl – let me explain a little better – the NetScaler and it’s NSIP is infront of the firewall and the subnet would be behind it. If I assign a SNIP from that subnet, would I need certain ports open on the firewall to allow the NetScaler to use the SNIP?
Again apologies and many thanks
Is the NetScaler connected to the SNIP subnet? What subnet is the VIP on? If VIP is on one side of the firewall, and if SNIP is on the other side of the firewall, then traffic through the VIP going out the SNIP will bypass the firewall.
Thanks for the prompt reply Carl. It is not directly connected to the SNIP subnet, but it could route to it via the firewall – I’m not sure if certain ports need to be open on the firewall for it to be able to do use the SNIP? It’s like you said – the VIP is on a different Subnet infront of the firewall and SNIP subnet is behind the firewall.
VIP->NetScaler->Firewall->SNIP->Backend servers.
Many Thanks
You create a SNIP on a directly connected subnet. You configure a route using a router/firewall on the directly connected subnet. The SNIP communicates to the server through the router/firewall. As for firewall rules, that depends on the app and the port numbers you are load balancing.
You can only add SNIPs on subnets that the NetScaler is actually connected to. But you can easily add routes for any non-connected subnet.
Hi Carl,
Do you know the communications port between the MA Agent (azure) and the NetScaler MAS OnPrem?
Hey Carl, to implement remote pc access through the netscaler, do i need to open up port 80 to each client pc from the netscaler ?
Thanks
Gary
Port 80 is needed from the Delivery Controllers, but not from the NetScaler. Only the ICA ports are needed from NetScaler.
Cool, thanks for the prompt reply Carl, do i need to open up the ica ports between the client pc and the netscaler also ?
Yes.
Hi Carl,
I’m looking for some guidance on configuring a netscaler VPX 1000 for external access.
Currently I have this running in a VM with 3 NICs:
1st NIC 192.168.76.0/24
2nd NIC 192.168.75.0/24
3rd NIC 192.168.1.0/24
NetScaler IP: 192.168.76.252/24 VLAN bound to 1nd NIC (0/1)
Subnet IP: 192.168.75.251/24 VLAN bound to 2nd NIC (1/1)
Subnet IP: 192.168.1.251/24 VLAN bound to 3rd NIC (1/2)
NetScaler Gateway Virtual Server: 192.168.1.60/24
From the netscaler, I can ping IP addresses on all 3 networks above as well as the router/firewall on 192.168.1.1.
When setting up the NetScaler gateway for XenApp and XenDesktop, everything is working fine internally to 192.168.1.60/24. I’m able to telnet and open https://192.168.1.60, login to the netscaler my credentials and see/access the published apps.
When I try to add port forwarding in my router/firewall [192.168.1.1] to 192.168.1.60/24 on port 80/443, I’m unable to access the netscaler externally on the public IP on port 80/443. Telnet to either port 80/443 isn’t working.
If I port forward directly to my storefront server [192.168.1.25] on port 80/443, I can connect fine so I know the port forwarding rules are fine.
Looking through various articles, I can’t see much wrong with the config. Hope you can help.
Kind regards,
Mark.
What is the default route (0.0.0.0)? It should be pointing to the router that can access the Internet.
Or, you can enable Mac Based Forwarding to override the routing table for replies.
Hi Carl,
This is exactly what the issue was. It is now resolved by creating a new default route for 0.0.0.0 to 192.168.1.1 and removing the default route for 0.0.0.0 to 192.168.75.1.
192.168.75.1 being the IP of my Hyper-V vEthernet adapter
What was misleading me, was the fact I could ping, connect, and resolve out to the internet. This is most likely because of the nat I setup on the 192.168.75.0/24 network.
Many thanks for your prompt response, and thank for you all the effort you put into this site.
Kind regards,
Mark.
what is port use for Telemetry service , After migrate from 7.8 to 7.15 PVS found console hung , restarted the SOAP service,restarted server no luck
Hi Carl,
I’d like to point out one thing in regards the firewall rule definitions for the “Insight Integration with Director” for the NetScaler MAS Firewall Rules as well as Insight Center Firewall Rules sections.
Generally speaking, the connectivity is required from server on which Director is installed, which would commonly be separate from DDC in any mid-size to large deployments.
As far as I know, connectivity between DDC and MAS / Insight Center is required only if Director is installed on the same machine as DDC.
Also, it is possible to run the connectivity over HTTP, although HTTPS is recommended.
Regards
Hi Carl,
Basic question about DNS / name resolution on Netscaler.
I have a netscaler with two interface (Internal vs External) / Two arm mode?.
Is it possible to send name resolution query to respective DNS server. Example InternalDomain.local should go to Internal DNS (192.168.1.1) and Externaldomain.com should go to External dns (171.168.123.122) . How?
Regards,
Kamal
Maybe this? https://support.citrix.com/article/CTX205898
Hi Carl, Thanks for your awesome blog for the community
I need to use SNIP for all communications (including monitor) to back end environment. Is it possible to achieve?
1. Understand that the Netscaler uses SNIP to communicate to back end DNS, LDAP, NTP etc (if configured as LB VIP) and uses NSIP IP as source for monitor probes. To force all traffic (including monitor traffic), Is it possible to configure Net profile? If we do that, will it force all traffic through SNIP?
2. SNIP IP can be enabled for management which means NSIP is not required to log/manage NetScaler and Putty can be enabled only for SNIP?
3. With regards to creating Local LB VIP for LDAP, DNS, RADIUS etc inside NetScaler, Is it possible to use non routable IP as LB VIPs like 1.1.1.1 or 1.2.3.4?. This is to avoid requesting more IPs from network team
See https://support.citrix.com/article/CTX217712
3. With regards to creating Local LB VIP for LDAP, DNS, RADIUS etc inside NetScaler, Is it possible to use non routable IP as LB VIPs like 1.1.1.1 or 1.2.3.4?. This is to avoid requesting more IPs from network team?
Can this be done Carl or do we need to use routable IPs for LB VIPs?
Since they are essentially a loopback connection, non-routable is fine.
Hi Carl, We are experiencing issues in accessing XD VDI using IGEL thin clients. I can luanch the same VDI using our laptop. Both the laptop and IGELs are in same VLAN. IGELs are pointed to internal storefront LB. If I point the iGEL to netscaler gateway URL, it is working fine. Any thoughts
Has it ever worked?
Are you able to get Receiver logs from the Igel?
Yes it was working earlier and stopped working since April and user was living with Laptop access. All our VDIs are TLS 1.2 encrypted so we are getting the generic error message as “You have chosen not to trust “QuoVadis Global SSL ICA G3”, the issuer of the server’s security certificate (SSL error 61).”. However, when I turn off SSL and it is throwing different error as “Unable to reach the xenapp server in the specified address”.
Thanks
Thank you very much Carl for your prompt reply. I have one more question
In the environment I am working on, All servers are locked with individual Windows firewall rules applied through group policy. By default, all incoming and outgoing ports are blocked with only exceptions configured through GPO.
I can get the incoming ports to be opened (for example 80;443 on controller, 27000 on license server etc) from the article but the security team are requiring Source Ports.
In other words, the team also need outgoing ports on servers. For example, Licensing server
Incoming Port –
TCP 27000
TCP 7279
TCP 8082-8083
TCP 80
Outgoing Port— need clarification
For Example, If Controller is connecting to license server,
Source port – Dynamic (Any port between 1025-55555) – Is it possible to lock it down to range?
Destination port- 27000.
After license validation when the traffic returns from license server to VDA, Will the port be reversed?
Source Port – 27000?
Destination port – Dynamic port?
That’s a very unusual request. There’s nothing Citrix-specific about that request. How do you do it for other firewall rules? When a browser connects to a web server on port 80, how do you limit the source ports used by the browser?
This is what I thought. I am new to the environment.
For my understanding, On the license server, If only the below incoming ports are opened
Incoming Port –
TCP 27000
TCP 7279
TCP 8082-8083
TCP 80
And all the outgoing ports are blocked, Will it have any impact on licensing? Similarly for other servers/services..
Thanks again:)
Outgoing packets from the destination machines are replies. Stateful firewalls should handle replies automatically. The destination machines do not initiate connections in the other direction, except for Controllers initiating connections to VDAs, and VDAs initiating connections to Controllers.
It is clear now Carl. Thanks for clarifying this.
You mentioned “The destination machines do not initiate connections in the other direction, except for Controllers initiating connections to VDAs, and VDAs initiating connections to Controllers.”
Is this also true for connection between SF and controller as well? (XML query and XML response)
Correct. StoreFront sends request to Controller. Controller sends back a reply.
I meant, the connection between SF and Director is also both way (XML query and response), correct?
SF and Director don’t communicate with each other. But both talk to a Controller.
I realised, I typed Director instead of Controller. Thanks for your answers.
Hi Carl,
Thanks for the article. Really useful. I am working on a setup where Citrix MGMT servers (controllers; SF; directors) and VDA are on separate subnets and I can’t use port 80 anywhere. Either I need to use 443 or a different port. I could see in 5 places port 80 is used by default which I need to change. I have mentioned that below. Please add if I miss any
1. From Controller to All VDAs – TCP80 For registration; I read, it is encrypted by WCF); To configure port 8080, change VDA port (8080) from VDA agent and changing on controller by using brokerservice.exe command
2. From SF to Controller (XML) – TCP 80 (Bi) For XML brokering – To configure 443, Apply Cert on controller, Run PS command to use only 443; On SF, configure Cert; modify store to add FQDN of controller and port 443
3. From All VDAs to Controller – TCP 80 for brokering; do I need to configure this separately? Or will step 1 ensure that this traffic also flow on 8080?
4. From AdminPC to Controller – TCP 80 for powershell; How to configure this? Since controller is configured with cert (step 2), will this communication also goes in 443?
5. From NS-SNIP to Controller(STA) – TCP 80 for STA tickets; How to configure this? Since controller is configured with cert (step 2), will this communication also goes in 443?
1. That’s correct.
2. That’s correct.
3. Step 1 covers it
4. BrokerService.exe /sdkport. Then I think you have to specify the port in the -AdminAddress parameter for every PowerShell command.
5. Step 2 covers it.
Thank you very much Carl for your prompt reply. I presume for point 4, after changing the SDK port, I need to provide the new port number when launching studio (it will ask to specify delivery controller address)
I have also seen in this blog that I got to configure /sdkport change for all other controller services (Host.exe, Monitor.exe service etc) as indicated in this https://blog.citrix24.com/xendesktop-how-to-change-used-ports/
I will give it a try.
Hi Carl,
with NetScaler SDX 11.1-54.14, I noticed there’s a Console Access Option shown with NetScaler > Instances. Do you know which port is used here? I kicked off a tcpdump while trying to Access those VPX Console Shows only https communication. As https is opened w/ our firewalls, I can’t access the VPX Consoles though.
Cheers,
Jochen
It’s using WebSockets. Make sure the SVM certificate is valid.
Carl,
When creating a rule for a firewall to allow netscaler traffic, what application is using the port 7105? We are getting a ica error when opening up a session. We followed the ports needed\listed but found out that for some reason this port was not listed in the requirements.
UDP? Or TCP? If UDP, could be an Audio port.
If you run “nstcpdump.sh port 7105” on the NetScaler, do you see it sending that port?
Thank you for the response.
We had our Boundary protection team watching the traffic and gathering the data. From what we have seen in the data, that port is allowed now. But we still receive the error.
We have users from other locations that are able to use the Netscaler with no problems. What we are thinking is that at some point our Boundary team removed the rule allowing this site access due to lack of use. The site in question is our backup site. The rules were not supposed to be changed or removed.
What I am going to ask our team to do is compare the FW rules between the sites and the proxy server as well to ensure that they are set the same.
Hi Carl, please add 54321-54323 from target device to PVS Servers console ports, SOAP Service, used by Imaging Wizards.
Thanks for all
Thanks for notifying me.
Hi All, I have setup netscaler 11.1 vpx on AWS and everything is fine but when launching applications it doesn happen. From directly storefront its working fine. I just came to know that 2598/1494 is getting reset itself by delivery controller. Every ports are allowed but still these two ports are getting reset itself. Please suggest if you have any solutions.
Hi Carl,
We are using Netscaler MPX5500 in our citrix environment. Our environment is secure through SSL VPN and WAF. Client . Client wants to present the StoreFront directly out to the internet and and therefore relieve ourselves of the dependency on the NetScalers.What would we gain and what would we lose? My concern here is how we secure our environment without netscaler ? How we do the encryption to secure https connections without netscaler.
Hi Carl
Thanks for all information.
In our environment we are able to telnet( on 3009, 3010, 3011 and 22) from Site A to Site B but vice versa is not happening for GSLB setup. As per Network guy GSLB services are not running on Site A as they are unable to telnet from FW(in btw SiteA and SiteB) to SiteA. Whereas same is happening from FW to SiteB. However we have installed the GSLB service properly while configuring. I have also tested to telnet on self GSLB Site A IP via same GSLB ports and fails which indicates some issues in GSLB services in Site 1 but unable guess where it could be. Please can you help me with a hint or possible configuration to check?
Thanks in advance.
Hi carl, What is the difference between Local GSLB Site IP SNIP and SNIP? Firewall ports mentioned in this blog are for SNIP? I have a requirement to setup GSLB.
Have you seen this yet? https://www.carlstalhood.com/global-server-load-balancing-gslb-netscaler-11-1/#planning
Hey Carl,
This was GREAT help for me.
Quick question though, I have a LAB with a 3 legged scenario: 1 Subnet for Management (NSIPs), One subnet for DMZ, and another Subnet for backend services (LAN).
In this case, since I am isolating management, I notice that the source for the perl scripts is the SNIP, not the NSIPs. Is this normal behavior?
If there is no direct route, it will use the SNIP. But I’m not sure if it changes the source IP.
Hi Carls,
is there any ports to be opened between NSIP and SNIP.
If the two ips are in different subnets.
No. The NetScaler can communicate between those IPs from inside the appliance.
Hey Carl, thanks for the Information.
I have one Questions for NetScaler VPN.
Which Firewall Ports are needed for the VPN Setup? My NetScaler is in DMZ with a VPN vServer. Is only Port 443 to my StoreFront from my SNIP needed? Because I think “Any” from my SNIP to my LAN cannot be a Resolution…
Thanks an best Regards
Mark
What traffic is going across the VPN tunnel?
If you aren’t doing Intranet IPs, then everything comes from the SNIP and SNIP needs access to everything the users need to access.
If you are doing Intranet IPs, then you open firewall from the Intrnaet IP to the whatever the users need to access.
what about option 66 on the DHCP server? shouldn’t that be on this list?
Are you asking for a firewall rule if you’re using a different TFTP server than the one installed on PvS?
cannot rollback the fw rule now…customer has strict change mgmt for that..(read “the process to heavy so will leave it there for now) but this must be tested elsewhere
No it was actually OFF for some reason….my bad
Enabling it removed the firewall requirement?
Access from StoreFront nodes version 3.6 to NS LB VIP needs to be open on port 443 and https.
Found out this the hard way…it seems the SF nodes need access to /discover url. I am not sure this has to do with the new 3.6 feature “no need for hostfile modification” stuff but worth mentioning maybe in the FW rules
Is StoreFront configured with Loopback set to OnUsingHttp?
Hi Carl,
great article! But I think there is something missing in the PVS section.
You wrote:
TargetDevices -> Provisioning Servers
UDP 69 – TFTP
UDP 4011 – PXE
UDP 6890-6969 – Streaming
But shouldn’t it be more like this:
TargetDevices -> Provisioning Servers
UDP 69 – TFTP
UDP 4011/67 – PXE/Broadcast
UDP 6910 – Target Device logon at PVS
UDP 6910-6930 – streaming service (default with 8 threads per port)
UDP 6969 – Two Stage Boot (If ISO or USB is used)
And also I’m missing the PVS to PVS communication:
UDP 6890-6909 – PVS Inter-Server communication
Please correct me if I’m wrong
Best Regards,
Sebastian
Isn’t 67 only needed for DHCP on PvS? If DHCP is separate from PvS, then isn’t it 4011?
6890-6969 should encompass all of the ports. I always increase the default TD ports from 6910-6968. But if 6890-6909 is only used between servers then I could clarify that.
Hi Carl,
actually it’s the other way round.
Port 4011 will be used if PXE is on the same machine as DHCP. And port 67 is used if it’s separated (PXE Broadcast). I just added port 67 explicit for the sake of completeness. 🙂
And yes, 6890-6909 is only used for inter-pvs communication.
Didn’t notice that you wanted to point out the reconfiguration for the streaming ports – sorry!.
But you’re right – it’s a good thing to do! Maybe (to prevent misconfiguration) you should point that the range has to be manually extended and otherwise the configured ports won’t be used.
Best Regards,
Sebastian
Updated. Thanks for noticing.
Hi Carl,
Can we have LDAP and XML service servers in different subnet, from SNIP? I am able to ping the Domain Controller and CITRIX Controller Servers from the NetScaler, however I believe that goes through the NetScaler IP.
If yes, how can we configure the communication between SNIP to LDAP, DNS & XML Service? Using Gateway Routes?
Regards,
Swapnil
If the NetScaler is not connect to the same subnet as the back-end servers then NetScaler will send the packets through a router. If you only have one connected interface then it will go through the default gateway. If you have multiple subnets then you need to configure the routing table correctly.
Hi Carl, thanks for the article.
What would be the required ports to acces the SVM GUI from and the administrator´s machine?, and the same to the Xenserver IP?
And also, does the Netscaler GUI versión 11 still requieres the java ports?
You would want 22, 80, and 443 to access SVM and XenServer.
In 11 and newer, Java is not needed from the administrator machine. But still needed in 10.5 build 56 and older.
Hello CArl.
Thanks for article. I need a help for NS. Netscaler MPX appliiance version 11 or version 10.5.6 can configure as a layer 4 firewall. So i need a link or document from citrix website that Netscaler ‘s certfification approved by global authorities? Thanks for help.
I don’t think NetScaler is intended as a L4 firewall. It has ACLS and other security features but that’s not the purpose of the appliance. I always put firewalls in front my NetScalers.
If the SQL server instance is not default named..servers use UDP1434 to connect to database
Added. Thanks.
hi,
which source IP (on the netscaler) and target port are used for a CERT (smartcard) authentication server policy ?
thanks
A CERT policy should be looking at the contents of the smart care certificate to retrieve the username. I don’t think it communicates with anything.
The SSL vServer would have Client Certificates enabled. This compares the client certificate signature with a CA certificate that is bound to the SSL vServer. Optionally, you can configure CRL checking (direct or through OCSP) that would require communication with external servers. I’m guessing it uses the SNIP but I’m not sure. If you are able to set this up in a lab, run nstcpdump.sh on the NetScaler to see which IP it is using for CRL checking.
yes you’re right, i have just discovered the same thing. THanks for your quick reply !
Hi,
very good article, I think that DNS by default use NSIP (it’s like the authentication flow). Netscaler uses SNIP only in case of LB internal rules….
To verify the source IP, SSH to NetScaler, run
shell, runnstcpdump.sh port 53. Do something on NetScaler to cause a DNS query and you’ll see the Source IP.