Citrix ADC and CVAD Firewall Rules

Last Modified: Jul 8, 2021 @ 6:45 am

See CTX101810 Communication Ports Used by Citrix Technologies

Citrix ADC Firewall Rules

| From | To | Protocol / Port | Purpose |
|---|---|---|---|
| Administrator machines | NSIPs (and/or SNIPs) | TCP 22, TCP 80, TCP 443, TCP 3010, TCP 3008 | SSH and HTTP/HTTPS access to the NetScaler configuration GUI. TCP 3010 and 3008 are used by the Java-based configuration GUI; 3008 is used when that traffic is encrypted. Java is not needed in 10.5 build 57 and newer. |
| Administrator machines | NetScaler SDX SVM, XenServer | TCP 22, TCP 80, TCP 443 | To administer NetScaler SDX |
| Administrator machines | NetScaler Lights Out Module | TCP 443, TCP 623, TCP 5900 | See CTX200367 |
| NSIP, SNIP | DNS servers | Ping, UDP 53, TCP 53 | Ping is used for monitoring. It can be turned off by load balancing DNS on the same appliance. |
| NSIPs, SNIP | NetScaler MAS | TCP 27000, TCP 7279 | Pooled Licensing |
| NSIPs, SNIP | NTP servers | UDP 123 | NTP |
| NSIPs, SNIP | Syslog server | UDP 514 | Syslog |
| NSIPs | callhome.citrix.com, cis.citrix.com, taas.citrix.com | TCP 443 | Call Home |
| NSIPs (default); SNIP if load balanced on the same appliance | LDAP servers (Domain Controllers) | TCP 389 (StartTLS), TCP 636 (Secure LDAP) | LDAP authentication. Secure LDAP requires certificates on the Domain Controllers. Secure LDAP enables password changes when passwords expire. |
| NSIPs | LDAP servers | TCP 389, TCP 636 | Monitor Domain Controllers |
| NSIPs (default); SNIP if load balanced on the same appliance | RADIUS servers | UDP 1812 | RADIUS is used for two-factor authentication. |
| SNIP | RADIUS servers | UDP 1812, Ping | Monitor RADIUS servers |
| NetScaler SDX Service VM | NSIPs | Ping, TCP 22, TCP 80, TCP 443 | Only if NetScaler VPX runs as a virtual machine on top of NetScaler SDX |
| Local GSLB Site IP, SNIP | GSLB Site IP (public IP) in other datacenter | TCP 3009, TCP 3011 | GSLB Metric Exchange Protocol between appliance pairs |
| NSIPs | GSLB Site IP (public IP) in other datacenter | TCP 22, TCP 3008, TCP 3010 | GSLB configuration sync |
| Local GSLB Site IP, SNIP | All Internet | Ping, UDP 53, TCP (high ports) | RTT to DNS servers for Dynamic Proximity determination |
| SNIP | StoreFront Load Balancing VIP | TCP 443 | NetScaler Gateway communicates with StoreFront |
| SNIP | StoreFront servers | TCP 80, TCP 443, TCP 808 | StoreFront load balancing |
| NSIPs | StoreFront servers | TCP 80, TCP 443 | Monitor StoreFront servers |
| StoreFront servers | NetScaler Gateway VIP (DMZ IP) | TCP 443 | Authentication callback from StoreFront server to NetScaler Gateway |
| SNIP | Each individual Delivery Controller in every datacenter | TCP 80, TCP 443 | Secure Ticket Authorities. This cannot be load balanced. TCP 443 only if certificates are installed on the Delivery Controllers. |
| SNIP | All internal virtual desktops and session hosts (subnet rule?) | TCP 1494, TCP 2598, UDP 1494, UDP 2598, UDP 16500-16509 | HDX ICA, Enlightened Data Transport, Session Reliability, UDP Audio |
| All Internet, All internal users | NetScaler Gateway VIP (public IP) | TCP 80, TCP 443, UDP 443 | Connections from browsers and native Receivers; DTLS for UDP Audio |
| All Internet, All internal DNS servers | ADNS listener on a SNIP (public IP) | UDP 53, TCP 53 | ADNS (for GSLB) |
| Web logging server | NSIPs | TCP 3010 | Web logging polls the NetScalers. |
| NSIPs | NetScaler MAS or other SNMP trap destination | UDP 161, UDP 162 | SNMP. Traps are sent from the NSIP to UDP 162; the manager polls the NSIP on UDP 161. |
| NSIPs, SNIP | NetScaler MAS or other AppFlow collector | UDP 4739, TCP 5557, TCP 5558, TCP 5563 | AppFlow (IPFIX, Logstream, and Metrics) |
| NSIP | mfa.cloud.com, trust.citrixworkspacesapi.net | TCP 443 | Native OTP Push (DNS resolution required) |

  • Authentication traffic uses NSIPs by default. This can be changed by creating a local Load Balancing Virtual Server on the same appliance and sending authentication traffic through the Load Balancing VIP.
  • Several of the Load Balancing monitors run as Perl scripts, which are sourced from the NSIPs, not SNIP. But actual load balancing traffic uses SNIP as the source IP.
  • DNS Name Servers use ping for monitoring. This can be disabled by creating a local Load Balancing Virtual Server on the same appliance and sending DNS traffic through the load balancer.
  • In an ADC with a dedicated management network and a default route on a different data network, configure Policy Based Routes (PBRs) to send NSIP-sourced traffic through a router on the NSIP subnet.
  • Logstream defaults to SNIP as source but can be changed to NSIP. See CTX286215.
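The NSIP-versus-SNIP sourcing in the table and the notes above is the part firewall teams most often get wrong, so it is worth verifying against what the appliance actually sends. The following is an added Python example (not code from this post or from Citrix) that takes tcpdump-style lines, such as the output of nstcpdump.sh on the ADC, and flags every new flow that the rule table does not permit from the source address it was seen on. The NSIP/SNIP addresses, the destination subnets, the rule subset and the capture lines are all constructed for the example and are assumptions, not values from the page.

```python
"""Audit ADC-originated flows in a tcpdump/nstcpdump.sh capture against the
expected rule table (which ADC address may talk to which destination/port)."""
from dataclasses import dataclass
import ipaddress
import re

# Constructed lab addressing (assumption, not from the page).
NSIPS = {"10.1.1.11", "10.1.1.12"}
SNIPS = {"10.2.2.10"}
SOURCE_ROLE = {**{ip: "NSIP" for ip in NSIPS}, **{ip: "SNIP" for ip in SNIPS}}

# Destination roles by address block (assumed lab addressing).
DEST_ROLE = {
    "LDAP": ("10.3.3.0/24",),
    "Syslog": ("10.4.4.5/32",),
    "StoreFront": ("10.5.5.0/24",),
}


@dataclass(frozen=True)
class Rule:
    sources: frozenset   # ADC addresses that may originate the flow ("NSIP", "SNIP")
    dest: str            # destination role
    proto: str           # "tcp" or "udp"
    ports: range         # destination ports covered by the rule
    purpose: str


# Subset of the ADC rule table above, expressed as rules.
RULES = (
    Rule(frozenset({"NSIP", "SNIP"}), "LDAP", "tcp", range(389, 390), "LDAP auth (NSIP default, SNIP if load balanced)"),
    Rule(frozenset({"NSIP", "SNIP"}), "LDAP", "tcp", range(636, 637), "Secure LDAP"),
    Rule(frozenset({"NSIP", "SNIP"}), "Syslog", "udp", range(514, 515), "Syslog"),
    Rule(frozenset({"SNIP"}), "StoreFront", "tcp", range(80, 81), "StoreFront load balancing"),
    Rule(frozenset({"SNIP"}), "StoreFront", "tcp", range(443, 444), "StoreFront load balancing / Gateway to StoreFront"),
    Rule(frozenset({"SNIP"}), "StoreFront", "tcp", range(808, 809), "StoreFront load balancing (subscription replication)"),
    Rule(frozenset({"NSIP"}), "StoreFront", "tcp", range(80, 81), "Monitor StoreFront"),
    Rule(frozenset({"NSIP"}), "StoreFront", "tcp", range(443, 444), "Monitor StoreFront"),
)

# tcpdump -n style: "IP src.sport > dst.dport: rest"
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)")


def parse_flow(line):
    """Return (src, dst, proto, dport) for a new flow, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, _sport, dst, dport, rest = m.groups()
    if rest.startswith("UDP"):
        proto = "udp"
    elif "Flags [S]" in rest:      # SYN without ACK: a connection the ADC initiated
        proto = "tcp"
    else:
        return None                # SYN-ACK, data or other packets are not new flows
    return src, dst, proto, int(dport)


def dest_role(ip):
    addr = ipaddress.ip_address(ip)
    for role, blocks in DEST_ROLE.items():
        if any(addr in ipaddress.ip_network(b) for b in blocks):
            return role
    return None


def classify(src, dst, proto, dport):
    """Return None if the flow matches the rule table, otherwise the reason it does not."""
    src_role = SOURCE_ROLE.get(src)
    if src_role is None:
        return f"source {src} is neither an NSIP nor a SNIP"
    role = dest_role(dst)
    if role is None:
        return f"no rule covers destination {dst}"
    candidates = [r for r in RULES if r.dest == role and r.proto == proto and dport in r.ports]
    if not candidates:
        return f"no rule covers {role} {proto}/{dport}"
    if any(src_role in r.sources for r in candidates):
        return None
    allowed = "/".join(sorted({s for r in candidates for s in r.sources}))
    return f"{role} {proto}/{dport} allowed only from {allowed}, seen from {src_role}"


def audit(lines):
    """Flows in the capture that the rule table does not permit, with the capture line number."""
    findings = []
    for n, line in enumerate(lines, 1):
        flow = parse_flow(line)
        if flow is None:
            continue
        reason = classify(*flow)
        if reason:
            src, dst, proto, dport = flow
            findings.append({"line": n, "src": src, "dst": dst, "proto": proto, "port": dport, "reason": reason})
    return findings


# Constructed capture modelled on tcpdump -n output (not a real trace).
SAMPLE_CAPTURE = """\
10:00:01.000001 IP 10.1.1.11.43512 > 10.3.3.20.389: Flags [S], seq 1, win 64240, length 0
10:00:01.000002 IP 10.3.3.20.389 > 10.1.1.11.43512: Flags [S.], seq 2, ack 2, win 65535, length 0
10:00:02.000001 IP 10.2.2.10.51000 > 10.3.3.20.636: Flags [S], seq 1, win 64240, length 0
10:00:03.000001 IP 10.1.1.11.40000 > 10.4.4.5.514: UDP, length 120
10:00:04.000001 IP 10.2.2.10.50100 > 10.5.5.7.443: Flags [S], seq 1, win 64240, length 0
10:00:05.000001 IP 10.1.1.11.40001 > 10.5.5.7.808: Flags [S], seq 1, win 64240, length 0
10:00:06.000001 IP 10.2.2.10.50102 > 203.0.113.9.22: Flags [S], seq 1, win 64240, length 0
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CAPTURE.splitlines()):
        print(f"line {f['line']}: {f['src']} -> {f['dst']} {f['proto']}/{f['port']}: {f['reason']}")
```

Against the constructed capture the script reports two flows: an NSIP opening TCP 808 to a StoreFront server, which the table only permits from the SNIP, and a SNIP opening SSH to an address no rule covers. Feeding it a real nstcpdump.sh capture taken on the appliance, with the address maps filled in, shows directly which source IP each monitor or authentication flow really uses before the firewall rules are written.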

Citrix ADM Firewall Rules

Citrix Application Delivery Management (ADM) monitors and manages the ADC appliances.

| From | To | Protocol / Port | Purpose |
|---|---|---|---|
| ADM Floating IP, ADM Agent | NSIPs | Ping, TCP 22, TCP 80, TCP 443 | Discovery and configuration of ADC devices |
| NSIPs | ADM Floating IP, ADM Agent | TCP 80, TCP 443 | Nitro |
| ADM (Primary, Secondary) | NSIPs | UDP 161 | SNMP |
| ADM Agents | ADM Floating IP | TCP 443, TCP 7443, TCP 8443 | Agent communication |
| NSIPs | ADM Floating IP, ADM Agent | UDP 4739 | AppFlow |
| SNIP | ADM Floating IP, ADM Agent | TCP 5563 | Metrics Collector |
| NSIPs, SNIP | ADM Floating IP, ADM Agent | TCP 5557, TCP 5558 | Logstream (ULFD) |
| NSIPs | ADM Floating IP, ADM Agent | UDP 161, UDP 162 | SNMP traps |
| NSIPs | ADM Floating IP, ADM Agent | UDP 514 | Syslog |
| CPX NSIPs, VPX NSIPs | ADM Floating IP, ADM Agent | TCP 27000, TCP 7279 | Pooled Licensing |
| Administrator machines | ADM Floating IP, ADM Agent | TCP 22, TCP 80, TCP 443 | Web-based GUI |
| Director servers | ADM Floating IP | TCP 80, TCP 443 | Insight integration with Director |
| ADM | LDAP(S) servers or LDAP(S) VIP | TCP 389, TCP 636 | LDAP authentication |
| ADM | Mail server | TCP 25 | Email alerts |
| ADM | NTP server | UDP 123 | NTP |
| ADM | Syslog server | UDP 514 | Syslog |

Citrix Virtual Apps and Desktops Firewall Rules

| From | To | Protocol / Port | Purpose |
|---|---|---|---|
| Administrator machines | Delivery Controllers | TCP 80/443, TCP 3389 | PowerShell, RDP |
| Delivery Controllers | SQL Server | TCP 1433, UDP 1434, or other static port | SQL database |
| Delivery Controllers | vCenter | TCP 443 | vCenter |
| Delivery Controllers | SCVMM (Hyper-V) | TCP 8100 | SCVMM |
| Delivery Controllers | Citrix Licensing | TCP 27000, TCP 7279, TCP 8082-8083 | Citrix Licensing |
| StoreFront servers | Delivery Controllers | TCP 80, TCP 443 | XML, Secure Ticket Authority |
| StoreFront servers | StoreFront servers | TCP 808 | Subscription replication |
| StoreFront servers | Domain Controllers in trusted domains | TCP 88, TCP 135, TCP 445, TCP 389/636, TCP 49151-65535 | RPC (Discussions) |
| Administrator machines | StoreFront servers | TCP 3389 | RDP |
| Administrator machines | Citrix Licensing | TCP 8082-8083, TCP 3389 | Web-based administration GUI, RDP |
| Delivery Controllers | All VDAs | TCP 80 | Brokering |
| All VDAs | Delivery Controllers | TCP 80 | Registration |
| All VDAs | Global Catalogs (Domain Controllers) | TCP 3268 | Registration |
| All Server OS VDAs | Remote Desktop Licensing Server | RPC and SMB | Remote Desktop Licensing |
| All Workspace apps (internal) | StoreFront SSL Load Balancing VIP | TCP 80, TCP 443 | Internal access to StoreFront |
| All Workspace apps | Citrix Gateway VIP | TCP 80, TCP 443 | External (or internal) access to Citrix Gateway |
| All Workspace apps (internal) | All VDAs | TCP 1494, UDP 1494, TCP 2598, UDP 2598, UDP 16500-16509 | ICA/HDX, EDT, Session Reliability, UDP Audio |
| Administrator machines | Director | TCP 3389 | RDP |
| Administrator machines, Help Desk machines | Director | TCP 80, TCP 443 | Web-based GUI |
| Director | Delivery Controllers | TCP 80, TCP 443 | Director |
| Administrator machines, Help Desk machines | All VDAs | TCP 135, TCP 3389 | Remote Assistance |

Also see Microsoft TechNet: Which ports are used by an RDS 2012 deployment?
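The table above is written from the initiator's point of view, but host firewalls are configured per destination: each Delivery Controller, StoreFront server or VDA needs an inbound allow for every peer that initiates a connection to it, and nothing for the replies, which a stateful firewall matches to the existing connection. The following is an added Python example (not code from this post or from Citrix) that pivots a subset of the CVAD rows into per-role inbound allow-lists, merges contiguous ports into ranges, and emits Windows Firewall `New-NetFirewallRule` commands. The role-to-address map is an assumption constructed for the example; the rule tuples are transcribed from the table.

```python
"""Pivot the CVAD rule table into per-role inbound allow-lists and render
Windows Firewall (New-NetFirewallRule) commands for each destination role."""
from collections import defaultdict

# (source role, destination role, protocol, ports, purpose), transcribed from the table above.
RULES = (
    ("Administrator machines", "Delivery Controllers", "TCP", (80, 443, 3389), "PowerShell, RDP"),
    ("Delivery Controllers", "SQL Server", "TCP", (1433,), "SQL database"),
    ("Delivery Controllers", "SQL Server", "UDP", (1434,), "SQL Browser"),
    ("Delivery Controllers", "Citrix Licensing", "TCP", (27000, 7279, 8082, 8083), "Citrix Licensing"),
    ("StoreFront servers", "Delivery Controllers", "TCP", (80, 443), "XML, Secure Ticket Authority"),
    ("StoreFront servers", "StoreFront servers", "TCP", (808,), "Subscription replication"),
    ("Delivery Controllers", "All VDAs", "TCP", (80,), "Brokering"),
    ("All VDAs", "Delivery Controllers", "TCP", (80,), "Registration"),
    ("All VDAs", "Global Catalogs", "TCP", (3268,), "Registration"),
    ("All Workspace apps", "All VDAs", "TCP", (1494, 2598), "ICA/HDX, Session Reliability"),
    ("All Workspace apps", "All VDAs", "UDP", (1494, 2598, *range(16500, 16510)), "EDT, UDP Audio"),
    ("Director", "Delivery Controllers", "TCP", (80, 443), "Director"),
    ("Administrator machines", "All VDAs", "TCP", (135, 3389), "Remote Assistance"),
)

# Assumed address blocks per role (constructed for the example; substitute real values).
ADDRESSES = {
    "Administrator machines": "10.10.0.0/24",
    "Delivery Controllers": "10.20.0.0/24",
    "StoreFront servers": "10.30.0.0/24",
    "All VDAs": "10.40.0.0/16",
    "All Workspace apps": "10.0.0.0/8",
    "Director": "10.50.0.5",
    "SQL Server": "10.60.0.1",
    "Citrix Licensing": "10.60.0.2",
    "Global Catalogs": "10.70.0.0/24",
}


def port_spec(ports):
    """Collapse a port collection into the 'a,b,c-d' form that -LocalPort accepts."""
    ports = sorted(set(ports))
    spans, start, prev = [], ports[0], ports[0]
    for p in ports[1:]:
        if p == prev + 1:
            prev = p
            continue
        spans.append((start, prev))
        start = prev = p
    spans.append((start, prev))
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in spans)


def inbound(role):
    """Inbound rules a host of `role` needs: {(source role, proto): sorted ports}.

    Only rows where `role` is the destination count. Replies to connections the
    host itself initiates are matched by stateful inspection and need no rule."""
    merged = defaultdict(set)
    for src, dst, proto, ports, _purpose in RULES:
        if dst == role:
            merged[(src, proto)].update(ports)
    return {key: sorted(ports) for key, ports in merged.items()}


def powershell_rules(role):
    """One New-NetFirewallRule line per (source role, protocol) for a host of `role`."""
    lines = []
    for (src, proto), ports in sorted(inbound(role).items()):
        name = f"CVAD {role} from {src} {proto}"
        lines.append(
            f'New-NetFirewallRule -DisplayName "{name}" -Direction Inbound -Action Allow '
            f"-Protocol {proto} -LocalPort {port_spec(ports)} -RemoteAddress {ADDRESSES[src]}"
        )
    return lines


if __name__ == "__main__":
    for role in ("Delivery Controllers", "All VDAs"):
        print(f"# {role}")
        print("\n".join(powershell_rules(role)))
```

Run on a Delivery Controller role this yields four inbound rules (from administrator machines, Director, StoreFront servers and VDAs, all TCP) and no UDP rule at all, which answers the recurring question about "outgoing ports": the Controller's connections to SQL, licensing and VDAs need only outbound allows on the Controller and inbound allows on those peers.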

Citrix Provisioning Firewall Rules

| From | To | Protocol / Port | Purpose |
|---|---|---|---|
| Provisioning Servers | SQL Server | TCP 1433, UDP 1434, or other static port | SQL database for Provisioning Services |
| Provisioning Servers | Provisioning Servers | SMB | File copy of vDisk files |
| Provisioning Servers | Provisioning Servers | UDP 6890-6909 | Inter-server communication |
| Provisioning Servers | Citrix Licensing | TCP 27000, TCP 7279, TCP 8082-8083, TCP 80 | Citrix Licensing |
| Provisioning Servers | Controllers | TCP 80, TCP 443 | Setup Wizards to create machines |
| Provisioning Servers | vCenter | TCP 443 | Setup Wizards to create machines |
| Provisioning Servers | Target Devices | UDP 6901, UDP 6902, UDP 6905 | Provisioning Services Console target device power actions (e.g. Restart) |
| Administrator machines | Provisioning Servers | TCP 3389, TCP 54321, TCP 54322, TCP 54323 | RDP, SOAP |
| Controllers | Provisioning Servers | TCP 54321, TCP 54322, TCP 54323 | Add machines to Catalog |
| Target Devices | DHCP Servers | UDP 67 | DHCP |
| Target Devices | KMS Server | TCP 1688 | KMS Licensing |
| Target Devices | Provisioning Servers | UDP 69, UDP 67/4011, UDP 6910-6969 | TFTP, PXE, Streaming (expanded port range) |
| Target Devices | Provisioning Servers | UDP 6969, UDP 2071 | Two-stage boot (BDM) |
| Target Devices | Provisioning Servers | TCP 54321, TCP 54322, TCP 54323 | Imaging Wizard to SOAP Service |

113 thoughts on “Citrix ADC and CVAD Firewall Rules”

  1. Hi Carl, I’ve been a long-time follower of your site, and it has been very helpful to my journey as a Citrix admin. I have a question about putting a CDN (Cloudflare) in front of my Citrix Gateway for ICA proxy. We’re able to log on and authenticate to the portal but we’re experiencing failure in launching the .ICA files. Is there a configuration in ADC that could allow the .ICA traffic to flow properly when launching Citrix Apps from the ADC portal?

    1. I don’t think ICA traffic works through an SSL decryption/inspection device.

      One option is to have separate Gateway vServers for StoreFront and ICA. You can decrypt StoreFront, but ICA can’t be decrypted. Use Optimal Gateway Routing to send ICA traffic through the second Gateway.

  2. Hi,

    We noticed that when using PVS console to start/stop/restart services on other devices, there is traffic on port 135 (that stands for RPC) and 49800+ ports (these looks like dynamic). Are you aware of this requirement?

    1. PVS Console on one PVS server sending a service restart command to a different PVS server? Isn’t that how services.msc works? Or “sc” works?

      1. We have a development, it was RPC return traffic, we used default RPC windows firewall policy, and now it works.

  3. Hi Carl,

    For the ADCs I think you forgot UDP 7000 for Cluster Heart Beat Exchange, am I right?

    Regards,
    Hong

  4. Hi Carl,

    do you want to extend your list with info regarding Push OTP? Are you able to check with Citrix whether it’s the ADC’s NSIP or SNIP which should be able to communicate to mfa.cloud.com and trust.citrixworkspaceapi.net?

    “On premises Citrix ADC appliances must be able to resolve server addresses mfa.cloud.com and trust.citrixworkspacesapi.net and are accessible from the appliance. This is to ensure that there are no firewalls or IP address blocks for these servers over port 443” from https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/authentication-methods/push-notification-otp.html

    Thanks in advance
    Regards
    Julian

    1. Thanks for the suggestion. I just added it.

      You can run nstcpdump.sh to confirm the source IP. I suspect it is NSIP.

  5. NSIP is in the same subnet as the DNS server so directly connected, no SNIP in this subnet. I can ping the nameserver from a SSH session however the ADC marks it in the GUI as down. Nameserver itself is working fine.

  6. Worth mentioning that if you use multi-stream ICA, you will need to ensure the additional ports are open on the FW between ADC and VDAs. This applies to both TCP and, if using EDT via ADC, UDP traffic. eg. 2598-2601 TCP and UDP.

  7. Hello Carl,
    We have NetScaler in a cloud environment behind a public load balancer. Recently we also took a WAF as a 3rd-party SaaS in front of the load balancer. Now all traffic should first go to the WAF, then the LB and then NetScaler. The question is: can we allow only the WAF IPs as source in NetScaler and deny all other traffic which might come through the public LB directly?

    1. Hi, did you get this to work? I’m having the same problem when I move the WAF in front of the NetScaler Gateway. I doubt that the NetScaler supports a reverse proxy architecture. I would highly appreciate it if you can share your experience/workarounds found in your case.

        1. Hi, thanks for replying. Did you get it to work in reverse proxy architecture? I assume that the WAF is acting as a reverse proxy and offloading SSL. And the citrix sees all requests as if they were originated by WAF’s IP?

          Thanks

          1. Hi, did you ever manage to work out the reverse proxy architecture? I’m currently seeing exactly the same behaviour in an environment we have recently built out.

  8. Hi, how about SNMP Pooling? Is it possible for port 161 and 162 on ADC 13.0? Can it be used for SCOM 2012 to discover as well?

    1. Hi Carl, how about SNMP Polling? Is it possible for port 161 and 162 on ADC 13.0? Can it be used for SCOM 2012 to discover as well?

  9. Hi Carl,

    A million thanks for filling in the gaps on Citrix documentation.

    I wanted to share a bizarre experience related to your comment about the NSIP being in a dedicated management network.

    We configured a pair of Netscaler Gateways with NSIPs on interface 0/1 in a dedicated management network. We configured these Netscalers to send syslog traffic to a server in a different network, which the NSIP couldn’t route to. (The NSIP doesn’t have a default gateway configured. Nor does it have a static route configured to the syslog server.) We weren’t seeing the syslog traffic getting to the syslog server, so I took a packet trace.

    The trace showed the syslog traffic coming from the NSIP and going to the appropriate syslog server IP. On closer inspection, I realized it was actually spoofing the NSIP onto the 1/1 interface, which is associated with the SNIP. This works, of course, because syslog is UDP and doesn’t do any session handling. Unfortunately, the SNIP interface sits behind a firewall, which saw the IP spoofing and dropped the packets. As soon as we allowed the NSIP on that SNIP VLAN in the firewall, the syslog traffic started flowing. As you pointed out, we could force that syslog traffic over the NSIP by adding a static route to the syslog server via the default gateway in the NSIP dedicated management VLAN. In reading elsewhere (https://support.citrix.com/article/CTX227648), it sounds like we could also use a NetProfile to force the traffic to come from the SNIP.

    I hope this information will help support your comment about NSIP being in a dedicated management network with a default gateway in a different network.

    -Mike

  10. Hello Carl,

    I just have a small query which i want to clarify and hope you can help me here.

    I am currently setting up NetScaler Gateway for external access and want to check if I can use port 4444 instead of the standard port 443 for external access?

    The reason I’m asking is because I have only one public IP, which I have used up for Exchange, and cannot afford another one.

    Please advise.

    Thanks,
    Pavan

    1. Most features should work fine on a custom port, but I found that OTP Push registration does not work correctly on a custom port. That means you should test it. Also, be aware that some client networks block non-standard ports.

  11. Hi Carl, I always appreciate your effort.
    I have a question.
    Is it possible to change the port number of SSH?
    Port number 22 –> another? Is it possible?

    Thank you

    1. The file /etc/sshd_config has a port number configuration. Not sure if changing this works on NetScaler. Not sure if changing it is supported since there are tools like NetScaler MAS that use SSH to connect to NetScaler.

  12. Hello Carl,
    As always thanks for your massive insight (no pun intended…ok I’m lying). I have a point of confusion about HTTP redirect. I have set up HTTP redirect on NetScaler VPX 12.x.x using the load balancer down method. It doesn’t work. These are some newbie questions:
    1. For external connections what does my firewall have to allow? I assume TCP 80 on the IP address of the external URL?
    2. Presumably this is sent to the downed LB on the NS? That is gateway_IP:Port 80?

    If I telnet once this is done is this a legitimate way of testing and do you know what I should expect to see?

    Again I apologize for the novice questions.

    Sidebar and off topic: Do you have any posts on configuring interfaces for MPX out of the box – trunking etc.? I haven’t been able to find any of yours. I need to connect a new MPX out of the box to a switch and Citrix docs aren’t very helpful.

  13. Hi Carl,

    I’m hoping you can help with this question I have. I’m looking to set up a SNIP for a subnet that is behind a firewall. If I were to add a SNIP address from that subnet, do firewall ports need to be opened for the NetScaler to be able to use the SNIP address that is behind the firewall?

    Apologies, my networking experience is limited.

    Many thanks

    1. Adding a SNIP allows you to bypass the firewall, assuming the NetScaler is connected to the subnet behind the firewall. But is this what your security team really wants? Usually bypassing firewalls is a bad security practice.

      1. Sorry Carl – let me explain a little better – the NetScaler and its NSIP are in front of the firewall and the subnet would be behind it. If I assign a SNIP from that subnet, would I need certain ports open on the firewall to allow the NetScaler to use the SNIP?

        Again apologies and many thanks

        1. Is the NetScaler connected to the SNIP subnet? What subnet is the VIP on? If VIP is on one side of the firewall, and if SNIP is on the other side of the firewall, then traffic through the VIP going out the SNIP will bypass the firewall.

          1. Thanks for the prompt reply Carl. It is not directly connected to the SNIP subnet, but it could route to it via the firewall – I’m not sure if certain ports need to be open on the firewall for it to be able to use the SNIP? It’s like you said – the VIP is on a different subnet in front of the firewall and the SNIP subnet is behind the firewall.

            VIP->NetScaler->Firewall->SNIP->Backend servers.

            Many Thanks

          2. You create a SNIP on a directly connected subnet. You configure a route using a router/firewall on the directly connected subnet. The SNIP communicates to the server through the router/firewall. As for firewall rules, that depends on the app and the port numbers you are load balancing.

        2. You can only add SNIPs on subnets that the NetScaler is actually connected to. But you can easily add routes for any non-connected subnet.

  14. Hey Carl, to implement Remote PC Access through the NetScaler, do I need to open up port 80 to each client PC from the NetScaler?
    Thanks
    Gary

    1. Port 80 is needed from the Delivery Controllers, but not from the NetScaler. Only the ICA ports are needed from NetScaler.

      1. Cool, thanks for the prompt reply Carl. Do I need to open up the ICA ports between the client PC and the NetScaler also?

  15. Hi Carl,

    I’m looking for some guidance on configuring a netscaler VPX 1000 for external access.
    Currently I have this running in a VM with 3 NICs:

    1st NIC 192.168.76.0/24
    2nd NIC 192.168.75.0/24
    3rd NIC 192.168.1.0/24

    NetScaler IP: 192.168.76.252/24 VLAN bound to 1st NIC (0/1)
    Subnet IP: 192.168.75.251/24 VLAN bound to 2nd NIC (1/1)
    Subnet IP: 192.168.1.251/24 VLAN bound to 3rd NIC (1/2)
    NetScaler Gateway Virtual Server: 192.168.1.60/24

    From the netscaler, I can ping IP addresses on all 3 networks above as well as the router/firewall on 192.168.1.1.

    When setting up the NetScaler Gateway for XenApp and XenDesktop, everything is working fine internally to 192.168.1.60/24. I’m able to telnet and open https://192.168.1.60, log in to the NetScaler with my credentials and see/access the published apps.

    When I try to add port forwarding in my router/firewall [192.168.1.1] to 192.168.1.60/24 on port 80/443, I’m unable to access the netscaler externally on the public IP on port 80/443. Telnet to either port 80/443 isn’t working.

    If I port forward directly to my storefront server [192.168.1.25] on port 80/443, I can connect fine so I know the port forwarding rules are fine.

    Looking through various articles, I can’t see much wrong with the config. Hope you can help.

    Kind regards,

    Mark.

    1. What is the default route (0.0.0.0)? It should be pointing to the router that can access the Internet.

      Or, you can enable Mac Based Forwarding to override the routing table for replies.

      1. Hi Carl,

        This is exactly what the issue was. It is now resolved by creating a new default route for 0.0.0.0 to 192.168.1.1 and removing the default route for 0.0.0.0 to 192.168.75.1.

        192.168.75.1 being the IP of my Hyper-V vEthernet adapter

        What was misleading me was the fact I could ping, connect, and resolve out to the internet. This is most likely because of the NAT I set up on the 192.168.75.0/24 network.

        Many thanks for your prompt response, and thank for you all the effort you put into this site.

        Kind regards,

        Mark.

  16. What port is used for the Telemetry service? After migrating from 7.8 to 7.15 PVS, I found the console hung. I restarted the SOAP service and restarted the server, no luck.

  17. Hi Carl,

    I’d like to point out one thing in regards the firewall rule definitions for the “Insight Integration with Director” for the NetScaler MAS Firewall Rules as well as Insight Center Firewall Rules sections.

    Generally speaking, the connectivity is required from server on which Director is installed, which would commonly be separate from DDC in any mid-size to large deployments.
    As far as I know, connectivity between DDC and MAS / Insight Center is required only if Director is installed on the same machine as DDC.

    Also, it is possible to run the connectivity over HTTP, although HTTPS is recommended.

    Regards

  18. Hi Carl,

    Basic question about DNS / name resolution on Netscaler.

    I have a netscaler with two interface (Internal vs External) / Two arm mode?.
    Is it possible to send name resolution query to respective DNS server. Example InternalDomain.local should go to Internal DNS (192.168.1.1) and Externaldomain.com should go to External dns (171.168.123.122) . How?

    Regards,
    Kamal

  19. Hi Carl, Thanks for your awesome blog for the community
    I need to use SNIP for all communications (including monitor) to back end environment. Is it possible to achieve?
    1. Understand that the Netscaler uses SNIP to communicate to back end DNS, LDAP, NTP etc (if configured as LB VIP) and uses NSIP IP as source for monitor probes. To force all traffic (including monitor traffic), Is it possible to configure Net profile? If we do that, will it force all traffic through SNIP?
    2. SNIP IP can be enabled for management which means NSIP is not required to log/manage NetScaler and Putty can be enabled only for SNIP?
    3. With regards to creating Local LB VIP for LDAP, DNS, RADIUS etc inside NetScaler, Is it possible to use non routable IP as LB VIPs like 1.1.1.1 or 1.2.3.4?. This is to avoid requesting more IPs from network team

      1. 3. With regards to creating Local LB VIP for LDAP, DNS, RADIUS etc inside NetScaler, Is it possible to use non routable IP as LB VIPs like 1.1.1.1 or 1.2.3.4?. This is to avoid requesting more IPs from network team?

        Can this be done Carl or do we need to use routable IPs for LB VIPs?

          1. Hi Carl, We are experiencing issues in accessing XD VDI using IGEL thin clients. I can launch the same VDI using our laptop. Both the laptop and IGELs are in the same VLAN. IGELs are pointed to the internal StoreFront LB. If I point the IGEL to the NetScaler Gateway URL, it is working fine. Any thoughts?

          2. Yes it was working earlier and stopped working since April and user was living with Laptop access. All our VDIs are TLS 1.2 encrypted so we are getting the generic error message as “You have chosen not to trust “QuoVadis Global SSL ICA G3”, the issuer of the server’s security certificate (SSL error 61).”. However, when I turn off SSL and it is throwing different error as “Unable to reach the xenapp server in the specified address”.

            Thanks

  20. Thank you very much Carl for your prompt reply. I have one more question
    In the environment I am working on, All servers are locked with individual Windows firewall rules applied through group policy. By default, all incoming and outgoing ports are blocked with only exceptions configured through GPO.
    I can get the incoming ports to be opened (for example 80;443 on controller, 27000 on license server etc) from the article but the security team are requiring Source Ports.
    In other words, the team also need outgoing ports on servers. For example, Licensing server
    Incoming Port –
    TCP 27000
    TCP 7279
    TCP 8082-8083
    TCP 80
    Outgoing Port— need clarification
    For Example, If Controller is connecting to license server,
    Source port – Dynamic (Any port between 1025-55555) – Is it possible to lock it down to range?
    Destination port- 27000.
    After license validation when the traffic returns from license server to VDA, Will the port be reversed?
    Source Port – 27000?
    Destination port – Dynamic port?

    1. That’s a very unusual request. There’s nothing Citrix-specific about that request. How do you do it for other firewall rules? When a browser connects to a web server on port 80, how do you limit the source ports used by the browser?

      1. This is what I thought. I am new to the environment.
        For my understanding, On the license server, If only the below incoming ports are opened
        Incoming Port –
        TCP 27000
        TCP 7279
        TCP 8082-8083
        TCP 80
        And all the outgoing ports are blocked, Will it have any impact on licensing? Similarly for other servers/services..

        Thanks again:)

        1. Outgoing packets from the destination machines are replies. Stateful firewalls should handle replies automatically. The destination machines do not initiate connections in the other direction, except for Controllers initiating connections to VDAs, and VDAs initiating connections to Controllers.

          1. It is clear now Carl. Thanks for clarifying this.
            You mentioned “The destination machines do not initiate connections in the other direction, except for Controllers initiating connections to VDAs, and VDAs initiating connections to Controllers.”
            Is this also true for connection between SF and controller as well? (XML query and XML response)

          2. I meant, the connection between SF and Director is also both way (XML query and response), correct?

          3. SF and Director don’t communicate with each other. But both talk to a Controller.

  21. Hi Carl,
    Thanks for the article. Really useful. I am working on a setup where Citrix MGMT servers (controllers; SF; directors) and VDA are on separate subnets and I can’t use port 80 anywhere. Either I need to use 443 or a different port. I could see in 5 places port 80 is used by default which I need to change. I have mentioned that below. Please add if I miss any
    1. From Controller to All VDAs – TCP80 For registration; I read, it is encrypted by WCF); To configure port 8080, change VDA port (8080) from VDA agent and changing on controller by using brokerservice.exe command
    2. From SF to Controller (XML) – TCP 80 (Bi) For XML brokering – To configure 443, Apply Cert on controller, Run PS command to use only 443; On SF, configure Cert; modify store to add FQDN of controller and port 443
    3. From All VDAs to Controller – TCP 80 for brokering; do I need to configure this separately? Or will step 1 ensure that this traffic also flow on 8080?
    4. From AdminPC to Controller – TCP 80 for powershell; How to configure this? Since controller is configured with cert (step 2), will this communication also goes in 443?
    5. From NS-SNIP to Controller(STA) – TCP 80 for STA tickets; How to configure this? Since controller is configured with cert (step 2), will this communication also goes in 443?

    1. 1. That’s correct.
      2. That’s correct.
      3. Step 1 covers it
      4. BrokerService.exe /sdkport. Then I think you have to specify the port in the -AdminAddress parameter for every PowerShell command.
      5. Step 2 covers it.

      1. Thank you very much Carl for your prompt reply. I presume for point 4, after changing the SDK port, I need to provide the new port number when launching studio (it will ask to specify delivery controller address)
        I have also seen in this blog that I got to configure /sdkport change for all other controller services (Host.exe, Monitor.exe service etc) as indicated in this https://blog.citrix24.com/xendesktop-how-to-change-used-ports/
        I will give it a try.

  22. Hi Carl,

    with NetScaler SDX 11.1-54.14, I noticed there’s a Console Access option shown under NetScaler > Instances. Do you know which port is used here? I kicked off a tcpdump while trying to access those VPX consoles and it shows only HTTPS communication. Although HTTPS is opened on our firewalls, I can’t access the VPX consoles.

    Cheers,
    Jochen

  23. Carl,

    When creating a rule for a firewall to allow NetScaler traffic, what application is using port 7105? We are getting an ICA error when opening up a session. We followed the ports needed\listed but found out that for some reason this port was not listed in the requirements.

    1. UDP? Or TCP? If UDP, could be an Audio port.

      If you run “nstcpdump.sh port 7105” on the NetScaler, do you see it sending that port?

      1. Thank you for the response.

        We had our Boundary protection team watching the traffic and gathering the data. From what we have seen in the data, that port is allowed now. But we still receive the error.

        We have users from other locations that are able to use the Netscaler with no problems. What we are thinking is that at some point our Boundary team removed the rule allowing this site access due to lack of use. The site in question is our backup site. The rules were not supposed to be changed or removed.

        What I am going to ask our team to do is compare the FW rules between the sites and the proxy server as well to ensure that they are set the same.

  24. Hi Carl, please add 54321-54323 from target device to PVS Servers console ports, SOAP Service, used by Imaging Wizards.
    Thanks for all

  25. Hi All, I have set up NetScaler 11.1 VPX on AWS and everything is fine, but launching applications doesn’t work. Directly from StoreFront it’s working fine. I just came to know that 2598/1494 is getting reset by the Delivery Controller itself. All ports are allowed but still these two ports are getting reset. Please suggest if you have any solutions.

  26. Hi Carl,

    We are using NetScaler MPX5500 in our Citrix environment. Our environment is secured through SSL VPN and WAF. The client wants to present StoreFront directly out to the internet and therefore relieve ourselves of the dependency on the NetScalers. What would we gain and what would we lose? My concern here is how we secure our environment without NetScaler. How do we do the encryption to secure HTTPS connections without NetScaler?

  27. Hi Carl

    Thanks for all information.

    In our environment we are able to telnet (on 3009, 3010, 3011 and 22) from Site A to Site B but vice versa is not happening for the GSLB setup. As per the network guy, GSLB services are not running on Site A as they are unable to telnet from the FW (in between Site A and Site B) to Site A, whereas the same is working from the FW to Site B. However we have installed the GSLB service properly while configuring. I have also tested telnet to the GSLB Site A IP itself via the same GSLB ports and it fails, which indicates some issue in GSLB services in Site 1, but I am unable to guess where it could be. Please can you help me with a hint or possible configuration to check?

    Thanks in advance.

  28. Hi Carl, what is the difference between Local GSLB Site IP SNIP and SNIP? Are the firewall ports mentioned in this blog for SNIP? I have a requirement to set up GSLB.

  29. Hey Carl,

    This was GREAT help for me.

    Quick question though, I have a LAB with a 3 legged scenario: 1 Subnet for Management (NSIPs), One subnet for DMZ, and another Subnet for backend services (LAN).

    In this case, since I am isolating management, I notice that the source for the Perl scripts is the SNIP, not the NSIPs. Is this normal behavior?

  30. Hi Carl,
    are there any ports to be opened between NSIP and SNIP
    if the two IPs are in different subnets?

  31. Hey Carl, thanks for the Information.

    I have one Questions for NetScaler VPN.

    Which firewall ports are needed for the VPN setup? My NetScaler is in the DMZ with a VPN vServer. Is only port 443 from my SNIP to my StoreFront needed? Because I think “Any” from my SNIP to my LAN cannot be a resolution…

    Thanks and best regards
    Mark

    1. What traffic is going across the VPN tunnel?

      If you aren’t doing Intranet IPs, then everything comes from the SNIP and SNIP needs access to everything the users need to access.

      If you are doing Intranet IPs, then you open the firewall from the Intranet IP to whatever the users need to access.

    1. Are you asking for a firewall rule if you’re using a different TFTP server than the one installed on PvS?

  32. Cannot roll back the FW rule now… customer has strict change mgmt for that (read: “the process is too heavy, so will leave it there for now”), but this must be tested elsewhere.

  33. Access from StoreFront nodes version 3.6 to the NS LB VIP needs to be open on port 443 and HTTPS.
    Found this out the hard way… it seems the SF nodes need access to the /discover URL. I am not sure whether this has to do with the new 3.6 “no need for hosts file modification” feature, but it is maybe worth mentioning in the FW rules.

  34. Hi Carl,
    great article! But I think there is something missing in the PVS section.

    You wrote:

    TargetDevices -> Provisioning Servers
    UDP 69 – TFTP
    UDP 4011 – PXE
    UDP 6890-6969 – Streaming

    But shouldn’t it be more like this:

    TargetDevices -> Provisioning Servers
    UDP 69 – TFTP
    UDP 4011/67 – PXE/Broadcast
    UDP 6910 – Target Device logon at PVS
    UDP 6910-6930 – streaming service (default with 8 threads per port)
    UDP 6969 – Two Stage Boot (If ISO or USB is used)

    And also I’m missing the PVS to PVS communication:

    UDP 6890-6909 – PVS Inter-Server communication

    Please correct me if I’m wrong

    Best Regards,
    Sebastian

    1. Isn’t 67 only needed for DHCP on PvS? If DHCP is separate from PvS, then isn’t it 4011?

      6890-6969 should encompass all of the ports. I always increase the default TD ports from 6910-6968. But if 6890-6909 is only used between servers then I could clarify that.

      1. Hi Carl,
        actually it’s the other way round.
        Port 4011 will be used if PXE is on the same machine as DHCP, and port 67 is used if it’s separated (PXE broadcast). I just added port 67 explicitly for the sake of completeness. 🙂

        And yes, 6890-6909 is only used for inter-PVS communication.
        Didn’t notice that you wanted to point out the reconfiguration for the streaming ports – sorry!
        But you’re right – it’s a good thing to do! Maybe (to prevent misconfiguration) you should point out that the range has to be manually extended, otherwise the configured ports won’t be used.

        Best Regards,
        Sebastian

  35. Hi Carl,

    Can we have LDAP and XML Service servers in a different subnet from the SNIP? I am able to ping the Domain Controller and Citrix Controller servers from the NetScaler; however, I believe that goes through the NetScaler IP.

    If yes, how can we configure the communication between SNIP to LDAP, DNS & XML Service? Using Gateway Routes?

    Regards,
    Swapnil

    1. If the NetScaler is not connected to the same subnet as the back-end servers, then NetScaler will send the packets through a router. If you only have one connected interface, then it will go through the default gateway. If you have multiple subnets, then you need to configure the routing table correctly.

  36. Hi Carl, thanks for the article.
    What would be the required ports to access the SVM GUI from the administrator’s machine, and the same for the XenServer IP?
    And also, does the NetScaler GUI version 11 still require the Java ports?

    1. You would want 22, 80, and 443 to access SVM and XenServer.

      In 11 and newer, Java is not needed from the administrator machine. But still needed in 10.5 build 56 and older.

  37. Hello Carl.

    Thanks for the article. I need help with NS. Can a NetScaler MPX appliance, version 11 or version 10.5.6, be configured as a layer 4 firewall? I need a link or document from the Citrix website showing that NetScaler’s certification is approved by global authorities. Thanks for the help.

    1. I don’t think NetScaler is intended as an L4 firewall. It has ACLs and other security features, but that’s not the purpose of the appliance. I always put firewalls in front of my NetScalers.

  38. hi,
    which source IP (on the NetScaler) and target port are used for a CERT (smart card) authentication server policy?

    thanks

    1. A CERT policy should be looking at the contents of the smart card certificate to retrieve the username. I don’t think it communicates with anything.

      The SSL vServer would have Client Certificates enabled. This compares the client certificate signature with a CA certificate that is bound to the SSL vServer. Optionally, you can configure CRL checking (direct or through OCSP) that would require communication with external servers. I’m guessing it uses the SNIP but I’m not sure. If you are able to set this up in a lab, run nstcpdump.sh on the NetScaler to see which IP it is using for CRL checking.

  39. Hi,
    very good article. I think that DNS by default uses the NSIP (it’s like the authentication flow). NetScaler uses the SNIP only in the case of LB internal rules…

    1. To verify the source IP, SSH to NetScaler, run shell, run nstcpdump.sh port 53. Do something on NetScaler to cause a DNS query and you’ll see the Source IP.
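The two replies above (CRL/OCSP checking in 38 and DNS in 39) both come down to the same check: capture on the appliance and see which owned IP is the source. The script below is an added example, not code from the post or from Citrix: it parses tcpdump-style lines of the kind nstcpdump.sh prints and maps each source address to its role. The capture text, the NSIP/SNIP inventory, and the addresses are all constructed for the example; the 636 filter shows the same check applied to an LDAPS server instead of DNS.

```python
import re
from collections import Counter

# Constructed sample in tcpdump "IP src.port > dst.port:" format (the format
# nstcpdump.sh prints). Every address and timestamp here is made up.
SAMPLE_CAPTURE = """\
10:15:01.000001 IP 10.0.0.5.20010 > 10.0.0.53.53: 4711+ A? dc01.corp.example. (35)
10:15:01.000350 IP 10.0.0.53.53 > 10.0.0.5.20010: 4711 1/0/0 A 10.0.1.10 (51)
10:15:02.100000 IP 10.0.0.6.30011 > 10.0.0.53.53: 4712+ A? sf.corp.example. (33)
10:15:02.100420 IP 10.0.0.53.53 > 10.0.0.6.30011: 4712 1/0/0 A 10.0.1.20 (49)
10:15:03.200000 IP 10.0.0.6.30012 > 10.0.1.10.636: Flags [S], seq 1, win 65535, length 0
10:15:03.200500 IP 10.0.1.10.636 > 10.0.0.6.30012: Flags [S.], seq 2, ack 2, win 65535, length 0
"""

# Assumed owned-IP inventory of the appliance in the sample (not from the post).
OWNED_IPS = {"10.0.0.5": "NSIP", "10.0.0.6": "SNIP"}

# timestamp, "IP", src.sport, ">", dst.dport, ":"  (IPv4 only, which is all
# the constructed sample uses)
LINE_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_capture(text):
    """Yield (src_ip, src_port, dst_ip, dst_port) for every parseable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def source_ips_for_port(text, dst_port, owned_ips):
    """Count which appliance IP originates traffic towards dst_port.

    Only packets whose *destination* port matches are counted, so the
    server's replies (which have dst_port as their source port) are ignored.
    Keys are the role label from owned_ips ("NSIP"/"SNIP") or the raw IP for
    an address that is not in the inventory.
    """
    counts = Counter()
    for src, _sport, _dst, dport in parse_capture(text):
        if dport != dst_port:
            continue
        counts[owned_ips.get(src, src)] += 1
    return counts


def main():
    # In the constructed sample one DNS query leaves from the NSIP and one from
    # the SNIP; the LDAPS handshake leaves from the SNIP only.
    for port, name in ((53, "DNS"), (636, "LDAPS")):
        print(name, dict(source_ips_for_port(SAMPLE_CAPTURE, port, OWNED_IPS)))


if __name__ == "__main__":
    main()
```

On a real appliance you would feed it the saved output of `nstcpdump.sh port 53` (or `port 636`, or the port your CRL distribution point or OCSP responder listens on) and fill OWNED_IPS from the appliance's own NSIP and SNIP configuration; any source that comes back as a raw address rather than a role label is an IP you did not expect the appliance to be using and is worth chasing before you write the firewall rule.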
