Navigation
- Change Log
- Citrix ADC Firewall Rules
- Citrix ADM Firewall Rules
- Citrix Virtual Apps and Desktops Firewall Rules
- Citrix Provisioning Firewall Rules
See CTX101810 Communication Ports Used by Citrix Technologies
💡 = Recently Updated
Change Log
- 2020 Nov 13 – CTX286215 How to change Logstream source IP to NSIP on ADC.
- 2020 Oct 17 – ADM – added 443/8443 from ADM Agents to ADM
- 2018 June 11 – MAS Firewall – added MAS Floating IP and MAS Agents
- 2018 June 9 – StoreFront to Domain Controllers in Trusted Domains – added rules from Citrix Discussions
- 2018 June 6 – added NSIP firewall rules for NetScaler MAS Pooled Licensing
- 2018 May 24 – updated Director->HDX Insight firewall rules to indicate Director as the source (Source = Luke in the comments)
Citrix ADC Firewall Rules
| From | To | Protocol / Port | Purpose |
|---|---|---|---|
| Administrator machines | NSIPs (and/or SNIPs) | TCP 22 TCP 80 TCP 443 TCP 3010 TCP 3008 |
SSH and HTTP/SSL access to NetScaler configuration GUI. TCP 3008/3010 is Java and 3008 is used if traffic is encrypted. Java not needed in 10.5 build 57 and newer. |
| Administrator machines | NetScaler SDX SVM, XenServer | TCP 22 TCP 80 TCP 443 |
To administer NetScaler SDX |
| Administrator machines | NetScaler Lights Out Module | TCP 443 TCP 623 TCP 5900 |
CTX200367 |
| NSIP SNIP |
DNS servers | Ping UDP 53 TCP 53 |
Ping is used for monitoring. Can be turned off by load balancing on the same appliance. |
| NSIPs SNIP |
NetScaler MAS | TCP 27000 TCP 7279 |
Pooled Licensing |
| NSIPs SNIP |
NTP servers | UDP 123 | NTP |
| NSIPs SNIP |
Syslog server | UDP 514 | Syslog |
| NSIPs | callhome.citrix.com cis.citrix.com taas.citrix.com |
TCP 443 | Call Home |
| NSIPs (default) SNIP |
LDAP Servers(Domain Controllers) | TCP 389 (Start TLS) TCP 636 (Secure LDAP) |
Secure LDAP requires certificates on the Domain Controllers. Secure LDAP enables password changes when they expire.SNIP if Load Balanced on same appliance |
| NSIPs | LDAP Servers | TCP 389 TCP 636 |
Monitor Domain Controllers |
| NSIPs (default) SNIP |
RADIUS servers | UDP 1812 | RADIUS is used for two-factor authentication. SNIP if Load Balanced on same appliance |
| SNIP | RADIUS servers | UDP 1812 Ping |
Monitor RADIUS servers |
| NetScaler SDX Service virtual machine | NSIPs | Ping TCP 22 TCP 80 TCP 443 |
Only if NetScaler VPX runs as a virtual machine on top of NetScaler SDX |
| Local GSLB Site IP SNIP |
GSLB Site IP (public IP) in other datacenter | TCP 3009 TCP 3011 |
GSLB Metric Exchange Protocol between appliance pairs |
| NSIPs | GSLB Site IP (public IP) in other datacenter | TCP 22 TCP 3008 TCP 3010 |
GSLB Configuration Sync |
| Local GSLB Site IP SNIP |
All Internet | Ping UDP 53 TCP (high ports) |
RTT to DNS Servers for Dynamic Proximity determination |
| SNIP | StoreFront Load Balancing VIP | TCP 443 | NetScaler Gateway communicates with StoreFront |
| SNIP | StoreFront servers | TCP 80 TCP 443 TCP 808 |
StoreFront Load Balancing |
| NSIPs | StoreFront servers | TCP 80 TCP 443 |
Monitor StoreFront servers |
| StoreFront servers | NetScaler Gateway VIP (DMZ IP) | TCP 443 | Authentication callback from StoreFront server to NetScaler Gateway. |
| SNIP | Each individual Delivery Controller in every datacenter | TCP 80 TCP 443 |
Secure Ticket Authorities. This cannot be load balanced. TCP 443 only if certificates are installed on the Delivery Controllers. |
| SNIP | All internal virtual desktops and session hosts (subnet rule?) | TCP 1494 TCP 2598 UDP 1494 UDP 2598 UDP 16500-16509 |
HDX ICA Enlightened Data Transport Session Reliability UDP Audio |
| All Internet All internal users |
NetScaler Gateway VIP (public IP) | TCP 80 TCP 443 UDP 443 |
Connections from browsers and native Receivers DTLS for UDP Audio |
| All Internet All internal DNS servers |
SNIP ADNS Listener (Public IP) | UDP 53 TCP 53 |
ADNS (for GSLB) |
| Web logging server | NSIPs | TCP 3010 | Web logging polls the NetScalers. |
| NSIPs | NetScaler MAS or other SNMP Trap Destination | UDP 161 UDP 162 |
SNMP Traps |
| NSIPs SNIP |
NetScaler MAS or other AppFlow Collector | UDP 4739 TCP 5557, 5558 TCP 5563 |
AppFlow (IPFIX, Logstream, and Metrics) |
| NSIP | mfa.cloud.com trust.citrixworkspacesapi.net |
TCP 443 | Native OTP Push (DNS required) |
- Authentication traffic uses NSIPs by default. This can be changed by creating a local Load Balancing Virtual Server on the same appliance and sending authentication traffic through the Load Balancing VIP.
- Several of the Load Balancing monitors run as Perl scripts, which are sourced from the NSIPs, not SNIP. But actual load balancing traffic uses SNIP as the source IP.
- DNS Name Servers use ping for monitoring. This can be disabled by creating a local Load Balancing Virtual Server on the same appliance and sending DNS traffic through the load balancer.
- In a ADC with a dedicated management network and default route on a different data network, configure Policy Based Routes (PBRs) to send NSIP-sourced traffic through a router on the NSIP subnet.
- Logstream defaults to SNIP as source but can be changed to NSIP. See CTX286215.
Citrix ADM Firewall Rules
Citrix Application Delivery Management (ADM) monitors and manages the ADC appliances.
| From | To | Protocol / Port | Purpose |
|---|---|---|---|
| ADM Floating IP ADM Agent |
NSIPs | Ping TCP 22 TCP 80 TCP 443 |
Discovery and configuration of ADC devices |
| NSIPs | ADM Floating IP ADM Agent |
TCP 80 TCP 443 |
Nitro |
| ADM (Primary, Secondary) | NSIPs | UDP 161 | SNMP |
| ADM Agents | ADM Floating IP | TCP 443 TCP 7443 TCP 8443 |
Agent Communication |
| NSIPs | ADM Floating IP ADM Agent |
UDP 4739 | AppFlow |
| SNIP | ADM Floating IP ADM Agent |
TCP 5563 | Metrics Collector |
| NSIPs SNIP |
ADM Floating IP ADM Agent |
TCP 5557, 5558 | Logstream (ULFD) |
| NSIPs | ADM Floating IP ADM Agent |
UDP 161 UDP 162 |
SNMP Traps |
| NSIPs | ADM Floating IP ADM Agent |
UDP 514 | Syslog |
| CPX NSIPs VPX NSIPs |
ADM Floating IP ADM Agent |
TCP 27000 TCP 7279 |
Pooled Licensing |
| Administrator Machines | ADM Floating IP ADM Agent |
TCP 22 TCP 80 TCP 443 |
Web-based GUI |
| Director Servers | ADM Floating IP | TCP 80 TCP 443 |
Insight Integration with Director |
| ADM | LDAP(S) LDAP(S) VIP |
TCP 389 TCP 636 |
LDAP authentication |
| ADM | Mail Server | TCP 25 | Email alerts |
| ADM | NTP Server | UDP 123 | NTP |
| ADM | Syslog Server | UDP 514 | Syslog |
Citrix Virtual Apps and Desktops Firewall Rules
| From | To | Protocol / Port | Purpose |
| Administrator machines | Delivery Controllers | TCP 80/443 TCP 3389 |
PowerShell RDP |
| Delivery Controllers | SQL Server | TCP 1433 UDP 1434 Other static port |
SQL database |
| Delivery Controllers | vCenter | TCP 443 | vCenter |
| Delivery Controllers | SCVMM (Hyper-V) | TCP 8100 | SCVMM |
| Delivery Controllers | Citrix Licensing | TCP 27000 TCP 7279 TCP 8082-8083 |
Citrix Licensing |
| StoreFront servers | Delivery Controllers | TCP 80 TCP 443 |
XML Secure Ticket Authority |
| StoreFront servers | StoreFront servers | TCP 808 | Subscription Replication |
| StoreFront servers | Domain Controllers in Trusted Domains | TCP 88 TCP 135 TCP 445 TCP 389/636 TCP 49151-65535 |
RPC Discussions |
| Administrator machines | StoreFront servers | TCP 3389 | RDP |
| Administrator machines | Citrix Licensing | TCP 8082-8083 TCP 3389 |
Web-based administration GUI RDP |
| Delivery Controllers | All VDAs | TCP 80 | Brokering |
| All VDAs | Delivery Controllers | TCP 80 | Registration |
| All VDAs | Global Catalogs (Domain Controllers) |
TCP 3268 | Registration |
| All Server OS VDAs | Remote Desktop Licensing Server | RPC and SMB | Remote Desktop Licensing |
| All Workspace apps (Internal) |
StoreFront SSL Load Balancing VIP | TCP 80 TCP 443 |
Internal access to StoreFront |
| All Workspace apps | Citrix Gateway VIP | TCP 80 TCP 443 |
External (or internal) access to Citrix Gateway |
| All Workspace apps (Internal) |
All VDAs | TCP 1494 UDP 1494 TCP 2598 UDP 2598 UDP 16500-16509 |
ICA/HDX EDT Session Reliability UDP Audio |
| Administrator machines | Director | TCP 3389 | RDP |
| Administrator machines Help Desk machines |
Director | TCP 80 TCP 443 |
Web-based GUI |
| Director | Delivery Controllers | TCP 80 TCP 443 |
|
| Director Administrator machines Help Desk machines |
All VDAs | TCP 135 TCP 3389 |
Remote Assistance |
Also see Microsoft Technet Which ports are used by a RDS 2012 deployment?
Citrix Provisioning Firewall Rules
| From | To | Protocol / Port | Purpose |
| Provisioning Servers | SQL Server | TCP 1433 UDP 1434 Other static port |
SQL database for Provisioning Services |
| Provisioning Servers | Provisioning Servers | SMB | File copy of vDisk files |
| Provisioning Servers | Provisioning Servers | UDP 6890-6909 | Inter-server communication |
| Provisioning Servers | Citrix Licensing | TCP 27000 TCP 7279 TCP 8082-8083 TCP 80 |
Citrix Licensing |
| Provisioning Servers | Controllers | TCP 80 TCP 443 |
Setup Wizards to create machines |
| Provisioning Servers | vCenter | TCP 443 | Setup Wizards to create machines |
| Provisioning Servers | Target Devices | UDP 6901 UDP 6902 UDP 6905 |
Provisioning Services Console Target Device power actions (e.g. Restart) |
| Administrator machines | Provisioning Servers | TCP 3389 TCP 54321 TCP 54322 TCP 54323 |
RDP SOAP |
| Controllers | Provisioning Servers | TCP 54321 TCP 54322 TCP 54323 |
Add machines to Catalog |
| Target Devices | DHCP Servers | UDP 67 | DHCP |
| Target Devices | KMS Server | TCP 1688 | KMS Licensing |
| Target Devices | Provisioning Servers | UDP 69 UDP 67/4011 UDP 6910-6969 |
TFTP PXE Streaming (expanded port range) |
| Target Devices | Provisioning Servers | UDP 6969 UDP 2071 |
Two-stage boot (BDM) |
| Target Devices | Provisioning Servers | TCP 54321 TCP 54322 TCP 54323 |
Imaging Wizard to SOAP Service |
Hi Carl, I’m referring the firewall rules from “All internet users” to “NetScaler Gateway VIP” with allowing ports “TCP 80/443 and UDP 443”. Curios that from the NetScaler/Citrix article {https://community.citrix.com/tech-zone/build/tech-papers/citrix-communication-ports} doesn’t seems got mention any UDP 443 information, and the link that you provide {https://discussions.citrix.com/topic/361759-udp-audio-through-netscaler-with-dtls/#entry1865386} cannot be reached.
Just to check from your lab does work with UDP 443 setup?
UDP 443 = EDT (DTLS). https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/hdx-transport/adaptive-transport.html#network-requirements
Hi Carl,
For SAML auth to Azure, do I need any of the URL’s allowed via our proxy from the Netscaler SNIP? The Netscaler is the IDP.
Only if you configured SAML Metadata URLs, which is optional.