XenMobile Port Requirements

Feb 28, 2014

To enable devices and applications to communicate with each XenMobile component, you need to open specific ports in your firewalls. The following tables list the ports that must be open.

Opening Ports for NetScaler Gateway and App Controller

You must open the following ports to allow user connections from Worx Home, Citrix Receiver, and the NetScaler Gateway Plug-in through NetScaler Gateway to App Controller, StoreFront, XenDesktop, the XenMobile NetScaler Connector, and to other internal network resources such as intranet webpages.

| TCP port | Description | Source | Destination |
|---|---|---|---|
| 21 | Used to send support bundles to an FTP server. | App Controller | FTP server |
| 22 | Used to transfer logs from App Controller and a network server. | App Controller | Network server |
| 53 | Used for DNS connections. | NetScaler Gateway | DNS server |
| 80 | NetScaler Gateway passes the VPN connection to the internal network resource through the second firewall. This typically occurs if users log on with the NetScaler Gateway Plug-in. | NetScaler Gateway | Intranet websites |
| 80 or 8080; 443 | XML and Secure Ticket Authority (STA) port used for enumeration, ticketing, and authentication. Citrix recommends using port 443. | StoreFront and Web Interface XML network traffic; NetScaler Gateway STA | XenDesktop or XenApp |
| 443 | Used for Callback URL. | App Controller | NetScaler Gateway |
| 123 | Used for Network Time Protocol (NTP) services. | NetScaler Gateway | NTP server |
| 389 | Used for insecure LDAP connections. | NetScaler Gateway | LDAP authentication server or Microsoft Active Directory |
| 443 | Used for connections to StoreFront from Citrix Receiver or Receiver for Web to XenApp and XenDesktop. | Internet | NetScaler Gateway |
| 443 | Used for connections to App Controller for web, mobile, and SaaS application delivery. | Internet | NetScaler Gateway |
| 514 | Used for connections between App Controller and a syslog server. | App Controller | Syslog server |
| 636 | Used for secure LDAP connections. | NetScaler Gateway | LDAP authentication server or Active Directory |
| 1494 | Used for ICA connections to Windows-based applications in the internal network. Citrix recommends keeping this port open. | NetScaler Gateway | XenApp or XenDesktop |
| 1812 | Used for RADIUS connections. | NetScaler Gateway | RADIUS authentication server |
| 2598 | Used for connections to Windows-based applications in the internal network using session reliability. Citrix recommends keeping this port open. | NetScaler Gateway | XenApp or XenDesktop |
| 3268 | Used for Microsoft Global Catalog insecure LDAP connections. | NetScaler Gateway | LDAP authentication server or Active Directory |
| 3269 | Used for Microsoft Global Catalog secure LDAP connections. | NetScaler Gateway | LDAP authentication server or Active Directory |
| 9080 | Used for HTTP traffic between NetScaler and the XenMobile NetScaler Connector. | NetScaler | XenMobile NetScaler Connector |
| 9443 | Used for HTTPS traffic between NetScaler and the XenMobile NetScaler Connector. | NetScaler | XenMobile NetScaler Connector |
| 9736 | Used for communication between two App Controller VMs when deployed as a high availability pair. | App Controller | App Controller |
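
One way to check a firewall rule set against the NetScaler Gateway and App Controller ports listed above. This is an added example, not Citrix code. The "source,destination,port" rule format, the sample rules, and the shortened destination names are assumptions made for illustration.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    port: int

GW, LDAP, XNC = "NetScaler Gateway", "LDAP or Active Directory", "XenMobile NetScaler Connector"

# Subset of the NetScaler Gateway / App Controller table (destination names shortened).
DOCUMENTED = {
    Flow("Internet", GW, 443), Flow("App Controller", GW, 443),
    Flow(GW, LDAP, 389), Flow(GW, LDAP, 636),
    Flow(GW, LDAP, 3268), Flow(GW, LDAP, 3269),
    Flow(GW, "XenApp or XenDesktop", 1494), Flow(GW, "XenApp or XenDesktop", 2598),
    Flow("NetScaler", XNC, 9080), Flow("NetScaler", XNC, 9443),
    Flow("App Controller", "App Controller", 9736),
}
# Port the table calls insecure/HTTP -> its secure/HTTPS counterpart in the same table.
SECURE_ALTERNATIVE = {389: 636, 3268: 3269, 9080: 9443}

# Constructed rule export, one "source,destination,port" per line (hypothetical format).
SAMPLE_RULES = """\
Internet,NetScaler Gateway,443
NetScaler Gateway,LDAP or Active Directory,389
NetScaler Gateway,XenApp or XenDesktop,1494
NetScaler,XenMobile NetScaler Connector,9080
NetScaler,XenMobile NetScaler Connector,9443
Internet,App Controller,9736
"""

def parse_rules(text: str) -> set:
    rules = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port = (field.strip() for field in line.split(","))
        rules.add(Flow(src, dst, int(port)))
    return rules

def audit(rules: set) -> dict:
    """Classify allowed flows against the documented matrix."""
    unexpected = sorted(r for r in rules if r not in DOCUMENTED)
    cleartext = sorted(r for r in rules if r in DOCUMENTED and r.port in SECURE_ALTERNATIVE)
    # A cleartext rule is a removal candidate when its secure counterpart is already allowed.
    redundant = [r for r in cleartext
                 if r._replace(port=SECURE_ALTERNATIVE[r.port]) in rules]
    return {"unexpected": unexpected, "cleartext": cleartext, "redundant_cleartext": redundant}

if __name__ == "__main__":
    for kind, flows in audit(parse_rules(SAMPLE_RULES)).items():
        print(kind, [tuple(f) for f in flows])
```
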

Opening Device Manager Ports

You must open the following ports to allow Device Manager to communicate in your network.

| TCP port | Description | Source | Destination |
|---|---|---|---|
| 25 | Default SMTP port for the Device Manager notification service. If your SMTP server uses a different port, ensure your firewall does not block that port. | Device Manager | SMTP server |
| 80 or 443 | Enterprise App Store connection to Apple iTunes App Store (ax.itunes.apple.com) or Google Play. Used for publishing applications from the app stores through Citrix Mobile Self-Serve on iOS or Worx Home for Android. | Device Manager | Apple iTunes App Store (ax.itunes.apple.com); Apple Volume Purchase Program (vpp.itunes.apple.com) |
| 80 or 443 | Used for outbound connections between Device Manager and Nexmo SMS Notification Relay. | Device Manager | Nexmo SMS Relay Server |
| 389 | Used for insecure LDAP connections. | Device Manager | LDAP authentication server or Active Directory |
| 443 | Used for enrollment and agent setup for Android and Windows Mobile. | Internet | Device Manager |
| 443 | Used for enrollment and agent setup for Android and Windows Mobile, the Device Manager web console, and MDM Remote Support Client. | Internal LAN and Wi-Fi | Device Manager |
| 1433 | Used for connections to a remote database server (optional). | Device Manager | SQL Server |
| 2195 | Used for Apple Push Notification Service (APNS) outbound connections to gateway.push.apple.com for iOS device notifications and device policy push. | Device Manager | Internet (APNS hosts using the public IP address 17.0.0.0/8) |
| 2196 | Used for APNS outbound connections to feedback.push.apple.com for iOS device notification and device policy push. | Device Manager | Internet (APNS hosts using the public IP address 17.0.0.0/8) |
| 5223 | Used for APNS outbound connections from iOS devices on Wi-Fi networks to *.push.apple.com. | iOS devices on Wi-Fi networks | Internet (APNS hosts using the public IP address 17.0.0.0/8) |
| 8443 | Used for enrollment of iOS devices only. | Internet; LAN and Wi-Fi | Device Manager |