Firewall ports

The App Layering appliance communicates with your hypervisor, provisioning service, and the App Layering agent. This article details the ports that the appliance uses to communicate both internally with other App Layering-related services, and externally with servers, such as NTP servers. Be sure to open the necessary ports in your firewall before you install the App Layering appliance.

The App Layering installer opens ports that the appliance needs to interact with services on the virtual server where it is hosted. If there is a firewall between the App Layering appliance and the machine on which you are running the App Layering agent or one of the App Layering connectors, you must manually open the port in the firewall used for that purpose. If during installation you changed any of the ports from the default setting, be sure to open the correct port.

The App Layering appliance uses the TCP/IP protocol, and IPv4 is required. There are three main classes of communication:

  • Accessing and managing the appliance.
  • Talking to other App Layering agent service.
  • Talking directly to hypervisors that don’t require the agent.


The App Layering appliance must be connected to a network file share.

Admin user

By default, App Layering uses he following ports in your firewall for the Admin User to interact with the Management console on the App Layering appliance virtual machine.

App Layering appliance

The connector services for the various hypervisors and provisioning services listed below all run on the App Layering appliance.

App Layering Destination Activity Protocol Ports
Appliance Management console TCP 80, 443
Appliance Administrator log download TCP 8888
Azure connector service Communication TCP 3000 (HTTP), 3500 (HTTPS)
Citrix Provisioning connector service Communication TCP 3009 (HTTP), 3509 (HTTPS)
vSphere connector service Communication TCP 3004 (HTTP), 3504 (HTTPS)
Citrix Hypervisor connector service Communication TCP 3002 (HTTP), 3502 (HTTPS)
Hyper-V connector service Communication TCP 3011 (HTTP), 3511 (HTTPS)
Nutanix connector service Communication TCP 3006 (HTTP), 3506 (HTTPS)

Internal Connections

By default, the App Layering service uses the following ports in your firewall for internal connections between the appliance and each of the destinations listed below.

In the table, the following shorthand is used:

  • Appliance - The App Layering appliance. This is the virtual appliance.
  • Agent - refers to the App Layering agent.
  • Admin user - A management console user who is assigned the App Layering Admin role.
App Layering Source App Layering Destination Activity Protocol Ports
Agent Appliance Initial registration TCP 443
Appliance Agent Communication TCP 8016
Agent Appliance Log deliveries from agent TCP 8787
Appliance vCenter, ESXI hosts Communication with datastore via ESXI host TCP 443
Agent Appliance Communication with datastore via ESXI host TCP 8888
Agent Appliance Log gathering TCP 14243
Appliance Active directory LDAP TCP 389, 636
Admin user Appliance Azure connector communication TCP 3000 (HTTP), 3500 (HTTPS)
Appliance Azure Communication TCP 443
Admin user, Agent on Citrix Provisioning server Appliance Citrix Provisioning connector communication TCP 3009 (HTTP), 3509 (HTTPS)
Admin user Appliance Hyper-V connector communication TCP 30011 (HTTP), 3511 (HTTPS)
Appliance Hyper-V Communication TCP 443
Admin user Appliance vSphere connector communication TCP 3004 (HTTP), 3504 (HTTPS)
Appliance vSphere Communication TCP 443
Admin user Appliance Citrix Hypervisor connector communication TCP 3002 (HTTP), 3502 (HTTPS)
Appliance Citrix Hypervisor Communication TCP 5900
Admin user Appliance Nutanix connector communication TCP 3006 (HTTP), 3506 (HTTPS)
Appliance Prism Communication TCP 9440

External connection

By default, uses the following port in your firewall for external connections between the App Layering appliance and the destination listed below.


These URLs are only accessible by the appliance using the credentials defined for it. Attempting to browse these sites will result in an error message.

App Layering Destination Activity Protocol Ports API Access TCP 443 Download upgrade media TCP 80

OS image, a Citrix Hypervisor requirement

Destination Activity Protocol Ports
Citrix Hypervisor Communication TCP 5900

Key ports

Basic appliance management and access (always required)

  • HTTP - Port 80
  • HTTPS - Port 443
  • SSH - Port 22
  • Log downloads - Port 8888


  • Active Directory server - Port 389 - LDAP protocol
  • Active Directory server - Port 636 - LDAPS protocol
  • Active Directory server - Port 53 - DNS protocol
  • Windows file servers, SMB - port 445 - SMB protocol
  • Network time servers - Port 123 - NTP protocol
  • Unix file servers - Port 2049 - NFS protocol
  • DHCP server, DHCP - Port 67 - UDP protocol
  • App Layering appliance - Port 68 - DHCP protocol

App Layering agent

  • Agent server to appliance - Port 443 - Registration/HTTPS
  • Agent server to agent server - Port 8016 - Commands from appliance/SOAP
  • Agent server to appliance - Port 8787 - Log export
  • Agent server to appliance - Port 3009 - Citrix Provisioning Disk upload/HTTP
  • Agent server to appliance - Port 3509 - Citrix Provisioning Disk upload/HTTPS

Connectors to hypervisors and provisioning services

Connectors on the appliance allow the appliance to communicate directly with the supported hypervisors and provisioning services.


Connectors in the appliance allow for communications directly to each of the hypervisors.

  • Citrix Hypervisor - Port 5900
  • MS Azure Management - Port 443
  • MS Hyper-V - Port 443
  • Nutanix AHV - Port 9440
  • VMware vSphere - Port 443 - Virtual Center, and ESX hosts for disk transfers

Firewall ports