Cloud Connector Proxy and Firewall Configuration

The Cloud Connector supports connection to the Internet through a web proxy server. Both the installer and the services it installs need connections to Citrix Cloud. Internet access needs to be available at both these points.

Connectivity requirements

Use port 443 for HTTP traffic, egress only. For a list of required contactable addresses, see Internet Connectivity Requirements. When whitelisting these addresses, wildcards (*) are supported.


Enabling SSL decryption on certain proxies might prevent the Cloud Connector from connecting successfully to Citrix Cloud. For more information about resolving this issue, see CTX221535.


The installer will use the settings configured for internet connections. If you can browse the internet from the machine then the installer should also function.

See Changing proxy server settings in Internet Explorer for details of how to configure the proxy settings.

Services at Runtime

The runtime service operates in the context of a local service. It does not use the setting defined for the user (as described above. You need to import the setting from the browser.

To configure the proxy settings for this, open a Command Prompt window and use netsh as follows:

netsh winhttp import proxy source =ie

After executing the command, restart the Cloud Connector machine so that the services start up with these proxy settings.

For complete details, see Netsh Commands for Windows Hypertext Transfer Protocol (WINHTTP).


There is no support for auto-detect or PAC scripts.

Connections to internal resources

Due to Windows proxy configuration, the Cloud Connector may attempt to access internal resources through the web proxy. These resources may not be able to connect to the Cloud Connector and Virtual Apps and Desktops service, even if the required connectivity URLs are whitelisted. Additionally, the web proxy may block connections between the Cloud Connector and Azure Service bus because an IP address is used as a URL in the HTTP Connect command. As a result, some resource functions might fail. For example, Citrix Provisioning can’t create machine catalogs successfully.

To ensure these internal resources can connect as expected, add the FQDN or IP address of each resource to the proxy bypass list on the Cloud Connector machine. For more information about this issue, see CTX241222 in the Citrix Support Knowledge Center.

Cloud Connector Proxy and Firewall Configuration