Firewall policy for Citrix DaaS Flex
Citrix opens or closes the following ports for inbound and outbound traffic.
Citrix-managed virtual network with non-domain-joined machines
Citrix specifies the IP range. The managed VNet contains a single subnet covering the whole range. Connectors and VDAs are placed in that subnet together, and traffic between them is segregated using service tags.
Inbound rules:
- Deny all inbound. This includes intra-virtual-network traffic from VDA to VDA.
Outbound rules:
- Allow all traffic outbound.
Citrix-managed virtual network with domain-joined machines
The customer specifies the IP range. The managed VNet contains a single subnet covering the whole range. Connectors and VDAs are placed in that subnet together, and traffic between them is segregated using service tags.
Inbound rules:
- Allow ports 80, 443, 1494, and 2598 inbound internally to the VDAs and Connectors.
- Allow ports 49152-65535 inbound to the VDAs from the customer's network connection; this range is used by the Monitor shadowing feature. See Communications Ports Used by Citrix Technologies.
- Deny all other inbound.
Outbound rules:
- Allow all traffic outbound.
- Can be modified using custom routes.
Customer-managed virtual network with domain-joined machines
It is up to the customer to configure their virtual network correctly. This includes opening the following ports (including those required for domain joining).
Inbound rules:
- Allow inbound on 443, 1494, and 2598 from the customer's client IPs for internal launches.
- Allow inbound on 53, 88, 123, 135-139, 389, 445, and 636 from the Citrix virtual network (IP range specified by the customer) to the domain controller, DNS server, and so on.
- Allow inbound on any ports opened by a proxy configuration.
- Other rules created by the customer.
Outbound rules:
- Allow outbound on 443, 1494, and 2598 to the Citrix virtual network (IP range specified by the customer) for internal launches.
- Other rules created by the customer.
Firewall policy when using the image builder or troubleshooting tools
When a customer uses the image builder or requests the creation of a bastion machine for troubleshooting, the following security group modifications are made to the Citrix-managed virtual network:
- Temporarily allow 3389 inbound from the customer-specified IP range to the image builder VM or bastion.
- If using a bastion machine, temporarily allow 3389 inbound from the bastion IP address to any address in the virtual network (VDAs and Cloud Connectors).
- Continue to block RDP access between Cloud Connectors and VDAs, and between VDAs.
When a customer enables RDP access for troubleshooting, the following security group modifications are made to the Citrix-managed virtual network:
- Temporarily allow 3389 inbound from the customer-specified IP range to any address in the virtual network (VDAs and Cloud Connectors).
- Continue to block RDP access between Cloud Connectors and VDAs, and between VDAs.
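To make the allow/deny logic of the sections above concrete, here is an added Python model that is not Citrix's code and not how Citrix implements its security groups. It evaluates a flow against an ordered, deny-by-default rule set, encodes the inbound rules of the Citrix-managed domain-joined VNet, adds the temporary RDP and bastion rules from the troubleshooting sections, and audits a customer-managed rule set for the domain-join ports the customer must open. The CIDR ranges, priority numbers, rule names and function names are constructed for the example; only the port numbers and the allow/deny behaviour come from the page. The page does not distinguish TCP from UDP, so the model does not either.

```python
"""Rule evaluator modelling the firewall policy described on this page.

Added illustration, not Citrix's code. The CIDR ranges, priorities and rule
names are constructed for the example; the port numbers and the
deny-by-default logic come from the page. Protocols are not modelled because
the page does not distinguish TCP from UDP.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number is evaluated first, as in cloud security groups
    action: str          # "allow" or "deny"
    sources: tuple       # CIDR strings the source address may fall in
    dest: str            # CIDR the destination address must fall in
    ports: tuple         # inclusive (low, high) destination port range

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        return (any(src in ip_network(s) for s in self.sources)
                and dst in ip_network(self.dest)
                and self.ports[0] <= port <= self.ports[1])


def evaluate(rules, src_ip, dst_ip, port):
    """Return (action, rule name) of the first matching rule by priority; deny if none."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(src_ip, dst_ip, port):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Constructed address ranges (assumptions for the example).
VNET = "10.20.0.0/16"        # Citrix-managed VNet holding Connectors and VDAs
CUSTOMER = "192.168.0.0/16"  # customer's network connection into that VNet
ANY = "0.0.0.0/0"


def domain_joined_inbound():
    """Inbound rules of 'Citrix-managed virtual network with domain-joined machines'.
    'Inbound internally' is read here (an assumption) as: from the customer's
    network or from the VNet itself."""
    rules = [Rule(f"allow-{p}", 100 + i, "allow", (CUSTOMER, VNET), VNET, (p, p))
             for i, p in enumerate((80, 443, 1494, 2598))]
    rules.append(Rule("allow-monitor-shadowing", 200, "allow", (CUSTOMER,), VNET, (49152, 65535)))
    rules.append(Rule("deny-all-inbound", 4096, "deny", (ANY,), VNET, (0, 65535)))
    return rules


def with_troubleshooting_rdp(rules, customer_range=CUSTOMER):
    """Temporary rule from 'When a customer enables RDP access for troubleshooting'.
    Only the customer range is a permitted source, so RDP between VDAs and
    Connectors still falls through to the deny rule."""
    return rules + [Rule("temp-rdp-from-customer", 150, "allow",
                         (customer_range,), VNET, (3389, 3389))]


def with_bastion(rules, bastion_ip, customer_range=CUSTOMER):
    """Temporary rules for the bastion case: 3389 from the customer range to the
    bastion only, and from the bastion to any address in the VNet."""
    host = f"{bastion_ip}/32"
    return rules + [
        Rule("temp-rdp-to-bastion", 150, "allow", (customer_range,), host, (3389, 3389)),
        Rule("temp-rdp-from-bastion", 151, "allow", (host,), VNET, (3389, 3389)),
    ]


# Ports the customer-managed section requires inbound to the domain controller / DNS.
DOMAIN_JOIN_PORTS = (53, 88, 123, *range(135, 140), 389, 445, 636)


def missing_domain_join_ports(dc_rules, citrix_range, dc_ip):
    """Audit a customer-managed rule set: list the domain-join ports that are not
    allowed from the Citrix VNet range to the domain controller."""
    probe_src = str(ip_network(citrix_range)[1])  # any host inside the Citrix range
    return [p for p in DOMAIN_JOIN_PORTS
            if evaluate(dc_rules, probe_src, dc_ip, p)[0] != "allow"]


if __name__ == "__main__":
    base = domain_joined_inbound()
    print(evaluate(base, "192.168.1.10", "10.20.0.5", 3389))  # ('deny', 'deny-all-inbound')
    rdp = with_troubleshooting_rdp(base)
    print(evaluate(rdp, "192.168.1.10", "10.20.0.5", 3389))   # ('allow', 'temp-rdp-from-customer')
    print(evaluate(rdp, "10.20.0.6", "10.20.0.5", 3389))      # ('deny', 'deny-all-inbound')
```

Running the evaluator shows the property the troubleshooting sections state: adding the customer-range 3389 rule permits RDP from the customer's addresses, while VDA-to-VDA 3389 still falls through to the deny rule because no rule names a VNet address as a source for that port. The same holds in the bastion case, where only the bastion host gains a VNet-wide 3389 source.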