System requirements

While waiting for Citrix to provision Endpoint Management, be sure to prepare for your Endpoint Management deployment by installing Cloud Connector. Although Citrix hosts and delivers your Endpoint Management solution, some communication and port setup is required. That setup connects the Endpoint Management infrastructure to corporate services, such as Active Directory.

Cloud Connector requirements

Citrix uses Cloud Connector to integrate the Endpoint Management architecture into your existing infrastructure. Cloud Connector securely integrates the following resource locations with Endpoint Management over port 443: LDAP, PKI server, internal DNS queries, and Citrix Workspace enumeration.

  • At least two dedicated Windows Server 2012 R2 or Windows Server 2016 machines that are joined to your Active Directory domain. The machines can be virtual or physical. The machine on which you install the Connector must have its clock synchronized with UTC for proper installation and operation. For a full list of the latest requirements, see the deployment materials provided by your Citrix Account Team.

    The onboarding wizard guides you through installing Cloud Connector on those machines.

  • For more platform system requirements, see Citrix Cloud Connector.

Citrix Gateway requirements

Endpoint Management requires a Citrix Gateway installed in your resource location for the following scenarios:

  • You require a micro VPN for access to internal network resources for line of business apps. Those apps are wrapped with Citrix MDX technology. The micro VPN needs Citrix Gateway to connect to internal back-end infrastructures.
  • You plan to use Citrix mobile productivity apps, such as Citrix Secure Mail.
  • You plan to integrate Endpoint Management with Microsoft Intune/EMS.

The requirements:

For information, see the Citrix Support article How to Add an SSL Certificate Bundle on the NetScaler Appliance.

For information about NetScaler requirements, see the deployment materials provided by your Citrix Account Team.

Citrix Files requirements

Citrix Files file sync and sharing services are available in the Endpoint Management Premium Service offering. StorageZones Controller extends the Citrix Files software as a service (SaaS) cloud storage by providing your Citrix Files account with private data storage.

StorageZones Controller requirements:

  • A dedicated physical or virtual machine
  • Windows Server 2012 R2 or Windows Server 2016
  • 2 vCPUs
  • 4 GB RAM
  • 50 GB hard disk space
  • Server roles for Web Server (IIS):

    • Application Development: ASP.NET 4.5.2
    • Security: Basic Authentication
    • Security: Windows Authentication

Citrix Files platform requirements:

  • The Citrix Files installer requires administrative privileges on the Windows Server
  • Citrix Files Admin user name

Port requirements

To enable devices and apps to communicate with Endpoint Management, you open specific ports in your firewalls. The following diagram shows the traffic flow for Endpoint Management.

Diagram of Endpoint Management traffic flow

The following sections list the ports that you must open.

Citrix Gateway port requirements

Open ports to allow user connections from Citrix Secure Hub and Citrix Workspace through Citrix Gateway to:

  • Endpoint Management
  • StoreFront
  • Other internal network resources, such as intranet websites

For more information about Citrix Gateway, see Configuration Settings for your Endpoint Management Environment in the Citrix Gateway documentation. For information about IP addresses owned by NetScaler, see How a NetScaler appliance communicates with clients and servers in the NetScaler documentation. That section covers the NetScaler IP (NSIP), virtual server IP (VIP), and subnet IP (SNIP) addresses.

| TCP port | Description | Source | Destination |
|---|---|---|---|
| 53 (TCP and UDP) | Used for DNS connections. | Citrix Gateway SNIP | DNS server |
| 80/443 | Citrix Gateway passes the micro VPN connection to the internal network resource through the second firewall. | Citrix Gateway SNIP | Intranet websites |
| 123 (TCP and UDP) | Used for Network Time Protocol (NTP) services. | Citrix Gateway SNIP | NTP server |
| 389 | Used for insecure LDAP connections. | Citrix Gateway NSIP (or, if using a load balancer, SNIP) | LDAP authentication server or Microsoft Active Directory |
| 443 | Used for connections to StoreFront from Citrix Workspace to Citrix Virtual Apps and Desktops. | Internet | Citrix Gateway |
| 443 | Used for connections to Endpoint Management for web, mobile, and SaaS app delivery. | Internet | Citrix Gateway |
| 443 | Used for Cloud Connector communication: LDAP, DNS, PKI, and Citrix Workspace enumeration. | Cloud Connector servers | https://*.citrixworkspacesapi.net, https://*.cloud.com, https://*.blob.core.windows.net/, https://*.servicebus.windows.net |
| 636 | Used for secure LDAP connections. | Citrix Gateway NSIP (or, if using a load balancer, SNIP) | LDAP authentication server or Active Directory |
| 1494 | Used for ICA connections to Windows-based applications in the internal network. Citrix recommends keeping this port open. | Citrix Gateway SNIP | Citrix Virtual Apps and Desktops |
| 1812 | Used for RADIUS connections. | Citrix Gateway NSIP | RADIUS authentication server |
| 2598 | Used for connections to Windows-based applications in the internal network using session reliability. Citrix recommends keeping this port open. | Citrix Gateway SNIP | Citrix Virtual Apps and Desktops |
| 3269 | Used for Microsoft Global Catalog secure LDAP connections. | Citrix Gateway NSIP (or, if using a load balancer, SNIP) | LDAP authentication server or Active Directory |
| 8443 | Used for enrollment, app store, and mobile app management (MAM). | Citrix Gateway SNIP | Endpoint Management |
| 8443 | Secure Ticket Authority (STA) port used for the Secure Mail authentication token. | Citrix Gateway SNIP | Endpoint Management |
| 4443 | Used for accessing the Endpoint Management console by an administrator through the browser. | Access point (browser) | Endpoint Management |

Network and firewall requirements

To enable devices and apps to communicate with Endpoint Management, you open specific ports in your firewalls. The following tables list those ports.

Open ports from the internal network to Citrix Cloud:

| TCP port | Description | Source IP | Destination | Destination IP |
|---|---|---|---|---|
| 443 | Cloud Connector | | https://*.citrixworkspacesapi.net, https://*.cloud.com, https://*.sharefile.com, https://cwsproduction.blob.core.windows.net/downloads, https://*.servicebus.windows.net | |
| 443 | Administrative console | | https://*.citrixworkspacesapi.net, https://*.cloud.com, https://*.citrix.com, https://cwsproduction.blob.core.windows.net/downloads | |
| 4443 | Endpoint Management console access through a browser | | Endpoint Management | |

Open ports from the Internet to the DMZ:

| TCP port | Description | Source IP | Destination | Destination IP |
|---|---|---|---|---|
| 443 | Endpoint Management client device | | Citrix Gateway IP | |
| 443 | Endpoint Management client device | | NetScaler VIP | Citrix Files |
| 443 | Citrix Files | Public IP (CTX208318) | NetScaler VIP | Citrix Files |

Open ports from the DMZ to the internal network:

| TCP port | Description | Source IP | Destination | Destination IP |
|---|---|---|---|---|
| 389 or 636 | NetScaler NSIP | | Active Directory IP | |
| 53 (UDP) | NetScaler NSIP | | DNS server IP | |
| 443 | NetScaler SNIP | | Exchange (EAS) server IP | |
| 443 | NetScaler SNIP | | Internal web apps/services | |
| 443 | NetScaler SNIP | | StorageZone Controller IP | |

Open ports from the internal network to the DMZ:

| TCP port | Description | Source IP | Destination | Destination IP |
|---|---|---|---|---|
| 443 | Admin client | | NetScaler NSIP | |

Open ports from the internal network to the Internet:

| TCP port | Description | Source IP | Destination | Destination IP |
|---|---|---|---|---|
| 443 | Exchange (EAS) server IP | | Endpoint Management push notification listeners (1) | |
| 443 | StorageZone Controller IP | | Citrix Files control plane | CTX208318 |

(1) us-east-1.mailboxlistener.xm.citrix.com, eu-west-1.mailboxlistener.xm.citrix.com, ap-southeast-1.mailboxlistener.xm.citrix.com

Open ports from the corporate WiFi to the Internet:

| TCP port | Description | Source IP | Destination | Destination IP |
|---|---|---|---|---|
| 5223 | Endpoint Management client device | | Apple APNS servers | 17.0.0.0/8 |
| 5228 | Endpoint Management client device | | Google Cloud Messaging | android.apis.google.com |
| 5229 | Endpoint Management client device | | Google Cloud Messaging | android.apis.google.com |
| 5230 | Endpoint Management client device | | Google Cloud Messaging | android.apis.google.com |
| 443 | Endpoint Management client device | | Windows Push Notification Service | *.notify.windows.com |
| 443 / 80 | Endpoint Management client device | | Apple iTunes App Store | ax.itunes.apple.com, *.mzstatic.com, vpp.itunes.apple.com |
| 443 / 80 | Endpoint Management client device | | Google Play | play.google.com, android.clients.google.com, android.l.google.com |
| 443 / 80 | Endpoint Management client device | | Microsoft App Store | login.live.com, *.notify.windows.com |
| 443 | Endpoint Management client device | | Endpoint Management AutoDiscovery Service | ads.xm.cloud.com (Secure Hub versions supported as of January 1, 2019); discovery.mdm.zenprise.com (Secure Hub 10.6.15 and older) |
| 8443 / 443 | Endpoint Management client device | | Endpoint Management | |
| 443 | StorageZone Controller IP | | Citrix Files control plane | CTX208318 |

Port requirement for Auto Discovery Service connectivity

This port configuration ensures that Android devices connecting from Secure Hub for Android can access the Endpoint Management AutoDiscovery Service (ADS) from within the internal network. The ability to access the ADS is important when downloading any security updates made available through the ADS.

Note

ADS connections might not support your proxy server. In this scenario, allow the ADS connection to bypass the proxy server.

If you want to enable certificate pinning, complete the following prerequisites:

  • Collect Endpoint Management server and NetScaler certificates. The certificates must be in PEM format and must be a public certificate and not the private key.
  • Contact Citrix Support and place a request to enable certificate pinning. During this process, you are asked for your certificates.
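
As an added example that is not part of the Citrix documentation, the following Python check verifies that a PEM bundle meets the first prerequisite above (CERTIFICATE blocks only, no private key) and returns each certificate's SHA-256 fingerprint so the submitted pins are on record. The sample bundle embedded at the bottom is constructed for illustration and is not a real certificate.

```python
# Added example (not code from the Citrix documentation): sanity-check a PEM
# bundle before submitting it for certificate pinning. The prerequisite is
# public certificates in PEM format and no private key; the SHA-256
# fingerprint of each certificate is returned so the submitted pins are on record.
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def inspect_pem(text):
    """Return (fingerprints, problems): colon-separated SHA-256 digests of
    each CERTIFICATE block's DER bytes, and reasons the bundle must not be
    submitted (empty when the bundle is clean)."""
    fingerprints, problems = [], []
    for label, body in PEM_BLOCK.findall(text):
        if "PRIVATE KEY" in label:
            problems.append("contains a %s block; submit only public certificates" % label)
            continue
        if label != "CERTIFICATE":
            problems.append("unexpected PEM block type: %s" % label)
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("CERTIFICATE block is not valid base64")
            continue
        if not der or der[0] != 0x30:  # DER certificates start with a SEQUENCE tag
            problems.append("CERTIFICATE block does not decode to DER")
            continue
        digest = hashlib.sha256(der).hexdigest().upper()
        fingerprints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    if not fingerprints and not problems:
        problems.append("no CERTIFICATE block found")
    return fingerprints, problems


# Constructed sample input, not a real certificate: a minimal DER SEQUENCE
# (30 03 02 01 01) as a CERTIFICATE block, then a key block that must be rejected.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
SAMPLE_WITH_KEY = SAMPLE_CERT + (
    "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, bundle in (("cert only", SAMPLE_CERT), ("with key", SAMPLE_WITH_KEY)):
        fps, errs = inspect_pem(bundle)
        print(name, "->", "REJECT" if errs else "OK", fps, errs)
```

Run it against the exported Endpoint Management and NetScaler PEM files; any non-empty problems list means the bundle is not ready to hand to Citrix Support.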

Certificate pinning requires that devices connect to ADS before the device enrolls. This requirement ensures that the latest security information is available to Secure Hub. For Secure Hub to enroll a device, the device must reach the ADS. Therefore, opening ADS access within the internal network is critical to enabling devices to enroll.

To allow access to the ADS for Secure Hub for Android, open port 443 for the following FQDNs and IP addresses:

| FQDN | IP address | Port | IP and port usage |
|---|---|---|---|
| ads.xm.cloud.com (Secure Hub versions supported as of January 1, 2019); discovery.mdm.zenprise.com (Secure Hub 10.6.15 and older) | 52.5.138.94 | 443 | Secure Hub - ADS communication |
| ads.xm.cloud.com (Secure Hub versions supported as of January 1, 2019); discovery.mdm.zenprise.com (Secure Hub 10.6.15 and older) | 52.1.30.122 | 443 | Secure Hub - ADS communication |
| ads.xm.cloud.com | 34.194.83.188 | 443 | Secure Hub - ADS communication |
| ads.xm.cloud.com | 34.193.202.23 | 443 | Secure Hub - ADS communication |