System requirements

While waiting for Citrix to provision Endpoint Management, prepare for your deployment by installing Cloud Connector. Although Citrix hosts and delivers your Endpoint Management solution, some communication and port setup is required on your side. That setup connects the Endpoint Management infrastructure to corporate services such as Active Directory.

Cloud Connector requirements

Citrix uses Cloud Connector to integrate Endpoint Management into your existing infrastructure. Cloud Connector securely connects the following resources in your resource location to Endpoint Management over outbound port 443: LDAP, your PKI server, internal DNS queries, and Citrix Workspace enumeration.

  • At least two dedicated Windows Server 2012 R2 or Windows Server 2016 machines, physical or virtual, joined to your Active Directory domain. Two is the minimum so that a single Connector is not a single point of failure. Each machine's clock must be synchronized to UTC; clock skew breaks installation and operation. For a full list of the latest requirements, see the deployment materials provided by your Citrix Account Team.

    The onboarding wizard guides you through installing Cloud Connector on those machines.

  • For more platform system requirements, see Citrix Cloud Connector.
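
The following pre-flight script is an added example, not Citrix's code or part of the onboarding wizard. Run it in an elevated Windows PowerShell session on each candidate Connector host before you start the wizard; it checks the three requirements above (supported OS, domain membership, time in sync) and measures the clock offset against the domain's time hierarchy. The 5-second skew threshold is an assumption, not a Citrix figure.

```powershell
# Added example (not Citrix's code): pre-flight checks for a candidate Cloud Connector host.
# Run elevated on the Windows Server 2012 R2 / 2016 machine. Assumes w32tm is present (it ships
# with Windows) and that the host can reach its domain controllers on UDP 123.

$cs = Get-CimInstance Win32_ComputerSystem
$os = Get-CimInstance Win32_OperatingSystem

# 1. Supported OS and domain membership, as required above.
$osSupported  = $os.Caption -match 'Server 2012 R2|Server 2016'
$domainJoined = [bool]$cs.PartOfDomain

# 2. Windows Time service status. A source of "Local CMOS Clock" means the host is not syncing at all.
$status     = & w32tm /query /status 2>&1
$sourceLine = $status | Select-String -Pattern '^Source:' | Select-Object -First 1
$timeSource = if ($sourceLine) { ($sourceLine.Line -split ':', 2)[1].Trim() } else { '(w32time not running)' }
$syncLine   = $status | Select-String -Pattern '^Last Successful Sync Time:' | Select-Object -First 1
$lastSync   = if ($syncLine) { ($syncLine.Line -split ':', 2)[1].Trim() } else { '(unknown)' }

# 3. Measured offset. The domain name resolves to domain controllers, which serve NTP; /dataonly
#    prints one "hh:mm:ss, +00.0012345s" line per sample and we keep the last one.
$offsetSec = $null
if ($domainJoined) {
    $sample = & w32tm /stripchart /computer:$($cs.Domain) /samples:3 /dataonly 2>&1 | Select-Object -Last 1
    if ("$sample" -match '([+-]\d+\.\d+)s\s*$') { $offsetSec = [double]$Matches[1] }
}
$maxSkewSec = 5   # assumed threshold; larger offsets should be fixed before installing the Connector

$timeSyncOK = ($timeSource -notmatch 'Local CMOS Clock|not running') -and
              ($null -ne $offsetSec) -and ([math]::Abs($offsetSec) -le $maxSkewSec)

[pscustomobject]@{
    ComputerName      = $cs.Name
    OS                = $os.Caption
    OSSupported       = $osSupported
    Domain            = $cs.Domain
    DomainJoined      = $domainJoined
    TimeZone          = [TimeZoneInfo]::Local.Id
    LocalUtcNow       = [DateTime]::UtcNow.ToString('u')
    TimeSource        = $timeSource
    LastSync          = $lastSync
    OffsetSeconds     = $offsetSec
    TimeSyncOK        = $timeSyncOK
    ReadyForConnector = $osSupported -and $domainJoined -and $timeSyncOK
} | Format-List
```

If TimeSource shows the local CMOS clock or OffsetSeconds is empty, fix the Windows Time configuration (for example, `w32tm /resync` after pointing the host at the domain hierarchy) and rerun before installing the Connector.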

NetScaler Gateway requirements

Endpoint Management requires a NetScaler Gateway installed in your resource location for the following scenarios:

  • You require a micro VPN so that line-of-business apps wrapped with Citrix MDX technology can reach internal network resources. The micro VPN needs NetScaler Gateway to connect to internal back-end infrastructure.
  • You plan to use Citrix mobile productivity apps, such as Citrix Secure Mail.
  • You plan to integrate Endpoint Management with Microsoft Intune/EMS.

The requirements:

For information, see the Citrix Support article How to Add an SSL Certificate Bundle on the NetScaler Appliance.

For information about NetScaler requirements, see the deployment materials provided by your Citrix Account Team.

ShareFile requirements

ShareFile file sync and sharing services are available in the Endpoint Management Premium Service offering. ShareFile StorageZones Controller extends ShareFile software-as-a-service (SaaS) cloud storage by giving your ShareFile account private data storage that you host.

ShareFile StorageZones Controller requirements:

  • A dedicated physical or virtual machine
  • Windows Server 2012 R2 or Windows Server 2016
  • 2 vCPUs
  • 4 GB RAM
  • 50 GB hard disk space
  • Server roles for Web Server (IIS):

    • Application Development: ASP.NET 4.5.2
    • Security: Basic Authentication
    • Security: Windows Authentication

ShareFile platform requirements:

  • The ShareFile installer requires administrative privileges on the Windows Server.
  • A ShareFile administrator user name, used to link the controller to your ShareFile account.
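
The script below is an added example, not the ShareFile installer or any Citrix tooling. It verifies the sizing above on the target Windows Server and installs the listed IIS roles using their Windows Server feature names. It assumes the controller is installed on the system drive (that is the volume it sizes) and that you run it elevated, which the installer itself also requires.

```powershell
# Added example (not Citrix's installer): check StorageZones Controller sizing and install the IIS roles.
# Run in an elevated Windows PowerShell session on the Windows Server 2012 R2 / 2016 host.
# Assumption: the controller goes on the system drive, so that is the volume whose size is checked.
# Windows Server feature names for the roles listed above:
#   Web-Server        Web Server (IIS)
#   Web-Asp-Net45     Application Development: ASP.NET 4.5 / 4.6 (version depends on OS release)
#   Web-Basic-Auth    Security: Basic Authentication
#   Web-Windows-Auth  Security: Windows Authentication
$required = 'Web-Server', 'Web-Asp-Net45', 'Web-Basic-Auth', 'Web-Windows-Auth'

$cs   = Get-CimInstance Win32_ComputerSystem
$disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
# .NET 4.x registers a single Release number; 379893 is 4.5.2, higher values are later versions.
$ndp  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue

[pscustomobject]@{
    vCPUs         = $cs.NumberOfLogicalProcessors
    vCPUsOK       = $cs.NumberOfLogicalProcessors -ge 2
    MemoryGB      = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    MemoryOK      = $cs.TotalPhysicalMemory -ge (4GB * 0.95)   # firmware/hypervisor reserve a little below 4 GB
    DiskGB        = [math]::Round($disk.Size / 1GB, 1)
    DiskOK        = $disk.Size -ge 50GB
    DotNetVersion = $ndp.Version
    DotNet452Plus = [int]$ndp.Release -ge 379893
} | Format-List

# Install whatever is missing. -IncludeManagementTools adds the IIS Manager console.
$missing = @(Get-WindowsFeature -Name $required | Where-Object { -not $_.Installed })
if ($missing.Count -eq 0) {
    'All required IIS roles are already installed.'
} else {
    "Installing: $($missing.Name -join ', ')"
    $result = Install-WindowsFeature -Name $missing.Name -IncludeManagementTools
    "Success: $($result.Success)  RestartNeeded: $($result.RestartNeeded)"
    if ($result.RestartNeeded -ne 'No') { 'Restart before running the ShareFile installer.' }
}

# Confirm the result: every required feature should now report Installed = True.
Get-WindowsFeature -Name $required | Select-Object Name, DisplayName, Installed | Format-Table -AutoSize
```

Basic Authentication is required by the controller, but it sends credentials in cleartext unless the IIS site is TLS-only, so make sure the site is bound to 443 with a valid certificate before exposing it through the NetScaler VIP.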

Port requirements

To enable devices and apps to communicate with Endpoint Management, you open specific ports in your firewalls. The following diagram shows the traffic flow for Endpoint Management.

Diagram of Endpoint Management traffic flow

The following sections list the ports that you must open.

NetScaler Gateway port requirements

Open ports to allow user connections from Citrix Secure Hub and Citrix Workspace through NetScaler Gateway to:

  • Endpoint Management
  • StoreFront
  • Other internal network resources, such as intranet websites

For more information about NetScaler Gateway, see Configuration Settings for your Endpoint Management Environment in the NetScaler Gateway documentation. For information about IP addresses owned by NetScaler, see How a NetScaler Communicates with Clients and Servers in the NetScaler documentation. That section covers the NetScaler IP (NSIP), virtual server IP (VIP), and subnet IP (SNIP) addresses.

Port | Description | Source | Destination
53 (TCP and UDP) | DNS connections | NetScaler Gateway SNIP | DNS server
80/443 | NetScaler Gateway passes the micro VPN connection to the internal network resource through the second firewall | NetScaler Gateway SNIP | Intranet websites
123 (TCP and UDP) | Network Time Protocol (NTP) | NetScaler Gateway SNIP | NTP server
389 | Unencrypted LDAP connections; prefer 636 or 3269 so that credentials do not cross the network in cleartext | NetScaler Gateway NSIP (or SNIP when using a load balancer) | LDAP authentication server or Microsoft Active Directory
443 | Connections from Citrix Workspace to StoreFront for XenApp and XenDesktop | Internet | NetScaler Gateway
443 | Connections to Endpoint Management for web, mobile, and SaaS app delivery | Internet | NetScaler Gateway
443 | Cloud Connector communication: LDAP, DNS, PKI, and Citrix Workspace enumeration | Cloud Connector servers | https://*.citrixworkspacesapi.net, https://*.cloud.com, https://*.blob.core.windows.net/, https://*.servicebus.windows.net
636 | Secure LDAP (LDAP over TLS) connections | NetScaler Gateway NSIP (or SNIP when using a load balancer) | LDAP authentication server or Active Directory
1494 | ICA connections to Windows-based applications in the internal network; Citrix recommends keeping this port open | NetScaler Gateway SNIP | XenApp and XenDesktop
1812 (UDP) | RADIUS connections | NetScaler Gateway NSIP | RADIUS authentication server
2598 | Connections to Windows-based applications in the internal network using session reliability; Citrix recommends keeping this port open | NetScaler Gateway SNIP | XenApp and XenDesktop
3269 | Microsoft Global Catalog secure LDAP connections | NetScaler Gateway NSIP (or SNIP when using a load balancer) | LDAP authentication server or Active Directory
8443 | Enrollment, app store, and mobile app management (MAM) | NetScaler Gateway SNIP | Endpoint Management
8443 | Secure Ticket Authority (STA) port used for the Secure Mail authentication token | NetScaler Gateway SNIP | Endpoint Management
4443 | Endpoint Management console access by an administrator through a browser | Administrator browser | Endpoint Management

Network and firewall requirements

The following tables list the ports to open, grouped by the network boundary the traffic crosses. Blank Source IP and Destination IP cells are environment-specific: record the addresses used in your own deployment.

Open ports from the internal network to Citrix Cloud:

Port | Source | Source IP | Destination | Destination IP
443 | Cloud Connector | | https://*.citrixworkspacesapi.net, https://*.cloud.com, https://*.sharefile.com, https://cwsproduction.blob.core.windows.net/downloads, https://*.servicebus.windows.net |
443 | Administrative console (administrator browser) | | https://*.citrixworkspacesapi.net, https://*.cloud.com, https://*.citrix.com, https://cwsproduction.blob.core.windows.net/downloads |
4443 | Administrator browser (Endpoint Management console access) | | Endpoint Management |

Open ports from the Internet to the DMZ:

Port | Source | Source IP | Destination | Destination IP
443 | Endpoint Management client device | | NetScaler Gateway IP |
443 | Endpoint Management client device | | NetScaler VIP (ShareFile) |
443 | ShareFile public IP ranges | See CTX208318 | NetScaler VIP (ShareFile) |

Open ports from the DMZ to the internal network:

Port | Source | Source IP | Destination | Destination IP
389 or 636 | NetScaler NSIP | | Active Directory IP |
53 (UDP) | NetScaler NSIP | | DNS server IP |
443 | NetScaler SNIP | | Exchange (EAS) server IP |
443 | NetScaler SNIP | | Internal web apps/services |
443 | NetScaler SNIP | | ShareFile StorageZones Controller IP |

Open ports from the internal network to the DMZ:

Port | Source | Source IP | Destination | Destination IP
443 | Admin client | | NetScaler NSIP |

Open ports from the internal network to the Internet:

Port | Source | Source IP | Destination | Destination IP
443 | Exchange (EAS) server IP | | Endpoint Management push notification listeners (1) |
443 | ShareFile StorageZones Controller IP | | ShareFile control plane | See CTX208318

(1) us-east-1.mailboxlistener.xm.citrix.com, eu-west-1.mailboxlistener.xm.citrix.com, ap-southeast-1.mailboxlistener.xm.citrix.com

Open ports from the corporate WiFi to the Internet:

Port | Source | Source IP | Destination | Destination IP
5223 | Endpoint Management client device | | Apple APNs servers | 17.0.0.0/8
5228 | Endpoint Management client device | | Google Cloud Messaging | android.apis.google.com
5229 | Endpoint Management client device | | Google Cloud Messaging | android.apis.google.com
5230 | Endpoint Management client device | | Google Cloud Messaging | android.apis.google.com
443 | Endpoint Management client device | | Windows Push Notification Service | *.notify.windows.com
443/80 | Endpoint Management client device | | Apple iTunes App Store | ax.itunes.apple.com, *.mzstatic.com, vpp.itunes.apple.com
443/80 | Endpoint Management client device | | Google Play | play.google.com, android.clients.google.com, android.l.google.com
443/80 | Endpoint Management client device | | Microsoft App Store | login.live.com, *.notify.windows.com
443 | Endpoint Management client device | | Endpoint Management AutoDiscovery Service | ads.xm.cloud.com (Secure Hub versions supported as of January 1, 2019); discovery.mdm.zenprise.com (Secure Hub 10.6.15 and older)
8443/443 | Endpoint Management client device | | Endpoint Management |
443 | ShareFile StorageZones Controller IP | | ShareFile control plane | See CTX208318
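
The script below is an added example, not Citrix tooling, for validating the outbound rows of the tables above once the firewall rules are in place. Run it from the segment whose rules you are checking (a workstation on the corporate WiFi for the device rows, a Cloud Connector host for the Citrix Cloud rows). It lists only endpoints the tables give as concrete FQDNs; wildcard destinations such as *.cloud.com or *.notify.windows.com need a real hostname substituted, and dc01.example.com is an assumed placeholder for your own directory server.

```powershell
# Added example (not from Citrix): TCP reachability check for the port tables above.
# Test-NetConnection performs a direct TCP connect, so it cannot test the UDP rows (DNS 53, NTP 123)
# and it reports a failure where egress is only allowed through an explicit web proxy.
# dc01.example.com is an assumed placeholder; replace it with your own domain controller.

$checks = @(
    # Internal network -> Citrix Cloud
    @{ Host = 'cwsproduction.blob.core.windows.net';     Ports = 443;              Rule = 'Cloud Connector -> Citrix Cloud downloads' }
    # Internal network -> Internet (push notification listener, footnote 1)
    @{ Host = 'us-east-1.mailboxlistener.xm.citrix.com'; Ports = 443;              Rule = 'Exchange (EAS) -> push listener' }
    # Corporate WiFi -> Internet
    @{ Host = 'android.apis.google.com';                 Ports = 5228, 5229, 5230; Rule = 'Device -> Google Cloud Messaging' }
    @{ Host = 'play.google.com';                         Ports = 443, 80;          Rule = 'Device -> Google Play' }
    @{ Host = 'ax.itunes.apple.com';                     Ports = 443, 80;          Rule = 'Device -> Apple App Store' }
    @{ Host = 'login.live.com';                          Ports = 443;              Rule = 'Device -> Microsoft App Store' }
    # DMZ -> internal network (placeholder hostname; run this part from the DMZ side)
    @{ Host = 'dc01.example.com';                        Ports = 389, 636, 3269;   Rule = 'NetScaler NSIP -> Active Directory' }
)

$report = foreach ($c in $checks) {
    foreach ($p in $c.Ports) {
        # Suppress the cmdlet's own warning on failure; the result object records what happened.
        $t = Test-NetConnection -ComputerName $c.Host -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            Rule     = $c.Rule
            Host     = $c.Host
            Port     = $p
            Resolved = if ($t.RemoteAddress) { $t.RemoteAddress.IPAddressToString } else { '(unresolved)' }
            TcpOpen  = [bool]$t.TcpTestSucceeded
        }
    }
}

$report | Format-Table -AutoSize

# Triage: "(unresolved)" is a DNS problem (the 53/UDP rows); a resolved host with TcpOpen = False is a
# firewall rule missing somewhere in the path, or egress that only works through a proxy.
$failed = @($report | Where-Object { -not $_.TcpOpen })
'{0} of {1} checks failed' -f $failed.Count, @($report).Count
```

The APNs row cannot be checked this way because the table gives only the 17.0.0.0/8 range, not a hostname; confirm it from a test iOS device instead.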

Port requirement for Auto Discovery Service connectivity

This port configuration ensures that Android devices running Secure Hub for Android can reach the Citrix Auto Discovery Service (ADS) from within the internal network. ADS access matters because Secure Hub downloads security updates through the ADS.

Note

ADS connections might not work through your proxy server. In that case, allow ADS connections to bypass the proxy.

If you want to enable certificate pinning, complete the following prerequisites:

  • Collect the Endpoint Management server and NetScaler certificates. Each must be a public certificate in PEM format; never include the private key.
  • Contact Citrix Support and place a request to enable certificate pinning. During this process, you are asked for your certificates.

Certificate pinning requires that a device connect to the ADS before it enrolls, so that Secure Hub holds the latest security information (including the pinned certificates) when it first contacts your servers. If the device cannot reach the ADS, Secure Hub cannot enroll it. Opening ADS access from the internal network is therefore critical to enrollment.
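
To produce the PEM files the pinning request asks for, the script below is an added example, not Citrix's documented procedure. It opens a TLS session to your Gateway, keeps the leaf certificate the server presents, writes it as PEM, and checks the file before you send it to Citrix Support: no private key block, it parses back as a certificate, and its subject alternative names include the FQDN users connect to. gateway.example.com is an assumed placeholder; repeat for the Endpoint Management FQDN.

```powershell
# Added example (not Citrix's procedure): capture the public certificate presented by a TLS endpoint
# and save it as PEM for the certificate-pinning request. Only the certificate the server sends is
# written; no private key is read or exported. gateway.example.com is an assumed placeholder.
$endpoint = 'gateway.example.com'
$port     = 443
$outFile  = Join-Path $env:TEMP "$endpoint.pem"

# Accept any chain during the handshake: we want the certificate exactly as presented, even if this
# host does not trust the issuing CA. This callback is used only to read the cert, never to trust it.
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $chain, $errors) $true }

$tcp = New-Object System.Net.Sockets.TcpClient($endpoint, $port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
try {
    # SNI is taken from the target host name, so a Gateway serving several FQDNs returns the right cert.
    $ssl.AuthenticateAsClient($endpoint)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

# PEM is the DER bytes, Base64-encoded in 64-character lines, between CERTIFICATE markers (RFC 7468).
$b64   = [Convert]::ToBase64String($leaf.RawData)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) { $b64.Substring($i, [Math]::Min(64, $b64.Length - $i)) }
$pem   = @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')
Set-Content -Path $outFile -Value $pem -Encoding Ascii

# Checks before sending the file to Citrix Support.
$text = Get-Content -Path $outFile -Raw
if ($text -match 'PRIVATE KEY') { throw "$outFile contains a private key block; never send this." }
$reparsed = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($outFile)
[pscustomobject]@{
    File          = $outFile
    Subject       = $reparsed.Subject
    Issuer        = $reparsed.Issuer
    NotAfter      = $reparsed.NotAfter
    Thumbprint    = $reparsed.Thumbprint
    HasPrivateKey = $reparsed.HasPrivateKey                     # must be False
    MatchesFqdn   = $reparsed.DnsNameList.Unicode -contains $endpoint   # DnsNameList is a PowerShell-added property
} | Format-List
```

Capturing the certificate from the live endpoint rather than exporting it from a key store guarantees that what you pin is what clients actually see; if the Gateway is load-balanced, run it against each VIP, and note that rotating the server certificate later means repeating the pinning request.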

To allow access to the ADS for Secure Hub for Android, open port 443 for the following FQDN and IP addresses:

FQDN | IP address | Port | Usage
ads.xm.cloud.com (Secure Hub versions supported as of January 1, 2019); discovery.mdm.zenprise.com (Secure Hub 10.6.15 and older) | 52.5.138.94 | 443 | Secure Hub to ADS communication
ads.xm.cloud.com (Secure Hub versions supported as of January 1, 2019); discovery.mdm.zenprise.com (Secure Hub 10.6.15 and older) | 52.1.30.122 | 443 | Secure Hub to ADS communication
ads.xm.cloud.com | 34.194.83.188 | 443 | Secure Hub to ADS communication
ads.xm.cloud.com | 34.193.202.23 | 443 | Secure Hub to ADS communication
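
Because the firewall rule above is written against specific IP addresses, the script below (an added example, not Citrix tooling) confirms that ads.xm.cloud.com currently resolves only to addresses in the table, and then tests TCP 443 to each address directly, which also bypasses any proxy as the note above recommends. Run it from the internal segment the Android devices use; it assumes Windows PowerShell with the DnsClient and NetTCPIP modules, which are present on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from Citrix): check that the ADS still resolves to the documented addresses and
# that TCP 443 to each is open from this network segment.
$adsHost    = 'ads.xm.cloud.com'
$documented = '52.5.138.94', '52.1.30.122', '34.194.83.188', '34.193.202.23'   # from the table above

# A-record lookup only; any CNAME in the answer is filtered out so we compare addresses, not aliases.
$resolved = Resolve-DnsName -Name $adsHost -Type A -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } |
            Select-Object -ExpandProperty IPAddress

"$adsHost resolves to: $($resolved -join ', ')"
$unexpected = @($resolved | Where-Object { $_ -notin $documented })
if ($unexpected.Count -gt 0) {
    "WARNING: address(es) not in the documented list: $($unexpected -join ', ')."
    'An IP-based allow rule built from the table would not match these; re-check the current Citrix list.'
}

# Direct TCP connect to each address. Connecting by IP rather than by name keeps the system proxy out
# of the path, which is exactly what an ADS proxy-bypass rule must allow.
$results = foreach ($ip in $resolved) {
    $t = Test-NetConnection -ComputerName $ip -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{
        IPAddress  = $ip
        Port       = 443
        Documented = $ip -in $documented
        TcpOpen    = [bool]$t.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

if (@($results | Where-Object { -not $_.TcpOpen }).Count -gt 0) {
    'At least one ADS address is not reachable on 443: Secure Hub enrollment and security updates will fail from this segment.'
}
```

Schedule this check rather than running it once: if Citrix adds an ADS address that your IP-based rule does not cover, enrollment breaks silently for devices that happen to resolve to the new address.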