Linux Virtual Delivery Agent

Citrix Linux Virtual Delivery Agent (LVDA) – Network Port Matrix

Core VDA Registration and Control

| Source | Destination | Protocol | Port | Description |
|---|---|---|---|---|
| VDA | Delivery Controller | TCP | 80 | VDA registration and CXF/WCF communication *1 |
| Delivery Controller | VDA | TCP | 80 / Custom | Broker-initiated VDA communication *2 |

*1 By default, VDA registration uses TCP port 80 for CXF/WCF communication between the VDA and the Delivery Controller. If this port is unavailable or restricted, the registration port can be customized by reconfiguring the Broker services on all Delivery Controllers and updating the VDA to use the same port. Any network firewalls between the VDA and Delivery Controller must allow the configured port. For details, see Citrix documentation.

*2 To configure a custom CXF service port on the VDA, set the following registry value using the ctxreg command:

/opt/Citrix/VDA/bin/ctxreg create -k "HKLM\Software\Citrix\VirtualDesktopAgent" -t "REG_DWORD" -v "VdaCxfServicesPort" -d "<port>" --force

Restart the services for the change to take effect:

systemctl restart ctxjproxy

systemctl restart ctxvda

ICA / HDX Session Traffic

| Source | Destination | Protocol | Port | Description |
|---|---|---|---|---|
| Client | VDA | TCP | 1494 | ICA / HDX (default) *3 |
| Client | VDA | TCP | 2598 | ICA with Session Reliability |
| Client | VDA | TCP | 443 | ICA over TLS (SSL) |
| Client | VDA | UDP | 443 | HDX Adaptive Transport (EDT) |

*3 Note – ICA / HDX Default Port

ICA / HDX connections use TCP port 1494 by default, or TCP 2598 when Session Reliability is enabled. These ports are fixed and are not intended to be arbitrarily changed. If TCP 1494 is restricted, Citrix recommends using ICA over TLS (TCP 443) or HDX Adaptive Transport (UDP 443) instead of modifying the ICA port. See Citrix documentation.

HTML5 / Workspace Web Access

| Source | Destination | Protocol | Port | Description |
|---|---|---|---|---|
| Client | VDA | TCP | 8008 | HTML5 ICA proxy (internal access) |
| Client | VDA | TCP | 443 | HTML5 ICA over TLS |

HDX™ Direct for Linux

The following table describes the data center network for internal and external users.

Internal users

| Description | Protocol | Source | Source port | Destination | Destination port |
|---|---|---|---|---|---|
| Direct internal connection | TCP | Client network | 1024-65535 | VDA network | 443 |
| Direct internal connection | UDP | Client network | 1024-65535 | VDA network | 443 |

External users

| Description | Protocol | Source | Source port | Destination | Destination port |
|---|---|---|---|---|---|
| STUN (external users only) | UDP | VDA network | 1024-65535 | Internet (see note below) | 3478, 19302 |
| External user connection | UDP | DMZ / Internal network | 1024-65535 | VDA network | 55000-55250 |
| External user connection | UDP | VDA network | 55000-55250 | Client’s public IP | 1024-65535 |

VDA ↔ Citrix Scout / Telemetry (ctxtelemetry)

| Source | Destination | Direction | Protocol | Port | Purpose |
|---|---|---|---|---|---|
| Delivery Controller | VDA | Inbound | TCP | 7503 | Citrix Scout connects to Citrix Telemetry Service (ctxtelemetry) on VDA |
| VDA | Delivery Controller | Outbound | TCP | 7502 | Telemetry communication from VDA to Delivery Controller |

Note:

  • The Citrix Telemetry Service (ctxtelemetry) listens on TCP 7503 by default.

  • Port 7502 is used on the Delivery Controller side for Scout communication.

  • These ports are required only when Citrix Scout / telemetry collection is used.

VDA Local Database Service (PostgreSQL)

| Source | Destination | Direction | Protocol | Port | Purpose |
|---|---|---|---|---|---|
| Local VDA | Local VDA | Local | TCP | 5432 | Local PostgreSQL service used by VDA components |

Note:

  • PostgreSQL listens on TCP port 5432 by default.

  • This port is used locally on the VDA host by PostgreSQL.

  • No external inbound access to this port is required unless explicitly configured.

  • The port may appear as listening on the VDA system during port or security scans.

HDX Screen Sharing

| Source | Destination | Direction | Protocol | Port Range | Description |
|---|---|---|---|---|---|
| Client | VDA | Inbound | TCP | 52525-52624 | HDX Screen Sharing data channel |

Note:

  • HDX Screen Sharing is disabled by default and must be enabled via Citrix policies.

  • The usable port range is configurable; the default range is TCP 52525–52624.

  • These ports are used in addition to the standard ICA ports (1494 / 2598).

VDA ↔ Citrix Director

Session Shadowing (Linux VDA)

| Source | Destination | Direction | Protocol | Port Range | Description |
|---|---|---|---|---|---|
| VDA | Citrix Director | Outbound | TCP | 6001-6099 | Session Shadowing (noVNC / WebSocket based) |
| VDA | Citrix Director | Outbound | TCP | 52525-52624 | Remote assistance shadow (Screen Sharing based) |

Note:

  • Session Shadowing is supported for Linux VDAs only.

  • The feature dynamically selects an available port from 6001–6099.

  • The number of concurrent shadowed sessions is limited by the available ports in this range.

  • These ports must be reachable from the Linux VDA to the Citrix Director client.

Citrix Linux VDA – Summary Network Port Matrix

Core & Feature‑Dependent Ports

| Port / Range | Protocol | Scope | Feature / Purpose |
|---|---|---|---|
| 80 / Custom | TCP | VDA ↔ Delivery Controller | VDA registration (CXF / WCF) |
| 1494 | TCP | Client ↔ VDA | ICA / HDX (default) |
| 2598 | TCP | Client ↔ VDA | ICA with Session Reliability |
| 443 | TCP | Client ↔ VDA | Secure ICA / HTML5 ICA |
| 443 | UDP | Client ↔ VDA | HDX Adaptive Transport (EDT) |
| 8008 | TCP | Client ↔ VDA | HTML5 ICA (internal access) |
| 52525-52624 | TCP | VDA ↔ VDA | HDX Screen Sharing; configurable by group policy named ‘HDX screen sharing ports’ |
| 52525-52624 | TCP | VDA ↔ Citrix Director | Remote assistance shadow; configurable by group policy named ‘Remote assistance ports’ |
| 6001-6099 | TCP | VDA ↔ Citrix Director | Session Shadowing (Linux VDA) |
| 7503 | TCP | Delivery Controller ↔ VDA | Citrix Scout / Telemetry (ctxtelemetry listen port) |
| 7502 | TCP | VDA ↔ Delivery Controller | Citrix Scout / Telemetry communication |
| 5432 | TCP | Local VDA | Local PostgreSQL service |

Opening the Network Port on the VDA

After configuring a custom CXF service port, the corresponding network port must be allowed on the VDA host firewall to ensure successful communication.

The following sections describe how to open a TCP port on supported Linux distributions.

RHEL 8 / RHEL 9 (including Rocky Linux, AlmaLinux)

RHEL‑based distributions use firewalld as the default firewall service.

  • Ensure firewalld is running:

sudo systemctl enable --now firewalld

  • Open the required TCP port (example: <port>):

sudo firewall-cmd --zone=public --add-port=<port>/tcp --permanent

  • Reload the firewall configuration:

sudo firewall-cmd --reload

  • (Optional) Verify that the port is open:

sudo firewall-cmd --query-port=<port>/tcp

Ubuntu 22.04 / Ubuntu 24.04

Ubuntu uses ufw (Uncomplicated Firewall) as the default firewall management tool.

  • Ensure ufw is enabled:

sudo ufw enable

  • Allow the required TCP port (example: <port>):

sudo ufw allow <port>/tcp

  • Reload or verify firewall rules:

sudo ufw reload

sudo ufw status

Note:

  • The firewall configuration must allow inbound TCP traffic on the configured CXF service port.

  • Firewall changes take effect immediately after reload.

  • Opening a port in the firewall does not start a service; it only allows network traffic to reach the VDA.

Miscellaneous

  • Not all ports listed above are required in every deployment.

  • Only ports corresponding to enabled features and local services will be in use.

  • Some ports (for example, Screen Sharing and Session Shadowing) use configurable or dynamic ranges and must be sufficiently sized for concurrent sessions.

  • Port 5432 is used by a local PostgreSQL service on the VDA host and does not imply external database connectivity.
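The following script is an added example, not part of the Citrix documentation or tooling. It maps each listening TCP port reported by `ss -H -tln` to the TCP entry of the matrix above that it falls under, warns when PostgreSQL (5432) is bound to a non-loopback address, and marks listeners that are not in the matrix for review. The function name `audit_listeners`, the verdict labels and the sample input are constructed for illustration; the optional argument is the CXF service port (default 80).

```shell
#!/bin/sh
# Added example, not Citrix code: classify TCP listeners on a Linux VDA
# against the TCP rows of the port matrix on this page.

# Constructed sample in `ss -H -tln` format (State Recv-Q Send-Q Local Peer).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:1494 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2598 0.0.0.0:*
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 244 0.0.0.0:5432 0.0.0.0:*
LISTEN 0 128 [::]:7503 [::]:*
LISTEN 0 128 0.0.0.0:6010 0.0.0.0:*
LISTEN 0 128 *:8080 *:*
LISTEN 0 128 0.0.0.0:2049 0.0.0.0:*'

# audit_listeners [cxf_port]
# Reads ss lines on stdin and prints "<verdict> <label> <local address:port>".
audit_listeners() {
  awk -v cxf="${1:-80}" '
    $1 == "LISTEN" {
      la = $4                                   # local address:port
      p = la;    sub(/.*:/, "", p); p += 0      # numeric port
      addr = la; sub(/:[0-9]+$/, "", addr)      # bind address
      loop = (addr ~ /^127\./ || addr == "[::1]")
      if (p == 5432)                            # local PostgreSQL only
        v = loop ? "OK local-postgresql" : "WARN postgresql-not-loopback"
      else if (p == cxf + 0)                       v = "OK cxf-registration"
      else if (p == 1494 || p == 2598 || p == 443) v = "OK ica-hdx"
      else if (p == 8008)                          v = "OK html5-ica"
      else if (p == 7503)                          v = "OK ctxtelemetry"
      else if (p >= 6001 && p <= 6099)             v = "OK session-shadowing"
      else if (p >= 52525 && p <= 52624)           v = "OK screen-sharing"
      else                                         v = "REVIEW not-in-matrix"
      print v, la
    }'
}

# Offline run on the constructed sample.
# On a VDA: ss -H -tln | audit_listeners <cxf-port>
printf '%s\n' "$SAMPLE_SS" | audit_listeners 80
```

An `OK` verdict only means the port appears in the matrix; whether the corresponding feature is meant to be enabled on that VDA still has to be checked against the deployment.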