Product Documentation

Connect through a firewall

Network firewalls can allow or block packets based on the destination address and port. If you are using a firewall in your deployment, Citrix Receiver for Windows must be able to communicate through the firewall with both the Web server and Citrix server.

Common Citrix Communication Ports

Source Type Port Details
Citrix Receiver TCP 80/443 Communication with StoreFront
ICA/HDX TCP 1494 Access to applications and virtual desktops
ICA/HDX with Session Reliabilit TCP 2598 Access to applications and virtual desktops
ICA/HDX over SSL TCP 443 Access to applications and virtual desktops
ICA/HDX from HTML5 Receiver TCP 8008 Access to applications and virtual desktops
ICA/HDX Audio over UDP TCP 16500 - 16509 Port range for ICA/HDX audio
IMA TCP 2512 Independent Management Architecture (IMA)
Management Console TCP 2513 Citrix Management Consoles and *WCF services Note: For FMA based platforms 7.5 and later, port 2513 is NOT used.
Application/Desktop Request TCP 80/8080/443 XML Service
STA TCP 80/8080/443 Secure Ticketing Authority (embedded into XML Service)


In XenApp 6.5 port 2513 is used by XenApp Command Remoting Services through WCF.

If the firewall is configured for Network Address Translation (NAT), you can use the Web Interface to define mappings from internal addresses to external addresses and ports. For example, if your XenApp or XenDesktop server is not configured with an alternate address, you can configure the Web Interface to provide an alternate address to Receiver. Citrix Receiver for Windows then connects to the server using the external address and port number. For more information, see the Web Interface documentation.

Connect through a firewall