Tech Paper: Communication Ports Used by Citrix Technologies

This article provides an overview of common ports that are used by Citrix components and must be considered as part of networking architecture, especially if communication traffic traverses network components such as firewalls or proxy servers where ports must be opened to ensure communication flow.

Not all ports need to be open, depending on your deployment and requirements.

Citrix ADC

Source	Destination	Type	Port	Details
Citrix ADC NSIP	Citrix ADC Appliances in cluster setup	UDP	7000	Cluster heart beat exchange
	Citrix ADC Appliance (for High Availability)	UDP	3003	Exchange of hello packets for communicating UP/DOWN status (heartbeat)
		TCP	3008	Secure High Availability configuration synchronization
		TCP	3009	For secure MEP.
		TCP	3010	Non-secure high availability configuration synchronization.
		TCP	3011	For non-secure MEP.
		UDP	162	Traps from ADC to Citrix ADM Center
		TCP	22	Used by the rsync process during file synchronization in high availability setup
	DNS Server	TCP, UDP	53	DNS name resolution
	Application Firewall signature URL	TCP	443	Hosted signature updates on AWS
	Bot Management signature URL	TCP	443	Hosted signature updates on AWS
	ADC lights out management	TCP	4001, 5900, 623	Daemon which offers complete and unified configuration management of all the routing protocols
	Integrated Management Interface	TCP, UDP	389	LDAP connection
	Thales HSM	TCP	9004	RFS and Thales HSM
Citrix ADC SNIP	Citrix ADM	UDP	4739	For AppFlow communication
		SNMP	161, 162	To send SNMP events
		Syslog	514	To receive syslog messages in Citrix ADM
		TCP	5557, 5558	For logstream communication from Citrix ADC to Citrix ADM.
Admin Workstation	Citrix ADC NSIP	TCP	80, 443	HTTP or HTTPS - GUI Administration
		TCP	8443	If an HTML client is used, then only 8443 port needs to be open between client and Command Center server. Citrix recommends using an HTML client as much as possible.
		TCP	22	SSH Access

Note:

Depending on the Citrix ADC configuration, network traffic can originate from SNIP, MIP, or NSIP interfaces. If you have configured Citrix ADCs in High Availability mode, Citrix ADM uses the Citrix ADC subnet IP (Management SNIP) address to communicate with Citrix ADC.

Link to application firewall signatures

Link to bot management signatures

Citrix ADM

Source	Destination	Type	Port	Details
Citrix ADM	Citrix ADC NSIP or Citrix SD-WAN instance	TCP	80, 443	For NITRO communication
		TCP	22	For SSH communication
		ICMP	No reserved port	To detect network reachability between Citrix ADM and ADC instances, SD-WAN instances, or the secondary Citrix ADM server deployed in high availability mode.
	Citrix ADM	TCP	22	For synchronization between Citrix ADM servers deployed in high availability mode.
		TCP	5454	Default port for communication, and database synchronization in between Citrix ADM nodes in high availability mode.
	Users	TCP	25	To send SMTP notifications from Citrix ADM to users.
	LDAP external authentication server	TCP	389, 636	Default port for authentication protocol. For communication between Citrix ADM and LDAP external authentication server.
	NTP Server	UDP	123	Default NTP server port for synchronizing with multiple time sources.
	RADIUS external authentication server	RADIUS	1812	Default port for authentication protocol. For communication between Citrix ADM and RADIUS external authentication server.
	TACACS external authentication server	TACACS	49	Default port for authentication protocol. For communication between Citrix ADM and TACACS external authentication server.
Citrix ADC CPX instance	Citrix ADM license server	TCP	27000	License port for communication between Citrix ADM license server and CPX instance.
		TCP	7279	Citrix vendor daemon port.
Citrix ADC SNIP	Citrix ADM	TCP	5563	To receive ADC metrics (counters), system events, and Audit Log messages from Citrix ADC instance to Citrix ADM
		TCP	5557, 5558	For logstream communication (for Security Insight, Web Insight, and HDX Insight) fron Citrix ADC
		UDP	162	To receive SNMP events from Citrix ADC
		UDP	514	To receive syslog messages from Citrix ADC or Citrix SD-WAN instance
		UDP	4739	To receive ADC analytics log data using IPFIX protocol
Citrix ADM	Citrix ADM Agent	TCP	443, 8443, 7443	Port for communication between Citrix ADC agent and Citrix ADM

Note:

If you have configured Citrix ADCs in High Availability mode, Citrix ADM uses the Citrix ADC subnet IP (Management SNIP) address to communicate with Citrix ADC.

Citrix Cloud

The only Citrix component needed to serve as a channel for communication between Citrix Cloud and your resource locations is Citrix Cloud Connector. All connections are established from the Cloud Connector to the cloud using the standard HTTPS port (443) and the TCP protocol. No incoming connections are accepted.

Cloud Connectors must be able to connect to Digicert for certificate revocation checks.

Source	Destination	Type	Port	Details
Cloud Connectors	http://*.digicert.com	HTTP	80	Periodic Certificate Revocation List checks
	https://*.digicert.com	HTTPS	443
	https://dl.cacerts.digicert.com/DigiCertAssuredIDRootCA.crt	HTTPS	443
	https://dl.cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt	HTTPS	443

To find the list of addresses that are common to most Citrix Cloud services and their function, refer to product documentation.

Citrix Cloud - Virtual Apps and Desktops Service

Source	Destination	Type	Port	Details
Virtual Delivery Agent	Gateway Service	TCP	443	Rendezvous Protocol
Cloud Connectors	Cloud Connectors			The cloud connector acts as proxy for the Delivery Controller. All ports listed for Delivery Controller to Delivery Controller in the Citrix Virtual Apps and Desktops section also need to be considered.
Cloud Connectors	Virtual Delivery Agent	TCP, UDP	1494	Access to applications and virtual desktops by ICA/HDX. EDT protocol requires 1494 to be open for UDP.
		TCP, UDP	2598	Access to applications and virtual desktops by ICA/HDX with Session Reliability. EDT protocol requires 2598 to be open for UDP.
				The cloud connector acts as proxy for the Delivery Controller. All ports listed for Delivery Controller to VDA in the Citrix Virtual Apps and Desktops section also need to be considered.
Citrix Provisioning Server Console	Cloud Connectors	HTTPS	443	Provisioning Server integration with Citrix Cloud Studio
Citrix License Server	Citrix Cloud	HTTPS	443	Citrix License Server integration with Citrix Cloud
CVAD Remote Powershell SDK	Citrix Cloud	HTTPS	443	Any system running scripts based on the CVAD Remote Powershell SDK
CVAD Remote Powershell SDK	Citrix Cloud	HTTPS	443	Any system running scripts based on the CVAD Remote Powershell SDK

Read more about Citrix License Server integration here. Read more about Citrix Provisioning Server integration here. Read more about the CVAD Remote Powershell SDK here

Citrix Cloud - Gateway Service

By default, the Gateway Service will proxy HDX connections via the Citrix Cloud Connectors, however Rendezvous Protocol changes the flow of HDX connections in an attempt to directly connect the Virtual Delivery Agent to the Gateway Service bypassing the Citrix Cloud Connectors

Rendezvous Protocol and HDX Enlightened Data Transport Protocol (EDT)

Source	Destination	Type	Port	Details
Virtual Delivery Agent	Gateway Service	UDP	443	EDT UDP over 443 to Gateway Service

The Virtual Delivery Agents must have access to https://*.nssvc.net, including all subdomains. Or https://*.c.nssvc.net and https://*.g.nssvc.net.

Note:

If using EDT in Microsoft Azure, UDP must be defined on the Azure Network Security Group (NSG) protecting the Virtual Delivery Agent

Read more about Rendezvous Protocol and HDX Enlightened Data Transport Protocol (EDT) requirements here.

Citrix Cloud - Workspace Environment Management Service

Source	Destination	Type	Port	Details
WEM Agent	WEM Service	HTTPS	443	HTTPS based communication between the WEM Agent and the WEM Service
WEM Agent	Cloud Connector	TCP	443	Registration Traffic for WEM Agents

Read more about Citrix Workspace Environment Management Service requirements here.

Citrix Endpoint Management

Refer to the following link for Citrix Endpoint Management (XenMobile) Ports – Port Requirements.

Citrix Gateway

Source	Destination	Type	Port	Details
Citrix Gateway SNIP	LDAP Server	TCP	636	LDAPS SSL connection
		TCP	3268	LDAP connection to Global Catalog
		TCP	3269	LDAP connection to Global Catalog over SSL
		TCP	389	LDAP plaintext or TLS
	RADIUS Server	UDP	1813	RADIUS accounting
		UDP	1645, 1812	RADIUS connection
	Secure Ticketing Authority (STA)	TCP	80, 8080, 443	Secure Ticketing Authority (embedded into XML Service)
	Virtual Delivery Agent	TCP, UDP	1494	Access to applications and virtual desktops by ICA/HDX. EDT protocol requires 1494 to be open for UDP.
		TCP, UDP	2598	Access to applications and virtual desktops by ICA/HDX with Session Reliability. EDT protocol requires 2598 to be open for UDP.
		TCP, UDP	443	Access to applications and virtual desktops by ICA/HDX over TLS/DTLS.
		TCP	8008	Access to applications and virtual desktops by ICA/HDX from Citrix Workspace app for HTML5
		UDP	16500..16509	ICA/HDX audio over UDP Real-time Transport
	StoreFront	TCP	80, 443	Citrix Gateway communication with StoreFront
Citrix Gateway Plug-in	VPN/CVAD	UDP	3108, 3168, 3188	For VPN tunnel with secure ICA connections
		TCP, UDP	3148	For VPN tunnel with secure ICA connections
Admin Workstation	Citrix Gateway	TCP	80, 443	HTTPS - GUI Administration
		TCP	8443	If an HTML client is used, then only 8443 port needs to be open between client and Command Center server. Citrix recommends using an HTML client as much as possible.
		TCP	22	SSH Access
Citrix Gateway	DNS	TCP, UDP	53	Communication with the DNS server

For more information about required ports for Citrix Gateway in DMZ setup, refer to CTX113250.

Note:

All the above ports are not mandatory, depending on your own configuration.

Citrix Hypervisor

Source	Destination	Type	Port	Details
Citrix Hypervisor	Citrix Hypervisor	TCP	443	Intra-host communication between members of a Resource Pool using XenAPI
	NTP Service	TCP, UDP	123	Time Synchronization
	DNS Service Domain Controller	TCP, UDP TCP	53, 389	DNS User authentication when using Active Directory integration (LDAP)
		TCP	636	LDAP over SSL (LDAPS)
	FileServer	TCP, UDP	139	ISOStore:NetBIOSSessionService
		TCP, UDP	445	ISOStore:Microsoft-DS
	SAN Controller	TCP	3260	iSCSI Storage
	NAS Head/ File Server	TCP	2049	NFS Storage
	Syslog	TCP	514	Sends data to a central location for collation
	Clustering	TCP	8892, 21064	Communication between all pool members in a clustered pool.
		UDP	5404, 5405
Admin Workstation (XenCenter)	Citrix Hypervisor	TCP	22	SSH
		TCP	443	Management using XenAPI
	Virtual Machine	TCP	5900	VNC for Linux Guests
		TCP	3389	RDP for WindowsGuests

Read more about Citrix License Server requirements here.

Note:

If FQDN is used instead of IP as resource, then make sure it is resolvable.

Citrix License Server

Source	Destination	Type	Port	Details
Any Citrix Component	Citrix License Server	TCP	27000	Handles initial point of contact for license requests
		TCP	7279	Check-in/check-out of Citrix licenses
Admin Workstation	Citrix License Server	TCP	8082	Web-based administration console (Lmadmin.exe)
		TCP	8083	Simple License Service port (required for CVAD)
		TCP	80	Licensing Config PowerShell Snap-in Service

Citrix SD-WAN

Source	Destination	Type	Port	Details
SD-WAN Standard and Enterprise Edition	SD-WAN Standard and Enterprise Edition	UDP	4980	Static Virtual Path and Dynamic Virtual Path tunnels between SD-WAN SE/EE devices.
	SD-WAN Center	TCP	2156	Reporting communication between SD-WAN Center and SD-WAN SE/EE devices.
	Citrix Cloud Zero Touch Deployment Service	TCP	443	Authentication communication between SD-WAN devices and Citrix Cloud Services.
	RADIUS	TCP	1812	Default port for authentication protocol. For communication between SD-WAN SE/EE and RADIUS external authentication server.
	TACACS+	TACACS	49	Default port for authentication protocol. For communication between SD-WAN SE/EE and TACACS external authentication server.
	SNMP	UDP	161, 162	SNMP authentication and polling to SD-WAN SE/EE devices.
	NetFlow	UDP	2055	NetFlow polling to SD-WAN SE/EE devices.
	AppFlow (Citrix ADM)	TCP	4739	For AppFlow communication between Citrix ADM and SD-WAN SE/EE devices.
	API	TCP	80, 443	For NITRO API communication to SD-WAN SE/EE devices.
SD-WAN Center	Citrix Cloud Zero Touch Deployment Service	TCP	443	Authentication communication between SD-WAN devices and Citrix Cloud Services.
SD-WAN WANOP Edition	SD-WAN WANOP Edition	TCP	N/A	SD-WAN WO Edition transparently optimizes TCP traffic between two sites. The original source destination and port go unchanged throughout the segments of the network.
	API (Citrix ADM)	TCP	80, 443	For NITRO API communication between Citrix ADM and SD-WAN WANOP devices.
	SSH (Citrix ADM)	TCP	22	For SSH communication between Citrix ADM and SD-WAN WANOP devices.
	AppFlow (Citrix ADM)	TCP	4739	For AppFlow communication between Citrix ADM and SD-WAN WANOP devices.
	Citrix ADM	ICMP	N/A	For network reachability between Citrix ADM and SD-WAN WANOP devices.
	RADIUS	TCP	1812	Default port for authentication protocol. For communication between SD-WAN WO and RADIUS external authentication server.
	TACACS+	TACACS	49	Default port for authentication protocol. For communication between SD-WAN WO and TACACS external authentication server.
	SNMP	UDP	161, 162	SNMP authentication and polling to SD-WAN WO devices.
SD-WAN WANOP Edition (SSL Acceleration Enabled)	SD-WAN WANOP Edition (SSL Acceleration Enabled)	TCP	443	SD-WAN WO Edition secure peering feature encrypts traffic between SD-WAN peers.

Citrix Virtual Apps and Desktops

Source	Destination	Type	Port	Details
Delivery Controller	Citrix Hypervisor Resource Pool Master	TCP	80, 443	Communication with Citrix Hypervisor infrastructure
	Microsoft SCVMM Server	TCP	8100	Communication with Hyper-V infrastructure
	VMware vCenter Server	TCP	443	Communication with vSphere infrastructure
	Microsoft SQL Server	TCP	1433	Microsoft SQL Server
		TCP	1434	Microsoft SQL Server. Note: Named instance connection requires UDP 1434
	Virtual Delivery Agent	TCP	80 (Bidirectional)	Delivery Controller initiates the connection when discovering local applications or for gathering information about local processes, performance data, and so on
		TCP	89	Local Host Cache (This use of port 89 might change in future releases.)
	Delivery Controller	TCP	80	Communication between Controllers.
		TCP	89	Local Host Cache (This use of port 89 might change in future releases.)
		TCP	9095	Orchestration service
Citrix Director and Admin Workstation	Virtual Delivery Agent	TCP	135, 3389	Communication between Citrix Director and Virtual Delivery Agent for Remote Assistance
		TCP	389	LDAP Note: For the logon step, Citrix Director does not contact the AD but does a local logon using the native Windows API– LogonUser (which might internally be contacting the AD).
Citrix Workspace app	StoreFront	TCP	80, 443	Communication with StoreFront
	Virtual Delivery Agent	TCP, UDP	2598	Access to applications and virtual desktops by ICA/HDX with Session Reliability. EDT protocol requires 2598 to be open for UDP.
		TCP, UDP	1494	Access to applications and virtual desktops by ICA/HDX. EDT protocol requires 1494 to be open for UDP.
		TCP	443	Access to applications and virtual desktops by ICA/HDX over SSL
		TCP	8008	Access to applications and virtual desktops by ICA/HDX from HTML5 Receiver
		UDP	16500..16509	Port range for UDP ICA/HDX audio
Virtual Delivery Agent	Delivery Controller	TCP	80 (Bidirectional)	Used by process WorkstationAgent.exe for communicating with Delivery Controller
Admin Workstation	Director Server	TCP	80, 443	Access to Citrix Director website
	Delivery Controller	TCP	80, 443	When using a locally installed Citrix Studio console or the SDK to directly access Delivery Controller
	Virtual Delivery Agent	TCP, UDP	Dynamically allocated high-port (49152..65535)	When initiating a Remote Assistance session from a Windows machine to a Virtual Delivery Agent
HdxVideo.js	Virtual Delivery Agent	TCP	9001	HTML5 video redirection and Browser Content Redirection secure WebSocket service needed to redirect HTTPS websites. WebSocketService.exe - Runs on the local system and performs SSL termination and user session mapping. TLS Secure WebSocket listening on 127.0.0.1 port 9001.

Read more about Citrix License Server requirements here.

Citrix App Layering

Refer to the following link for Citrix App Layering ports – Firewall Ports.

Federated Authentication Service

Source	Destination	Type	Port	Details
StoreFront	FAS Server	TCP	80	To send identity assertion of the user.
FAS Server	Microsoft Certificate Authority	TCP	135	Certificate Request.
	Domain Controller	TCP, UDP	389	Validate the user account before creating a certificate request
Microsoft Certificate Authority	FAS Server	TCP	135	Issue certificate to the certificate request from FAS Server.
Virtual Delivery Agent	FAS Server	TCP	80	Fetch the user certificate from the FAS Server.
	Domain Controller	TCP, UDP	389	Authentication of user during application or desktop launch

Note:

The Microsoft CA accepts communication using Kerberos authenticated DCOM, which can be configured to use a fixed TCP port. To learn more about it, see Federated Authentication Service certificate authority configuration.

Provisioning Services

Source	Destination	Type	Port	Details
Provisioning Server	Provisioning Server	UDP	6890..6909	Inter-server communication
	Microsoft SQL Server	TCP	1433	Communication with Microsoft SQL Server
	Domain Controller	TCP	389	Communication with Active Directory
Target Device	Broadcast/DHCPServer	UDP	66, 67	Only DHCP options: Obtaining network boot DHCP options 66-TFTP Server Name (Bootstrap Protocol Server) and 67-Boot file name (Bootstrap Protocol Client).
	Broadcast/PXEService	UDP	69	Trivial File Transfer (TFTP) for Bootstrap delivery
	TFTP Server	UDP	6910	Target Device login at Provisioning Services
	Provisioning Server	UDP	6910..6930	Virtual disk Streaming (Streaming Service) (configurable)
		UDP	6901, 6902, 6905	Target device to Citrix Provisioning communication (not configurable)
		UDP	6969, 2071	Only BDM: Two Stage Boot (BDM). Used in boot from ISO or USB scenarios only.
		TCP	54321..54323	SOAP Service – Used by Imaging Wizards
Admin Workstation	Provisioning Server	TCP	54321..54323	SOAP Service – Used by Console and APIs (MCLI, PowerShell, etc.)
	Delivery Controller	TCP	80	When using on-prem CVAD - used by Console wizards when creating Broker Catalogs
	CVAD Service	TCP	443	When using CVADS - used by Console wizards when creating Broker Catalogs

Universal Print Server

Source	Destination	Type	Port	Details
Virtual Delivery Agent	Universal Print Server	UDP	7229	Universal Print Server print data stream (CGP) port (configurable)
Virtual Delivery Agent	Universal Print Server	TCP	8080	Universal Print Server web service (HTTP/SOAP) port (configurable)

Remote PC Access

Source	Destination	Type	Port	Details
Admin Workstation	Virtual Delivery Agent	UDP	9	Wake On LAN for Remote PC Access power management
WOL Proxy	Virtual Delivery Agent	TCP	135	Wake Up Proxy for Remote PC Access power management

Note:

Remote PC Access is using the same Virtual Delivery Agent ports as regular virtual desktops

Session Recording

Source	Destination	Type	Port	Details
Virtual Delivery Agent	Session Recording Server	TCP	80, 443	Communication between Session Recording Agent installed on Virtual Delivery Agent to connect to the Session Recording Server. Default installation uses HTTPS/SSL to secure communications. If SSL is not configured, use HTTP.
Session Recording Policy Console	Session Recording Server	TCP	80, 443	Communication between server where the Session Recording Policy Console is installed and Session Recording Server
Session Recording Player	Session Recording Server	TCP	80, 443	Communication between the workstation where the Session Recording Player is installed and Session Recording Server.

StoreFront

Source	Destination	Type	Port	Details
User Device	StoreFront Server	TCP	80, 443	Connecting to the store hosted on StoreFront server
StoreFront Server	Domain Controller	TCP, UDP	389	LDAP connection to query user-friendly name and email addresses
		TCP, UDP	88	Kerberos
		TCP, UDP	464	Native Windows authentication protocol to allow users to change expired passwords
	StoreFront Server	TCP	Randomly selected unreserved port per service. Scroll down to the end of this table for configuration of firewalls when you place StoreFront in its own network.	Used for Peer-to-peer Services (Credential Wallet, Subscriptions Store (1 per Store). This service uses MS .Net NetPeerTcpBinding which negotiates a random port on each server between the peers. Only used for communication within the cluster.
		TCP	808	Used for Subscription Replication Services. Not installed by default. Used to replicate subscriptions between associated clusters
	Delivery Controller, XenMobile	TCP	80, 443	For application and desktop requests.
	Citrix ADC	TCP	8000	For Monitoring Service used by Citrix ADC load balancer.
StoreFront	Citrix Gateway	TCP	443	Callback URL to reach Citrix Gateway from StoreFront

Use the following information for configuration of firewalls when you place StoreFront in its own network:

1. Locate the config files:
   • C:\Program Files\Citrix\Receiver StoreFront\Services\SubscriptionsStoreService\Citrix.DeliveryServices.SubscriptionsStore.ServiceHost.exe.config
   • C:\Program Files\Citrix\Receiver StoreFront\Services\CredentialWallet\Citrix.DeliveryServices.CredentialWallet.ServiceHost.exe.config

2. Edit both the config files changing the values for endpoint URIs.

   For example - <endpoint uri="net.p2p://CitrixCredentialWalletReplication"> so any address that starts with net.p2p:// includes the port. You should end up with <endpoint uri="net.p2p://CitrixCredentialWalletReplication:93”> and <endpoint uri="net.p2p://Citrix-Subscriptions-1__Citrix_Store"> becomes <endpoint uri="net.p2p://Citrix-Subscriptions-1__Citrix_Store:93"> and so on for all other net.p2p addresses.

3. Restart the subscriptions store and credential wallet.
4. The local firewall includes rules for allowing per application access, so it is not locked down by port.

Workspace Environment Management

Source	Destination	Type	Port	Details
Infrastructure service	Agent host	TCP	49752	“Agent port”. Listening port on the agent host which receives instructions from the infrastructure service.
Administration console	Infrastructure service	TCP	8284	“Administration port”. Port on which the administration console connects to the infrastructure service.
Agent	Infrastructure service	TCP	8286	“Agent service port”. Port on which the agent connects to the infrastructure server.
Agent cache synchronization process	Infrastructure service	TCP	8285	“Cache synchronization port”. Applicable to Workspace Environment Management 1909 and earlier; replaced by Cached data synchronization port in Workspace Environment Management 1912 and later. Port on which the agent cache synchronization process connects to the infrastructure service to synchronize the agent cache with the infrastructure server.
		TCP	8288	“Cached data synchronization port”. Applicable to Workspace Environment Management 1912 and later; replaces Cache synchronization port of Workspace Environment Management 1909 and earlier. Port on which the agent cache synchronization process connects to the infrastructure service to synchronize the agent cache with the infrastructure server.
Monitoring service	Infrastructure service	TCP	8287	“WEM monitoring port”. Listening port on the infrastructure server used by the monitoring service. (Not yet implemented.)
Infrastructure service	Microsoft SQL Server	TCP	1433	To connect to WEM Database
	Citrix License Server	TCP	27000	“Citrix License Server port”. The port on which the Citrix License Server is listening and to which the infrastructure service then connects to validate licensing.
		TCP	7279	The port used by the dedicated Citrix component (daemon) in the Citrix License Server to validate licensing.

Read more about Citrix Workspace Environment Management requirements here.

Read more about Citrix License Server requirements here.