Citrix Tech Zone
Tech Paper: Communication Ports Used by Citrix Technologies
This article provides an overview of common ports that are used by Citrix components and must be considered as part of networking architecture, especially if communication traffic traverses network components such as firewalls or proxy servers where ports must be opened to ensure communication flow.
Not all ports need to be open, depending on your deployment and requirements.
NetScaler SDX
| Source | Destination | Type | Port | Details |
|---|---|---|---|---|
| Admin Workstation | NetScaler SDX lights out management | TCP | 80, 443 | HTTP or HTTPS - GUI Administration |
| NetScaler SDX SVM | TCP | 80, 443 | HTTP or HTTPS - GUI and NITRO communication | |
| TCP | 22 | SSH/SCP Access | ||
| NetScaler SDX Hypervisor | TCP | 22 | SSH/SCP Access | |
| NetScaler SDX SVM | NetScaler instance | TCP | 80, 443 | HTTP or HTTPS - GUI and NITRO communication |
| TCP | 22 | SSH/SCP Access | ||
| ICMP | Using ICMP protocol to check instance availability | |||
| NTP Server | UDP | 123 | Default NTP server port for synchronizing with multiple time sources | |
| NetScaler NSIP | NetScaler SDX SVM | SNMP | 161, 162 | SNMP events/traps from ADC instances to SDX SVM |
| ICMP | Using ICMP protocol to check instance availability |
NetScaler
| Source | Destination | Type | Port | Details |
|---|---|---|---|---|
| NetScaler NSIP | NetScaler Appliances in cluster setup | UDP | 7000 | Cluster heartbeat exchange |
| NetScaler Appliance (for High Availability) | UDP | 3003 | Exchange of hello packets for communicating UP/DOWN status (heartbeat) | |
| NetScaler Appliance (for High Availability) | TCP | 3008 | Secure High Availability configuration synchronization | |
| NetScaler Appliance (For Global Site Load Balancing) | TCP | 3009 | For secure MEP. | |
| NetScaler Appliance (for High Availability) | TCP | 3010 | Non-secure high availability configuration synchronization. | |
| NetScaler Appliance (For Global Site Load Balancing) | TCP | 3011 | For non-secure MEP. | |
| NetScaler ADM Appliance | UDP | 162 | Traps from ADC to NetScaler ADM Center | |
| NetScaler Appliance (for High Availability) | TCP | 22 | Used by the rsync process during file synchronization in high availability setup | |
| DNS Server | TCP, UDP | 53 | DNS name resolution | |
| NTP Server | UDP | 123 | Default NTP server port for synchronizing with multiple time sources | |
| Application Firewall signature URL | TCP | 443 | Hosted signature updates on AWS | |
| Bot Management signature URL | TCP | 443 | Hosted signature updates on AWS | |
| ADC lights out management | TCP | 4001, 5900, 623 | Daemon which offers complete and unified configuration management of all the routing protocols | |
| LDAP Server | TCP | 636 | LDAP SSL connection | |
| TCP | 3268 | LDAP connection to Global Catalog | ||
| TCP | 3269 | LDAP connection to Global Catalog over SSL | ||
| TCP | 389 | LDAP plaintext or TLS | ||
| RADIUS Server | UDP | 1813 | RADIUS accounting | |
| UDP | 1645, 1812 | RADIUS connection | ||
| Thales HSM | TCP | 9004 | RFS and Thales HSM | |
| NetScaler NSIP | NetScaler ADM | UDP | 4739 | For AppFlow communication |
| SNMP | 161, 162 | To send SNMP events/traps | ||
| Syslog | 514 | To receive syslog messages in NetScaler ADM | ||
| NetScaler SNIP | NetScaler ADM | TCP | 5563 | For ADC metrics (counters), system events, and Audit Log messages from NetScaler to NetScaler ADM. |
| TCP | 5557, 5558 | For logstream communication from NetScaler to NetScaler ADM. | ||
| Admin Workstation | NetScaler NSIP | TCP | 80, 443 | HTTP or HTTPS - GUI Administration |
| TCP | 22 | SSH Access |
Note:
Depending on the NetScaler configuration, network traffic can originate from SNIP, MIP, or NSIP interfaces. If you have configured NetScalers in High Availability mode, NetScaler ADM uses the NetScaler subnet IP (Management SNIP) address to communicate with NetScaler.
NetScaler ADM
| Source | Destination | Type | Port | Details |
|---|---|---|---|---|
| NetScaler ADM | NetScaler NSIP or Citrix SD-WAN instance | TCP | 80, 443 | For NITRO communication |
| TCP | 22 | For SSH communication | ||
| ICMP | No reserved port | To detect network reachability between NetScaler ADM and ADC instances, SD-WAN instances, or the secondary NetScaler ADM server deployed in high availability mode. | ||
| NetScaler ADM | TCP | 22 | For synchronization between NetScaler ADM servers deployed in high availability mode. | |
| TCP | 5454 | Default port for communication, and database synchronization in between NetScaler ADM nodes in high availability mode. | ||
| Users | TCP | 25 | To send SMTP notifications from NetScaler ADM to users. | |
| LDAP external authentication server | TCP | 389, 636 | Default port for authentication protocol. For communication between NetScaler ADM and LDAP external authentication server. | |
| NTP Server | UDP | 123 | Default NTP server port for synchronizing with multiple time sources. | |
| RADIUS external authentication server | RADIUS | 1812 | Default port for authentication protocol. For communication between NetScaler ADM and RADIUS external authentication server. | |
| TACACS external authentication server | TACACS | 49 | Default port for authentication protocol. For communication between NetScaler ADM and TACACS external authentication server. | |
| NetScaler/CPX instance | NetScaler ADM license server/agent | TCP | 27000 | License port for communication between NetScaler ADM license server/agent and ADC/CPX instance. |
| TCP | 7279 | Citrix vendor daemon port. | ||
| Citirx ADM | UDP | 5005 | ||
| Port to exchange heartbeats between HA nodes. | ||||
| NetScaler SNIP | TCP | 161 | To send SNMP events | |
| NetScaler NSIP | NetScaler ADM | UDP | 162 | To receive SNMP traps from NetScaler |
| UDP | 4739 | To receive ADC analytics log data using IPFIX protocol | ||
| UDP | 514 | To receive syslog messages from NetScaler ADM | ||
| NetScaler SNIP | NetScaler ADM | TCP | 5563 | To receive ADC metrics (counters), system events, and Audit Log messages from NetScaler instance to NetScaler ADM |
| TCP | 5557, 5558 | For logstream communication (for Security Insight, Web Insight, and HDX Insight) from NetScaler | ||
| NetScaler ADM | NetScaler ADM Agent | TCP | 443, 7443, 8443 | Port for communication between NetScaler agent and NetScaler ADM |
Note:
If you have configured NetScalers in High Availability mode, NetScaler ADM uses the NetScaler subnet IP (Management SNIP) address to communicate with NetScaler.
CTX124386 describes how to change the source, to communicate syslog messages to ADM, from the NSIP to the SNIP
Citrix Cloud
The only Citrix component needed to serve as a channel for communication between Citrix Cloud and your resource locations is a connector. This connector might be a Connector Appliance or a Cloud Connector depending on your use case. For more information on which connector you require, see Resource types.
Connector Appliance
Once installed, the Connector Appliance initiates communication with Citrix Cloud through an outbound connection. All connections are established from the Connector Appliance to the cloud using the standard HTTPS port (443) and the TCP protocol. No incoming connections are allowed.
This is a list of ports that the Connector Appliance requires access to:
| Service | Port | Supported Domain Protocol | Configuration details |
|---|---|---|---|
| DNS | 53 | TCP/UDP | This port must be open to the local setup |
| NTP | 123 | UDP | This port must be open to the local setup |
| HTTPS | 443 | TCP | Connector Appliance requires outbound access to this port |
To configure the Connector Appliance, IT admins must be able to access the admin interface on port 443 (HTTPS) of the Connector Appliance.
Note: You must include
https://at the start of the IP address.
Connector Appliance with Active Directory
Additional ports are required to use Active Directory with Connector Appliance. The Connector Appliance requires an outbound connection to the Active Directory domain via the following ports:
| Service | Port | Supported Domain Protocol |
|---|---|---|
| Kerberos | 88 | TCP/UDP |
| End Point Mapper (DCE/RPC Locator Service) | 135 | TCP |
| NetBIOS Name Service | 137 | UDP |
| NetBIOS Datagram | 138 | UDP |
| NetBIOS Session | 139 | TCP |
| LDAP | 389 | TCP/UDP |
| SMB over TCP | 445 | TCP |
| Kerberos kpasswd | 464 | TCP/UDP |
| Global Catalog | 3268 | TCP |
| Dynamic RPC Ports | 49152..65535 | TCP |
Cloud Connector
All connections are established from the Cloud Connector to the cloud using the standard HTTPS port (443) and the TCP protocol. No incoming connections are accepted.
Cloud Connectors must be able to connect to Digicert for certificate revocation checks.
| Source | Destination | Type | Port | Details |
|---|---|---|---|---|
| Cloud Connectors | http://*.digicert.com |
HTTP | 80 | Periodic Certificate Revocation List checks |
https://*.digicert.com |
HTTPS | 443 | ||
https://dl.cacerts.digicert.com/DigiCertAssuredIDRootCA.crt |
HTTPS | 443 | ||
https://dl.cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt |
HTTPS | 443 |
To find the list of addresses that are common to most Citrix Cloud services and their function, refer to product documentation.
Citrix DaaS
| Source | Destination | Type | Port | Details |
|---|---|---|---|---|
| Virtual Delivery Agent | Gateway Service | TCP, UDP | 443 | Rendezvous Protocol. |
| Cloud Connectors | Cloud Connectors | TCP | 80 | Communication between Delivery Controllers secured via WCF. |
| TCP | 89 | Local Host Cache secured via WCF. | ||
| TCP | 9095 | Orchestration service secured via WCF. | ||
| Cloud Connectors | XenServer Resource Pool Master | TCP | 80, 443 | Communication with XenServer infrastructure. |
| Microsoft SCVMM Server | TCP | 8100 | Communication with Microsoft SCVMM/Hyper-V infrastructure. | |
| VMware vCenter Server | TCP | 443 | Communication with VMware vSphere infrastructure. | |
| Nutanix AHV | TCP | 9440 | Communication with Nutanix AHV infrastructure. | |
| Cloud Connectors | Virtual Delivery Agent | TCP, UDP | 1494 | Access to applications and virtual desktops by ICA/HDX. EDT protocol requires 1494 to be open for UDP. |
| TCP | 80 | Citrix VDA Registration with the Citrix Cloud Connector secured via WCF. Communication must be bi-directional. | ||
| TCP, UDP | 2598 | Access to applications and virtual desktops by ICA/HDX with Session Reliability. EDT protocol requires 2598 to be open for UDP. | ||
| Cloud Connectors | WEM Agent | TCP | 49752 | “Agent port”. Listening port on the agent host that receives instructions from Cloud Connector secured via WCF. |
| Cloud Connectors | File Server | TCP | 139,445 | Access to VDI acting as File server CSV mount points. |
| Cloud Connectors | Citrix FAS Server | TCP | 80 | Send identity assertion of the user secured via WCF. |
| Citrix Provisioning Server Console | Cloud Connectors | HTTPS | 443 | Provisioning Server integration with Citrix Cloud Studio. |
| Citrix License Server | Citrix Cloud | HTTPS | 443 | Citrix License Server integration with Citrix Cloud. |
| Citrix FAS Server | Citrix Cloud | HTTPS | 443 | Connection betweeen Citrix FAS and Citrix Cloud. |
| Citrix DaaS Remote PowerShell SDK | Citrix Cloud | HTTPS | 443 | Any system running scripts based on the Citrix DaaS Remote PowerShell SDK. |
| Citrix Workspace App | Virtual Delivery Agent | TCP,UDP | 1494 | Access to applications and virtual desktops by ICA/HDX for Direct Workload Connection which bypasses Citrx Gateway Service for internal traffic. |
| TCP,UDP | 2598 | Access to applications and virtual desktops by ICA/HDX with Session Reliability for Direct Workload Connection which bypasses Citrx Gateway Service for internal traffic. | ||
| WEM Agent | Cloud Connectors | TCP | 8080 | Port on which the on-premises agent connects to Cloud Connector. This port is available for outbound LAN (Local Area Network) connections. Messages over the port are secured with Windows Communication Foundation (WCF) message-level security. |
| Citrix WEM Service | HTTPS | 443 | Port on which the on-premises agent connects to the WEM service in Citrix Cloud. This port is available for outbound internet connections. |
Read more about Citrix License Server integration here.
Read more about Citrix Provisioning Server integration here.
Read more about the Citrix DaaS Remote PowerShell SDK here
Citrix Gateway Service
By default, the Gateway Service will proxy HDX connections via the Citrix Cloud Connectors, however Rendezvous Protocol changes the flow of HDX connections in an attempt to directly connect the Virtual Delivery Agent to the Gateway Service bypassing the Citrix Cloud Connectors
Rendezvous Protocol and HDX Enlightened Data Transport Protocol (EDT)
| Source | Destination | Type | Port | Details |
|---|---|---|---|---|
| Virtual Delivery Agent | Gateway Service | UDP | 443 | EDT UDP over 443 to Gateway Service |
The Virtual Delivery Agents must have access to https://*.nssvc.net, including all subdomains. Or https://*.c.nssvc.net and https://*.g.nssvc.net.
Note:
If using EDT in Microsoft Azure, UDP must be defined on the Azure Network Security Group (NSG) protecting the Virtual Delivery Agent
Read more about Rendezvous Protocol and HDX Enlightened Data Transport Protocol (EDT) requirements here.
Citrix Session Recording Service
Refer to the following link for Citrix Session Recording Service ports - Connectivity Requirements
Citrix Endpoint Management
Refer to the following link for Citrix Endpoint Management (XenMobile) Ports - Port Requirements.
Citrix Gateway
| Source | Destination | Type | Port | Details |
|---|---|---|---|---|
| Citrix Gateway SNIP | LDAP Server (Load Balancing) | TCP | 636 | LDAPS SSL connection |
| TCP | 3268 | LDAP connection to Global Catalog | ||
| TCP | 3269 | LDAP connection to Global Catalog over SSL | ||
| TCP | 389 | LDAP plaintext or TLS | ||
| RADIUS Server (Load Balancing) | UDP | 1813 | RADIUS accounting | |
| UDP | 1645, 1812 | RADIUS connection | ||
| Secure Ticketing Authority (STA) | TCP | 80, 8080, 443 | Secure Ticketing Authority (embedded into XML Service) | |
| Virtual Delivery Agent | TCP, UDP | 1494 | Access to applications and virtual desktops by ICA/HDX. EDT protocol requires 1494 to be open for UDP. | |
| TCP, UDP | 2598 | Access to applications and virtual desktops by ICA/HDX with Session Reliability. EDT protocol requires 2598 to be open for UDP. | ||
| TCP, UDP | 443 | Access to applications and virtual desktops by ICA/HDX over TLS/DTLS. | ||
| UDP | 16500..16509 | ICA/HDX audio over UDP Real-time Transport | ||
| StoreFront | TCP | 80, 443 | Citrix Gateway communication with StoreFront | |
| Citrix Gateway Plug-in | VPN/CVAD | UDP | 3108, 3168, 3188 | For VPN tunnel with secure ICA connections |
| TCP, UDP | 3148, 3149, 3159 | For VPN tunnel with secure ICA connections | ||
| Admin Workstation | Citrix Gateway | TCP | 80, 443 | HTTPS - GUI Administration |
| TCP | 22 | SSH Access | ||
| Citrix Gateway | DNS | TCP, UDP | 53 | Communication with the DNS server |
For more information about required ports for Citrix Gateway in DMZ setup, refer to CTX113250.
Note:
All the above ports are not mandatory, depending on your own configuration.
Citrix Hypervisor
| Source | Destination | Type | Port | Details |
|---|---|---|---|---|
| Citrix Hypervisor | Citrix Hypervisor | TCP | 443 | Intra-host communication between members of a resource pool using XenAPI |
| NTP Service | TCP, UDP | 123 | Time Synchronization | |
| DNS Service Domain Controller | TCP, UDP TCP | 53, 389 | DNS User authentication when using Active Directory integration (LDAP) | |
| TCP | 636 | LDAP over SSL (LDAPS) | ||
| FileServer | TCP, UDP | 139 | ISOStore:NetBIOSSessionService | |
| TCP, UDP | 445 | ISOStore:Microsoft-DS | ||
| SAN Controller | TCP | 3260 | iSCSI Storage | |
| NAS Head/ File Server | TCP | 2049 | NFS Storage | |
| Syslog | TCP | 514 | Sends data to a central location for collation | |
| Clustering | TCP | 8892, 21064 | Communication between all pool members in a clustered pool. | |
| UDP | 5404, 5405 | |||
| Admin Workstation (XenCenter) | Citrix Hypervisor | TCP | 22 | SSH |
| TCP | 443 | Management using XenAPI | ||
| Virtual Machine | TCP | 5900 | VNC for Linux Guests | |
| TCP | 3389 | RDP for WindowsGuests |
Read more about Citrix License Server requirements here.
Note:
If FQDN is used instead of IP as resource, then make sure it is resolvable.
Citrix License Server
| Source | Destination | Type | Port | Details |
|---|---|---|---|---|
| Any Citrix Component | Citrix License Server | TCP | 27000 | Handles initial point of contact for license requests |
| TCP | 7279 | Check-in/check-out of Citrix licenses | ||
| Delivery Controller | Citrix License Server | TCP | 8082 | Web-based administration console (Lmadmin.exe) |
| TCP | 8083 | Simple License Service port (required for CVAD) | ||
| Admin Workstation | Citrix License Server | TCP | 8082 | Web-based administration console (Lmadmin.exe) |
| TCP | 8083 | Simple License Service port (required for CVAD) | ||
| TCP | 80 | Licensing Config PowerShell Snap-in Service | ||
| Citrix License Server | https://cis.citrix.com |
HTTPS | 443 | Citrix License automated license telemetry reporting |
Citrix SD-WAN
| Source | Destination | Type | Port | Details |
|---|---|---|---|---|
| SD-WAN Standard and Enterprise Edition | SD-WAN Standard and Enterprise Edition | UDP | 4980 | Static Virtual Path and Dynamic Virtual Path tunnels between SD-WAN SE/EE devices. |
| SD-WAN Center | TCP | 2156 | Reporting communication between SD-WAN Center and SD-WAN SE/EE devices. | |
| Citrix Cloud Zero Touch Deployment Service | TCP | 443 | Authentication communication between SD-WAN devices and Citrix Cloud Services. | |
| RADIUS | TCP | 1812 | Default port for authentication protocol. For communication between SD-WAN SE/EE and RADIUS external authentication server. | |
| TACACS+ | TACACS | 49 | Default port for authentication protocol. For communication between SD-WAN SE/EE and TACACS external authentication server. | |
| SNMP | UDP | 161, 162 | SNMP authentication and polling to SD-WAN SE/EE devices. | |
| NetFlow | UDP | 2055 | NetFlow polling to SD-WAN SE/EE devices. | |
| AppFlow (NetScaler ADM) | TCP | 4739 | For AppFlow communication between NetScaler ADM and SD-WAN SE/EE devices. | |
| API | TCP | 80, 443 | For NITRO API communication to SD-WAN SE/EE devices. | |
| SD-WAN Center | Citrix Cloud Zero Touch Deployment Service | TCP | 443 | Authentication communication between SD-WAN devices and Citrix Cloud Services. |
| SD-WAN WANOP Edition | SD-WAN WANOP Edition | TCP | N/A | SD-WAN WO Edition transparently optimizes TCP traffic between two sites. The original source destination and port go unchanged throughout the segments of the network. |
| API (NetScaler ADM) | TCP | 80, 443 | For NITRO API communication between NetScaler ADM and SD-WAN WANOP devices. | |
| SSH (NetScaler ADM) | TCP | 22 | For SSH communication between NetScaler ADM and SD-WAN WANOP devices. | |
| AppFlow (NetScaler ADM) | TCP | 4739 | For AppFlow communication between NetScaler ADM and SD-WAN WANOP devices. | |
| NetScaler ADM | ICMP | N/A | For network reachability between NetScaler ADM and SD-WAN WANOP devices. | |
| RADIUS | TCP | 1812 | Default port for authentication protocol. For communication between SD-WAN WO and RADIUS external authentication server. | |
| TACACS+ | TACACS | 49 | Default port for authentication protocol. For communication between SD-WAN WO and TACACS external authentication server. | |
| SNMP | UDP | 161, 162 | SNMP authentication and polling to SD-WAN WO devices. | |
| SD-WAN WANOP Edition (SSL Acceleration Enabled) | SD-WAN WANOP Edition (SSL Acceleration Enabled) | TCP | 443 | SD-WAN WO Edition secure peering feature encrypts traffic between SD-WAN peers. |
| Citrix Orchestrator On-Premises | 9.9.9.9 | UDP/TCP | 53 | DNS resolution of pertinent cloud service domains |
| SD-WAN Standard and Enterprise Edition | TCP | 443 | Communication between Orchestrator On-Premises and SD-WAN SE/EE devices | |
| Citrix Cloud | TCP | 443 | Authentication communication with Citrix Cloud services | |
| SD-WAN Standard and Enterprise Edition | SSH | 22 | Communication between Orchestrator On-Premises and SD-WAN SE/EE devices |
Citrix Virtual Apps and Desktops
| Source | Destination | Type | Port | Details |
|---|---|---|---|---|
| Delivery Controller | XenServer Resource Pool Master | TCP | 80, 443 | Communication with XenServer infrastructure |
| Microsoft SCVMM Server | TCP | 8100 | Communication with Hyper-V infrastructure | |
| VMware vCenter Server | TCP | 443 | Communication with vSphere infrastructure | |
| Nutanix AHV | TCP | 9440 | Communication with Nutanix AHV infrastructure | |
| Microsoft SQL Server | TCP | 1433 | Microsoft SQL Server | |
| Virtual Delivery Agent | TCP | 80 (Bidirectional) | Delivery Controller initiates the connection when discovering local applications or for gathering information about local processes, performance data, and so on. | |
| Delivery Controller | TCP | 80 | Communication between Delivery Controllers | |
| TCP | 89 | Local Host Cache (This use of port 89 may change in future releases.) | ||
| TCP | 9095 | Orchestration service | ||
| Director | Delivery Controller | TCP | 80, 443 | Communication with Citrix Delivery Controllers |
| Citrix Director and Admin Workstation | Virtual Delivery Agent | TCP | 135,3389 | Communication between Citrix Director and Virtual Delivery Agent for Remote Assistance |
| TCP | 389 | LDAP Note: For the login step, Citrix Director does not contact the AD but does a local logon using the native Windows API - LoginUser (which might internally be contacting the AD). | ||
| Citrix Workspace app | StoreFront | TCP, UDP | 80,443 | Communication with StoreFront |
| Virtual Delivery Agent | TCP, UDP | 1494 | Access to applications and virtual desktops by ICA/HDX for Direct Workload Connection which bypasses Citrx Gateway Service for internal traffic. | |
| Virtual Delivery Agent | TCP, UDP | 2598 | Access to applications and virtual desktops by ICA/HDX with Session Reliability for Direct Workload Connection which bypasses Citrx Gateway Service for internal traffic. | |
| UDP | 16500..16509 | Port range for UDP ICA/HDX audio | ||
| Virtual Delivery Agent | Delivery Controller | TCP | 80 (Bidirectional) | Used by process ‘WorkstationAgent.exe’ for communication with Delivery Controller. |
| Admin Workstation | Director Server | TCP | 80, 443 | Access to Citrix Director website |
| Delivery Controller | TCP | 80, 443 | When using a locally installed Citrix Studio console or the SDK to directly access Delivery Controller. | |
| Virtual Delivery Agent | TCP, UDP | 49152..65535 | Dynamically allocated high-port when initiating a Remote Assistance session from a Windows machine to a Virtual Delivery Agent. | |
| HdxVideo.js | Virtual Delivery Agent | TCP | 9001 | HTML5 video redirection and Browser Content Redirection secure WebSocket service needed to redirect HTTPS websites. WebSocketService.exe - runs on the local system and performs SSL termination and user session mapping. TLS Secure WebSocket listening on 127.0.0.1 port 9001. |
Read more about Citrix License Server requirements here.
Citrix App Layering
Refer to the following link for Citrix App Layering ports - Firewall Ports.
Federated Authentication Service
| Source | Destination | Type | Port | Details |
|---|---|---|---|---|
| StoreFront | FAS Server | TCP | 80 | To send identity assertion of the user. |
| FAS Server | Microsoft Certificate Authority | DCOM | 135 | By default the Microsoft CA uses DCOM for access. This can result in complexities when implementing firewall security, so Microsoft has a provision to switch to a static TCP port. See Configure MS CA DCOM for more information. |
| Virtual Delivery Agent | FAS Server | TCP | 80 | Fetch the user certificate from the FAS Server. |
Provisioning Services
| Source | Destination | Type | Port | Details |
|---|---|---|---|---|
| Provisioning Server | Provisioning Server | UDP | 6890..6909 | Inter-server communication |
| Microsoft SQL Server | TCP | 1433 | Communication with Microsoft SQL Server | |
| Citrix License Server | TCP | 27000 | “Citrix License Server port”. The port on which the Citrix License Server is listening and to which the infrastructure service then connects to validate licensing. | |
| TCP | 7279 | The port used by the dedicated Citrix component (daemon) in the Citrix License Server to validate licensing. | ||
| Domain Controller | TCP | 389 | Communication with Active Directory | |
| Target Device | UDP | 6901, 6902, 6905 | Target device to Citrix Provisioning communication (not configurable) | |
| Citrix Hypervisor | TCP | 80, 443 | Communication with Citrix Hypervisor infrastructure | |
| VMware vCenter Server | TCP | 443 | Communication with vSphere infrastructure | |
| Microsoft Hyper-V | TCP | 8100 | Communication with Hyper-V infrastructure | |
| Microsoft Azure | TCP | 443 | Communication with Azure infrastructure | |
| Google Cloud Platform | TCP | 443 | Communication with Google Cloud infrastructure | |
| Target Device | Broadcast/DHCPServer | UDP | 66, 67 | Only DHCP options: Obtaining network boot DHCP options 66-TFTP Server Name (Bootstrap Protocol Server) and 67-Boot file name (Bootstrap Protocol Client). |
| Broadcast/PXEService | UDP | 69 | Trivial File Transfer (TFTP) for Bootstrap delivery | |
| TFTP Server | UDP | 6910 | Target Device login at Provisioning Services | |
| Provisioning Server | UDP | 6910..6930 | Virtual disk Streaming (Streaming Service) (configurable) | |
| UDP | 6901, 6902, 6905 | Target device to Citrix Provisioning communication (not configurable) | ||
| UDP | 6969, 2071 | Only BDM: Two Stage Boot (BDM). Used in boot from ISO or USB scenarios only. | ||
| TCP | 54321..54323 | SOAP Service - Used by Imaging Wizards | ||
| Admin Workstation | Provisioning Server | TCP | 54321..54323 | SOAP Service - Used by Console and APIs (MCLI, PowerShell, etc.) |
| Delivery Controller | TCP | 80 | When using on-prem CVAD - used by Console wizards when creating Broker Catalogs | |
| CVAD Service | TCP | 443 | When using CVADS - used by Console wizards when creating Broker Catalogs |
Universal Print Server
| Source | Destination | Type | Port | Details |
|---|---|---|---|---|
| Virtual Delivery Agent | Universal Print Server | UDP | 7229 | Universal Print Server print data stream (CGP) port (configurable) |
| Virtual Delivery Agent | Universal Print Server | TCP | 8080 | Universal Print Server web service (HTTP/SOAP) port (configurable) |
Remote PC Access
| Source | Destination | Type | Port | Details |
|---|---|---|---|---|
| Admin Workstation | Virtual Delivery Agent | UDP | 9 | Wake on LAN for Remote PC Access power management |
| WOL Proxy | Virtual Delivery Agent | TCP | 135 | Wake Up Proxy for Remote PC Access power management |
Note:
Remote PC Access is using the same Virtual Delivery Agent ports as regular virtual desktops
Session Recording
| Source | Destination | Type | Port | Details |
|---|---|---|---|---|
| Virtual Delivery Agent | Session Recording Server | TCP | 80, 443 | Communication between Session Recording Agent installed on Virtual Delivery Agent to connect to the Session Recording Server. Default installation uses HTTPS/SSL to secure communications. If SSL is not configured, use HTTP. |
| Session Recording Policy Console | Session Recording Server | TCP | 80, 443 | Communication between server where the Session Recording Policy Console is installed and Session Recording Server |
| Session Recording Player | Session Recording Server | TCP | 80, 443 | Communication between the workstation where the Session Recording Player is installed and Session Recording Server. |
StoreFront
| Source | Destination | Type | Port | Details |
|---|---|---|---|---|
| User Device | StoreFront Server | TCP | 80, 443 | Connecting to the store hosted on StoreFront server |
| StoreFront Server | Domain Controller | TCP, UDP | 389 | LDAP connection to query user-friendly name and email addresses |
| TCP, UDP | 88 | Kerberos | ||
| TCP, UDP | 464 | Native Windows authentication protocol to allow users to change expired passwords | ||
| StoreFront Server | TCP | Randomly selected unreserved port per service. Scroll down to the end of this table for configuration of firewalls when you place StoreFront in its own network. | Used for Peer-to-peer Services (Credential Wallet, Subscriptions Store (1 per Store). This service uses MS .Net NetPeerTcpBinding which negotiates a random port on each server between the peers. Only used for communication within the cluster. | |
| TCP | 808 | Used for Subscription Replication Services. Not installed by default. Used to replicate subscriptions between associated clusters | ||
| Delivery Controller, XenMobile | TCP | 80, 443 | For application and desktop requests. | |
| NetScaler | TCP | 8000 | For Monitoring Service used by NetScaler load balancer. | |
| StoreFront | Citrix Gateway | TCP | 443 | Callback URL to reach Citrix Gateway from StoreFront |
Use the following information for configuration of firewalls when you place StoreFront in its own network:
- Locate the config files:
C:\Program Files\Citrix\Receiver StoreFront\Services\SubscriptionsStoreService\Citrix.DeliveryServices.SubscriptionsStore.ServiceHost.exe.configC:\Program Files\Citrix\Receiver StoreFront\Services\CredentialWallet\Citrix.DeliveryServices.CredentialWallet.ServiceHost.exe.config
-
Edit both the config files changing the values for endpoint URIs.
For example -
<endpoint uri="net.p2p://CitrixCredentialWalletReplication">so any address that starts withnet.p2p://includes the port. You should end up with<endpoint uri="net.p2p://CitrixCredentialWalletReplication:93">and<endpoint uri="net.p2p://Citrix-Subscriptions-1__Citrix_Store">becomes<endpoint uri="net.p2p://Citrix-Subscriptions-1__Citrix_Store:93">and so on for all other net.p2p addresses. - Restart the subscriptions store and credential wallet.
- The local firewall includes rules for allowing per application access, so it is not locked down by port.
Workspace Environment Management
| Source | Destination | Type | Port | Details |
|---|---|---|---|---|
| Infrastructure service | Agent host | TCP | 49752 | “Agent port”. Listening port on the agent host which receives instructions from the infrastructure service. |
| Administration console | Infrastructure service | TCP | 8284 | “Administration port”. Port on which the administration console connects to the infrastructure service. |
| Agent | Infrastructure service | TCP | 8286 | “Agent service port”. Port on which the agent connects to the infrastructure server. |
| Agent cache synchronization process | Infrastructure service | TCP | 8285 | “Cache synchronization port”. Applicable to Workspace Environment Management 1909 and earlier; replaced by Cached data synchronization port in Workspace Environment Management 1912 and later. Port on which the agent cache synchronization process connects to the infrastructure service to synchronize the agent cache with the infrastructure server. |
| TCP | 8288 | “Cached data synchronization port”. Applicable to Workspace Environment Management 1912 and later; replaces Cache synchronization port of Workspace Environment Management 1909 and earlier. Port on which the agent cache synchronization process connects to the infrastructure service to synchronize the agent cache with the infrastructure server. | ||
| Monitoring service | Infrastructure service | TCP | 8287 | “WEM monitoring port”. Listening port on the infrastructure server used by the monitoring service. (Not yet implemented.) |
| Infrastructure service | Microsoft SQL Server | TCP | 1433 | To connect to WEM Database |
| Citrix License Server | TCP | 27000 | “Citrix License Server port”. The port on which the Citrix License Server is listening and to which the infrastructure service then connects to validate licensing. | |
| TCP | 7279 | The port used by the dedicated Citrix component (daemon) in the Citrix License Server to validate licensing. |
Read more about Citrix Workspace Environment Management requirements here.
Read more about Citrix License Server requirements here.
CSV File
We would like to provide you with a csv file of the Citrix Communication Ports that you can use for your own needs.
Tech Paper: Communication Ports Used by Citrix Technologies
Copied!
Failed!