Port requirements

To enable devices and apps to communicate with XenMobile, open specific ports in your firewalls. The following tables list the ports that must be open, the direction of each connection (source to destination), and what the connection is used for.

Open ports for NetScaler Gateway and XenMobile to manage apps

Open the following ports to allow user connections from Citrix Secure Hub, Citrix Receiver, and the NetScaler Gateway Plug-in through NetScaler Gateway to the following components:

  • XenMobile
  • StoreFront
  • XenDesktop
  • Citrix Gateway connector for Exchange ActiveSync
  • Other internal network resources, such as intranet websites

To enable traffic to Launch Darkly from NetScaler, you can use the IP addresses noted in this Support Knowledge Center article.

For more information about NetScaler Gateway, see the NetScaler Gateway documentation. That documentation includes information about the NetScaler IP (NSIP), virtual server IP (VIP), and subnet IP (SNIP) addresses, which you need to know to write the source and destination entries below as concrete firewall rules.

Port (TCP unless noted) | Description | Source | Destination
21 or 22 | Used to send support bundles to an FTP (21) or SCP (22) server. | XenMobile | FTP or SCP server
53 (TCP and UDP) | Used for DNS connections. | NetScaler Gateway; XenMobile | DNS server
80 | NetScaler Gateway passes the VPN connection to the internal network resource through the second firewall. This situation typically occurs when users log on with the NetScaler Gateway Plug-in. | NetScaler Gateway | Intranet websites
80 or 8080; 443 | XML and Secure Ticket Authority (STA) port used for enumeration, ticketing, and authentication. Citrix recommends using port 443. | StoreFront and Web Interface (XML traffic); NetScaler Gateway (STA) | XenDesktop or XenApp
123 (TCP and UDP) | Used for Network Time Protocol (NTP) services. | NetScaler Gateway; XenMobile | NTP server
161 (UDP) | Used for SNMP polling of XenMobile. | SNMP manager | XenMobile
162 | Used for sending SNMP trap alerts from XenMobile to the SNMP manager. | XenMobile | SNMP manager
389 | Used for insecure (cleartext) LDAP connections. Prefer port 636 (LDAPS) and leave 389 closed where your directory supports it. | NetScaler Gateway; XenMobile | LDAP authentication server or Microsoft Active Directory
443 | Used for connections to StoreFront from Citrix Receiver or Receiver for Web to XenApp and XenDesktop. | Internet | NetScaler Gateway
443 | Used for connections to XenMobile for web, mobile, and SaaS app delivery. | Internet | NetScaler Gateway
443 | Used for general device communication to XenMobile Server. | XenMobile | XenMobile
443 | Used for connections from mobile devices to XenMobile for enrollment. | Internet | XenMobile
443 | Used for connections from XenMobile to Citrix Gateway connector for Exchange ActiveSync. | XenMobile | Citrix Gateway connector for Exchange ActiveSync
443 | Used for connections from Citrix Gateway connector for Exchange ActiveSync to XenMobile. | Citrix Gateway connector for Exchange ActiveSync | XenMobile
443 | Used for the callback URL in deployments without certificate authentication. | XenMobile | NetScaler Gateway
514 | Used for connections between XenMobile and a syslog server. | XenMobile | Syslog server
636 | Used for secure LDAP (LDAPS) connections. | NetScaler Gateway; XenMobile | LDAP authentication server or Active Directory
1494 | Used for ICA connections to Windows-based applications in the internal network. Citrix recommends keeping this port open. | NetScaler Gateway | XenApp or XenDesktop
1812 | Used for RADIUS connections. | NetScaler Gateway | RADIUS authentication server
2598 | Used for connections to Windows-based applications in the internal network using session reliability. Citrix recommends keeping this port open. | NetScaler Gateway | XenApp or XenDesktop
3268 | Used for Microsoft Global Catalog insecure (cleartext) LDAP connections. Prefer port 3269. | NetScaler Gateway; XenMobile | LDAP authentication server or Active Directory
3269 | Used for Microsoft Global Catalog secure LDAP connections. | NetScaler Gateway; XenMobile | LDAP authentication server or Active Directory
4443 | Used for administrator access to the XenMobile console through a browser. Also used for downloading logs and support bundles for all XenMobile cluster nodes from one node. | Access point (browser); XenMobile | XenMobile
7279 | Default port used for checking Citrix licenses in and out. | XenMobile | Citrix vendor daemon
8443 | Used for enrollment, the XenMobile Store, and mobile app management (MAM). | XenMobile; NetScaler Gateway; devices; Internet | XenMobile
9080 | Used for HTTP traffic between NetScaler and the Citrix Gateway connector for Exchange ActiveSync. | NetScaler | Citrix Gateway connector for Exchange ActiveSync
9443 | Used for HTTPS traffic between NetScaler and the Citrix Gateway connector for Exchange ActiveSync. | NetScaler | Citrix Gateway connector for Exchange ActiveSync
27000 | Default port used for accessing the external Citrix License Server. | XenMobile | Citrix License Server
30001 | Management API used for the initial staging of the HTTPS service. Open it from the internal LAN only. | Internal LAN | XenMobile Server
45000; 80 | Used for communication between two XenMobile VMs deployed in a cluster. Port 80 is used for internode communication and for SSL offload. | XenMobile | XenMobile

Open XenMobile ports to manage devices

Open the following ports to allow XenMobile to communicate in your network.

Port (TCP unless noted) | Description | Source | Destination
25 | Default SMTP port for the XenMobile notification service. If your SMTP server uses a different port, ensure that your firewall does not block that port. | XenMobile | SMTP server
80 and 443 | Enterprise App Store connection to the Apple iTunes App Store, Google Play (must use 80), or the Windows Phone Store. Used for the Apple Volume Purchase Program, and for publishing apps from the app stores through Citrix Mobile Self-Serve on iOS, Secure Hub for Android, or Secure Hub for Windows Phone. | XenMobile | Apple: ax.itunes.apple.com, *.mzstatic.com, vpp.itunes.apple.com; Microsoft: login.live.com, *.notify.windows.com; Google: play.google.com, android.clients.google.com, android.l.google.com
80 or 443 | Used for outbound connections between XenMobile and the Nexmo SMS Notification Relay. | XenMobile | Nexmo SMS Relay Server
389 | Used for insecure (cleartext) LDAP connections. | XenMobile | LDAP authentication server or Active Directory
443 | Used for enrollment and agent setup for Android and Windows Mobile devices. | Internet | XenMobile
443 | Used for enrollment and agent setup for Android and Windows devices, the XenMobile web console, and the MDM Remote Support Client. | Internet; LAN and Wi-Fi | XenMobile
1433 | Used by default for connections to a remote database server (optional). | XenMobile | SQL Server
2195 | Used for Apple Push Notification service (APNs) outbound connections to gateway.push.apple.com for iOS device notifications and device policy push. | XenMobile | Internet (APNs hosts in the public IP range 17.0.0.0/8)
2196 | Used for APNs outbound connections to feedback.push.apple.com for iOS device notifications and device policy push. | XenMobile | Internet (APNs hosts in the public IP range 17.0.0.0/8)
5223 | Used for APNs outbound connections from iOS devices on Wi-Fi networks to *.push.apple.com. | iOS devices on Wi-Fi networks | Internet (APNs hosts in the public IP range 17.0.0.0/8)
8081 | Used for app tunnels from the optional MDM Remote Support Client. Defaults to 8081. | Remote Support Client | XenMobile
8443 | Used for enrollment of iOS and Windows Phone devices. | Internet; LAN and Wi-Fi | XenMobile

Note:

Ports 2195 and 2196 belong to Apple's legacy binary APNs protocol, which Apple retired in March 2021. The APNs HTTP/2 API uses port 443 (or 2197) to the same 17.0.0.0/8 hosts. Check the release notes for your XenMobile version to confirm which protocol it uses before relying on these rows.
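
The following is an added example, not code from Citrix or from this page: a reachability check that turns a subset of the rows above into a rule list and probes each one from the node named in its Source column. Hostnames such as ldap.example.internal are assumptions; replace them with your own. TCP rows are tested with a real connect; UDP rows (53, 123) cannot be verified with a connect and are reported as unverified rather than silently passed. The report also flags the cleartext LDAP ports (389, 3268) when their LDAPS counterparts are reachable, since the tables above list both.

```python
"""Reachability check for the XenMobile/NetScaler port tables (added example)."""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class PortRule:
    port: int
    proto: str          # "tcp" or "udp"
    destination: str    # host from the Destination column
    description: str
    required: bool = True


# Subset of the rows above with hypothetical internal hostnames (assumption:
# adjust to your environment). Run it from the Source column's host, i.e. the
# XenMobile node or the NetScaler, so the probe crosses the same firewalls.
RULES: List[PortRule] = [
    PortRule(636, "tcp", "ldap.example.internal", "secure LDAP to Active Directory"),
    PortRule(389, "tcp", "ldap.example.internal", "insecure LDAP to Active Directory", required=False),
    PortRule(3269, "tcp", "ldap.example.internal", "Global Catalog over LDAPS"),
    PortRule(443, "tcp", "netscaler.example.internal", "callback URL on NetScaler Gateway"),
    PortRule(1433, "tcp", "sql.example.internal", "remote SQL Server database", required=False),
    PortRule(27000, "tcp", "license.example.internal", "Citrix License Server"),
    PortRule(7279, "tcp", "license.example.internal", "Citrix vendor daemon"),
    PortRule(123, "udp", "ntp.example.internal", "NTP"),
    PortRule(53, "udp", "dns.example.internal", "DNS"),
]

# Cleartext LDAP port -> its TLS equivalent from the same tables.
INSECURE_ALTERNATIVES = {389: 636, 3268: 3269}

Probe = Callable[[str, int], bool]
Key = Tuple[str, int, str]


def tcp_connect_ok(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_rules(rules: Sequence[PortRule], probe: Probe = tcp_connect_ok) -> Dict[Key, Optional[bool]]:
    """Probe every TCP rule. UDP rules get None: a connect() says nothing about UDP."""
    results: Dict[Key, Optional[bool]] = {}
    for r in rules:
        key = (r.destination, r.port, r.proto)
        results[key] = probe(r.destination, r.port) if r.proto == "tcp" else None
    return results


def report(rules: Sequence[PortRule], results: Dict[Key, Optional[bool]]) -> List[str]:
    """Findings: blocked required ports, unverifiable UDP rows, and cleartext
    LDAP ports left open although the LDAPS port to the same host works."""
    findings: List[str] = []
    reachable = {k for k, v in results.items() if v}
    for r in rules:
        v = results[(r.destination, r.port, r.proto)]
        secure = INSECURE_ALTERNATIVES.get(r.port)
        if v is None:
            findings.append(f"UNVERIFIED {r.destination}:{r.port}/udp ({r.description}); "
                            "test with a UDP-aware tool")
        elif not v and r.required:
            findings.append(f"BLOCKED    {r.destination}:{r.port}/tcp ({r.description})")
        elif v and secure is not None and (r.destination, secure, "tcp") in reachable:
            findings.append(f"REVIEW     {r.destination}:{r.port}/tcp is open although "
                            f"{secure} works; close the cleartext LDAP port")
    return findings


if __name__ == "__main__":
    res = check_rules(RULES)
    for line in report(RULES, res) or ["all required TCP ports reachable"]:
        print(line)
```

Optional rows (required=False) that fail are not reported as blocked, so the list stays actionable; anything the firewall team must fix shows up as BLOCKED, anything it must justify as REVIEW.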

Port requirement for Auto Discovery Service connectivity

This port configuration ensures that Android devices running Secure Hub for Android can reach the Citrix Auto Discovery Service (ADS) from within the internal network. Access to the ADS matters because security updates made available through the ADS are downloaded over this connection.

Note:

ADS connections might not work through your proxy server. In that case, allow the ADS connection to bypass the proxy server.

If you want to enable certificate pinning, complete the following prerequisites:

  • Collect XenMobile Server and NetScaler certificates. The certificates must be in PEM format and must be a public certificate and not the private key.
  • Contact Citrix Support and place a request to enable certificate pinning. During this process, you are asked for your certificates.

Certificate pinning requires that devices connect to the ADS before the device enrolls. This requirement ensures that the latest security information is available to Secure Hub for the environment in which the device is enrolling. Because Secure Hub cannot enroll a device that cannot reach the ADS, opening ADS access from within the internal network is critical to enabling devices to enroll.
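
The first prerequisite above is easy to get wrong: an exported .pem file from a NetScaler or XenMobile node may carry the private key alongside the certificate. The following is an added example, not Citrix code, that checks a PEM bundle before it is sent to Citrix Support: it rejects any PRIVATE KEY block, accepts only CERTIFICATE blocks, and computes the SHA-256 SubjectPublicKeyInfo pin of each certificate using a minimal DER walk of the RFC 5280 field order. The sample certificate it builds is a constructed, unsigned skeleton (an assumption for the demonstration), not a real Citrix certificate; run validate_pin_bundle on your own exported file.

```python
"""Sanity check for a certificate-pinning PEM bundle (added example, not Citrix code)."""
import base64
import hashlib
import re
from typing import List, Tuple

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, DER bytes) for every PEM block in text."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in _PEM_BLOCK.finditer(text)]


def _tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                                   # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def spki_der(cert_der: bytes) -> bytes:
    """Extract subjectPublicKeyInfo (tag, length and value) from an X.509 certificate."""
    tag, start, _ = _tlv(cert_der, 0)                  # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, tbs_end = _tlv(cert_der, start)          # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                                    # optional explicit [0] version
        pos = end
    for _ in range(5):                                 # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    tag, _, end = _tlv(cert_der, pos)                  # subjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30 or end > tbs_end:
        raise ValueError("malformed tbsCertificate")
    return cert_der[pos:end]


def pin_for_spki(spki: bytes) -> str:
    """Base64(SHA-256(SPKI DER)), the usual public-key pin encoding."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()


def validate_pin_bundle(text: str) -> Tuple[List[str], List[str]]:
    """Return (SPKI pins, problems). Send the bundle only when problems is empty."""
    pins: List[str] = []
    problems: List[str] = []
    blocks = pem_blocks(text)
    if not blocks:
        problems.append("no PEM blocks found; export the certificate as Base64-encoded X.509")
    for i, (label, der) in enumerate(blocks, 1):
        if "PRIVATE KEY" in label:
            problems.append(f"block {i} is a {label}; send only the public certificate")
        elif label != "CERTIFICATE":
            problems.append(f"block {i} has unexpected type {label}")
        else:
            try:
                pins.append(pin_for_spki(spki_der(der)))
            except (ValueError, IndexError) as exc:
                problems.append(f"block {i} is not a parseable X.509 certificate: {exc}")
    return pins, problems


def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short- or long-form length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def build_sample_cert() -> Tuple[str, bytes]:
    """Constructed, unsigned certificate skeleton in RFC 5280 field order.
    Returns (PEM text, the SPKI DER it contains). Not a real certificate."""
    rsa_oid = _der(0x06, bytes.fromhex("2a864886f70d010101"))                        # rsaEncryption
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    fake_key = _der(0x30, _der(0x02, b"\x00" + b"\xAB" * 128) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, rsa_oid + _der(0x05, b"")) + _der(0x03, b"\x00" + fake_key))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))                                 # version v3
                     + _der(0x02, b"\x01")                                           # serialNumber
                     + sha256_rsa                                                    # signature
                     + _der(0x30, b"")                                               # issuer (empty Name)
                     + _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"300101000000Z"))
                     + _der(0x30, b"")                                               # subject (empty Name)
                     + spki)
    cert = _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 17))                   # dummy signature
    b64 = base64.b64encode(cert).decode()
    pem = ("-----BEGIN CERTIFICATE-----\n"
           + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
           + "\n-----END CERTIFICATE-----\n")
    return pem, spki
```

A bundle that includes a key is the failure mode to catch here: the request to Citrix Support needs only the public certificate, and the private key should never leave the appliance.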

To allow access to the ADS for Secure Hub for Android, open port 443 for the following FQDN and IP addresses:

FQDN | IP address | Port | IP and port usage
ads.xm.cloud.com | 34.194.83.188 | 443 | Secure Hub - ADS communication
ads.xm.cloud.com | 34.193.202.23 | 443 | Secure Hub - ADS communication

Note:

For Secure Hub versions before 10.6.15, the FQDN is discovery.mdm.zenprise.com. Open port 443 for IP addresses 52.5.138.94 and 52.1.30.122.