To enable devices and apps to communicate with XenMobile, you open specific ports in your firewalls. The following tables list the ports that must be open.
Open ports for NetScaler Gateway and XenMobile to manage apps
Open the following ports to allow user connections from Citrix Secure Hub, Citrix Receiver, and the NetScaler Gateway plug-in through NetScaler Gateway to the following components:
- Citrix Virtual Apps and Desktops
- Citrix Gateway connector for Exchange ActiveSync
- Other internal network resources, such as intranet websites
To enable traffic from NetScaler to LaunchDarkly, use the IP addresses noted in this Support Knowledge Center article.
For more information about NetScaler Gateway, see the NetScaler Gateway documentation. That documentation includes information about the NetScaler IP (NSIP), virtual server IP (VIP), and subnet IP (SNIP) addresses.
| Port | Description | Source | Destination |
| --- | --- | --- | --- |
| 21 or 22 | Used to send support bundles to an FTP or SCP server. | XenMobile | FTP or SCP server |
| 53 (TCP and UDP) | Used for DNS connections. | NetScaler Gateway; XenMobile | DNS server |
| 80 | NetScaler Gateway passes the VPN connection to the internal network resource through the second firewall. This situation typically occurs if users log on with the NetScaler Gateway plug-in. | NetScaler Gateway | Intranet websites |
| 80 or 8080; 443 | XML and Secure Ticket Authority (STA) port used for enumeration, ticketing, and authentication. Citrix recommends using port 443. | StoreFront and Web Interface XML network traffic; NetScaler Gateway STA | Virtual Apps or Desktops |
| 123 (TCP and UDP) | Used for Network Time Protocol (NTP) services. | NetScaler Gateway; XenMobile | NTP server |
| 389 | Used for insecure LDAP connections. | NetScaler Gateway; XenMobile | LDAP authentication server or Microsoft Active Directory |
| 443 | Used for connections to StoreFront from Citrix Receiver or Receiver for Web to Virtual Apps and Desktops. | Internet | NetScaler Gateway |
| 443 | Used for connections to XenMobile for web, mobile, and SaaS app delivery. | Internet | NetScaler Gateway |
| 443 | Used for general device communication to XenMobile Server. | XenMobile | XenMobile |
| 443 | Used for connections from mobile devices to XenMobile for enrollment. | Internet | XenMobile |
| 443 | Used for connections from XenMobile to Citrix Gateway connector for Exchange ActiveSync. | XenMobile | Citrix Gateway connector for Exchange ActiveSync |
| 443 | Used for connections from Citrix Gateway connector for Exchange ActiveSync to XenMobile. | Citrix Gateway connector for Exchange ActiveSync | XenMobile |
| 443 | Used for the Callback URL in deployments without certificate authentication. | XenMobile | NetScaler Gateway |
| 514 | Used for connections between XenMobile and a syslog server. | XenMobile | Syslog server |
| 636 | Used for secure LDAP connections. | NetScaler Gateway; XenMobile | LDAP authentication server or Active Directory |
| 1494 | Used for ICA connections to Windows-based applications in the internal network. Citrix recommends keeping this port open. | NetScaler Gateway | Virtual Apps or Desktops |
| 1812 | Used for RADIUS connections. | NetScaler Gateway | RADIUS authentication server |
| 2598 | Used for connections to Windows-based applications in the internal network using session reliability. Citrix recommends keeping this port open. | NetScaler Gateway | Virtual Apps or Desktops |
| 3268 | Used for Microsoft Global Catalog insecure LDAP connections. | NetScaler Gateway; XenMobile | LDAP authentication server or Active Directory |
| 3269 | Used for Microsoft Global Catalog secure LDAP connections. | NetScaler Gateway; XenMobile | LDAP authentication server or Active Directory |
| 9080 | Used for HTTP traffic between NetScaler and the Citrix Gateway connector for Exchange ActiveSync. | NetScaler | Citrix Gateway connector for Exchange ActiveSync |
| 30001 | Management API for initial staging of the HTTPS service. | Internal LAN | XenMobile Server |
| 9443 | Used for HTTPS traffic between NetScaler and the Citrix Gateway connector for Exchange ActiveSync. | NetScaler | Citrix Gateway connector for Exchange ActiveSync |
| 45000; 80 | Used for communication between two XenMobile VMs when deployed in a cluster. Port 80 is for internode communication and for SSL offload. | XenMobile | XenMobile |
| 8443 | Used for enrollment, XenMobile Store, and mobile app management (MAM). | XenMobile; NetScaler Gateway; Devices; Internet | XenMobile |
| 4443 | Used for administrator access to the XenMobile console through a browser. Also used for downloading logs and support bundles for all XenMobile cluster nodes from one node. | Access point (browser); XenMobile | XenMobile |
| 27000 | Default port used for accessing the external Citrix License Server. | XenMobile | Citrix License Server |
| 7279 | Default port used for checking Citrix licenses in and out. | XenMobile | Citrix Vendor Daemon |
| 161 (UDP) | Used for SNMP traffic over UDP. | SNMP Manager | XenMobile |
| 162 (UDP) | Used for sending SNMP trap alerts from XenMobile to the SNMP Manager. | XenMobile | SNMP Manager |
Open XenMobile ports to manage devices
Open the following ports to allow XenMobile to communicate in your network.
| Port | Description | Source | Destination |
| --- | --- | --- | --- |
| 25 | Default SMTP port for the XenMobile notification service. If your SMTP server uses a different port, ensure that your firewall does not block that port. | XenMobile | SMTP server |
| 80 and 443 | Enterprise App Store connection to the Apple iTunes App Store, Google Play (must use 80), or Windows Phone Store. Used for the Apple Volume Purchase Program and for publishing apps from the app stores through Citrix Mobile Self-Serve on iOS, Secure Hub for Android, or Secure Hub for Windows Phone. | XenMobile | Apple iTunes App Store; Google Play; Windows Phone Store |
| 80 or 443 | Used for outbound connections between XenMobile and the Nexmo SMS Notification Relay. | XenMobile | Nexmo SMS Relay Server |
| 389 | Used for insecure LDAP connections. | XenMobile | LDAP authentication server or Active Directory |
| 443 | Used for enrollment and agent setup for Android and Windows Mobile. | Internet | XenMobile |
| 443 | Used for enrollment and agent setup for Android and Windows devices, the XenMobile web console, and the MDM Remote Support Client. | Internal LAN and Wi-Fi | XenMobile |
| 1433 | Used by default for connections to a remote database server (optional). | XenMobile | SQL Server |
| 2195 | Used for Apple Push Notification service (APNs) outbound connections. | XenMobile | Internet (APNs hosts using the public IP address 126.96.36.199/8) |
| 2196 | Used for APNs outbound connections. | XenMobile | Internet (APNs hosts) |
| 5223 | Used for APNs outbound connections from iOS devices on Wi-Fi networks. | iOS devices on Wi-Fi networks | Internet (APNs hosts using the public IP address 188.8.131.52/8) |
| 8081 | Used for app tunnels from the optional MDM Remote Support Client. | Remote Support Client | XenMobile |
| 8443 | Used for enrollment of iOS and Windows Phone devices. | Internet; LAN and Wi-Fi | XenMobile |
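A preflight probe for the two port tables above, added here as an example and not part of Citrix's documentation. It parses rows written in the tables' own `|port||description||source||destination|` shape, expands fields such as `80 or 8080; 443` and `53 (TCP and UDP)` into (port, protocol) pairs, and attempts a TCP handshake to every TCP destination so that a firewall rule that was never opened shows up before the first enrollment fails. UDP rows (DNS, NTP, SNMP) are listed but not probed, because a connect() proves nothing about them. The `SAMPLE_TABLE` rows are copied from the tables above; the hostnames in `HOSTS` are placeholders you replace with your own.

```python
"""Preflight probe for XenMobile firewall port requirements (added example)."""
import re
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    port: int
    proto: str          # "tcp" or "udp"
    description: str
    source: str
    destination: str


# One table row in this article's form: |ports||description||source||destination|
_ROW = re.compile(r"^\|([^|]*)\|\|([^|]*)\|\|([^|]*)\|\|([^|]*)\|$")
# Words marking UDP traffic. SNMP (161/162) is UDP even where a row omits it.
_UDP_HINTS = ("udp", "snmp")


def _protocols(ports_field: str, description: str) -> tuple[str, ...]:
    text = f"{ports_field} {description}".lower()
    udp = any(hint in text for hint in _UDP_HINTS)
    tcp = "tcp" in text or not udp      # rows that name no protocol are TCP
    return tuple(p for p, on in (("tcp", tcp), ("udp", udp)) if on)


def parse_rows(table: str) -> list[PortRule]:
    """Expand every table row into one PortRule per (port, protocol)."""
    rules: list[PortRule] = []
    for line in table.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue                    # headings and prose are skipped
        ports_field, desc, src, dst = (f.strip() for f in m.groups())
        for port in re.findall(r"\d+", ports_field):   # "80 or 8080; 443"
            for proto in _protocols(ports_field, desc):
                rules.append(PortRule(int(port), proto, desc, src, dst))
    return rules


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True only if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                     # refused, timed out, or unresolvable
        return False


def preflight(rules, hosts, timeout=3.0):
    """Probe every TCP rule whose destination label is mapped in `hosts`.

    Returns {(destination, port, proto): True | False | None}. UDP rules and
    unmapped destinations are None: a connect() probe proves nothing there.
    """
    results = {}
    for r in rules:
        key = (r.destination, r.port, r.proto)
        if r.proto != "tcp" or r.destination not in hosts:
            results[key] = None
        else:
            results[key] = tcp_reachable(hosts[r.destination], r.port, timeout)
    return results


def open_listener() -> socket.socket:
    """Bind a loopback listener on an ephemeral port (used to self-test)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


# Rows copied from the tables above; the HOSTS values are placeholder names.
SAMPLE_TABLE = """
|53 (TCP and UDP)||Used for DNS connections.||NetScaler Gateway; XenMobile||DNS Server|
|80 or 8080; 443||XML and Secure Ticket Authority (STA) port.||NetScaler Gateway STA||Virtual Apps or Desktops|
|161||Used for SNMP traffic using UDP protocol.||SNMP Manager||XenMobile|
|1433||Used by default for connections to a remote database server (optional).||XenMobile||SQL Server|
"""
HOSTS = {"DNS Server": "dns.corp.example", "SQL Server": "sql.corp.example"}

if __name__ == "__main__":
    for (dst, port, proto), ok in preflight(parse_rows(SAMPLE_TABLE), HOSTS).items():
        state = {True: "open", False: "BLOCKED", None: "not probed"}[ok]
        print(f"{dst:<28} {proto}/{port:<6} {state}")
```

Run it from the host that will originate the traffic (the XenMobile node for the XenMobile rows, the NetScaler for the NetScaler rows), because a rule is only meaningful for the source it was written for. A `False` against a destination you believe is reachable is the point of the exercise: it distinguishes a firewall that silently drops from a service that is merely not yet configured.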
Port requirement for autodiscovery service connectivity
This port configuration ensures that Android devices connecting from Secure Hub for Android can access the Citrix Autodiscovery Service (ADS) from within the internal network. The ability to access the ADS is important when downloading any security updates made available through the ADS.
ADS connections might not support your proxy server. In this scenario, allow the ADS connection to bypass the proxy server.
If you want to enable certificate pinning, complete the following prerequisites:
- Collect the XenMobile Server and NetScaler certificates. Supply the public certificates in PEM format, never the private keys.
- Contact Citrix Support and place a request to enable certificate pinning. During this process, you are asked for your certificates.
Certificate pinning requires that devices connect to ADS before the device enrolls. This requirement ensures that the latest security information is available to Secure Hub for the environment in which the device is enrolling. For Secure Hub to enroll a device, the device must reach the ADS. Therefore, opening up ADS access within the internal network is critical to enabling devices to enroll.
To allow access to the ADS for Secure Hub for Android, open port 443 for the following FQDN and IP addresses:
| FQDN | IP address | Port | IP and port usage |
| --- | --- | --- | --- |
|  | 184.108.40.206 | 443 | Secure Hub - ADS Communication |
|  | 220.127.116.11 | 443 | Secure Hub - ADS Communication |
For Secure Hub versions before 10.6.15, the FQDN is discovery.mdm.zenprise.com. Open port 443 for IP addresses 18.104.22.168 and 22.214.171.124.
Android Enterprise network requirements
There are some outbound connections to be aware of when setting up network environments for Android Enterprise.
Port requirements for the devices
| Destination host | Ports | Purpose |
| --- | --- | --- |
| *.googleapis.com | TCP/443 | Used for Google Mobile Management, Google APIs, and Google Play store APIs |
| play.google.com, android.com, google-analytics.com, android.clients.google.com | TCP/443 | Used for Google Play and updates via android.clients.google.com: downloading apps and updates, and Google Play store APIs |
| cm.googleapis.com | TCP/443 | Used for Firebase Cloud Messaging |
| android.apis.google.com, cm.googleapis.com | TCP/5228, 5229, 5230 | Used for outgoing Firebase Cloud Messaging connections and Internet communication over device Wi-Fi |
| connectivitycheck.android.com, www.google.com | TCP/443 | Used for the connectivity check before CloudDPC v470. Android connectivity check starting with N MR1 requires |
Port requirements for XenMobile
If the EMM console is located on-premises, the following destination hosts must be reachable from its network to create a Managed Google Play enterprise and to load the Managed Google Play iFrame. Google makes the Managed Play iFrame available to EMM developers to simplify searching for and approving apps.
| Destination host | Ports | Purpose |
| --- | --- | --- |
| play.google.com | TCP/443 | Used for the Google Play store and Play Enterprise sign-up |
| accounts.youtube.com, accounts.google.com | TCP/443 | Used for account authentication |
| apis.google.com | TCP/443 | Used for GCM and other Google web services |
| ogs.google.com | TCP/443 | Used for iFrame UI elements |
| notifications.google.com | TCP/443 | Used for desktop and mobile notifications |
| fonts.googleapis.com, *.gstatic.com, *.googleusercontent.com | TCP/443 | Used for Google Fonts and user-generated content, for example the app icons in the store |
| crl.pki.goog, ocsp.pki.goog | TCP/443 | Used for certificate validation (CRL and OCSP) |
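An egress allow-list check for the two Android Enterprise host tables above (the device hosts and the XenMobile hosts), added here as an example and not Citrix or Google code. It turns rows written in the tables' own `|hosts||TCP/ports||purpose|` shape into an allow-list, matches destinations with the wildcard rule an egress proxy applies (a leading `*.` covers subdomains of the name, but not the bare apex and never a look-alike such as `evil-googleapis.com`), and audits proxy log lines for connections the list would not permit. The `DEVICE_TABLE` rows are copied from the device table above; the `SAMPLE_LOG` lines and their `CONNECT host:port` shape are constructed for the example, so adapt `_CONNECT` to your proxy's access-log format.

```python
"""Egress allow-list audit for Android Enterprise hosts (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class EgressRule:
    host: str           # exact FQDN or "*.example.com"
    port: int
    purpose: str


# One table row in this article's form: |hosts||TCP/ports||purpose|
_ROW = re.compile(r"^\|([^|]*)\|\|([^|]*)\|\|([^|]*)\|$")
# Constructed log shape: "<time> <client> CONNECT <host>:<port> <status>"
_CONNECT = re.compile(r"CONNECT\s+(?P<host>[^:\s]+):(?P<port>\d+)")


def parse_rows(table: str) -> list[EgressRule]:
    """One EgressRule per (host pattern, port); hosts may be comma or space separated."""
    rules: list[EgressRule] = []
    for line in table.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        hosts, ports, purpose = (f.strip() for f in m.groups())
        port_list = [int(p) for p in re.findall(r"\d+", ports)]   # "TCP/5228, 5229, 5230"
        for host in re.split(r"[,\s]+", hosts):
            for port in port_list:
                if host:
                    rules.append(EgressRule(host.lower(), port, purpose))
    return rules


def host_matches(pattern: str, host: str) -> bool:
    """'*.googleapis.com' matches any subdomain of googleapis.com and nothing else."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]            # ".googleapis.com", dot included
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def allowed(rules, host: str, port: int):
    """Return the rule permitting host:port, or None if the list blocks it."""
    return next((r for r in rules if r.port == port and host_matches(r.host, host)), None)


def audit(rules, log_lines):
    """(host, port) pairs seen in the log that the allow-list does not cover."""
    blocked = []
    for line in log_lines:
        m = _CONNECT.search(line)
        if m and allowed(rules, m["host"], int(m["port"])) is None:
            blocked.append((m["host"].lower(), int(m["port"])))
    return blocked


# Rows copied from the device table above.
DEVICE_TABLE = """
|*.googleapis.com||TCP/443||Used for Google Mobile Management, Google APIs, Google Play store APIs|
|play.google.com, android.com google-analytics.com, android.clients.google.com||TCP/443||Used for Google Play and updates|
|android.apis.google.com, cm.googleapis.com||TCP/5228, 5229, 5230||Used for Firebase Cloud Messaging outgoing|
"""

# Constructed proxy log lines for the audit; not real traffic.
SAMPLE_LOG = [
    "2024-01-10T09:00:01Z 10.20.0.15 CONNECT play.google.com:443 200",
    "2024-01-10T09:00:02Z 10.20.0.15 CONNECT cm.googleapis.com:5228 200",
    "2024-01-10T09:00:03Z 10.20.0.15 CONNECT googleapis.com:443 200",
    "2024-01-10T09:00:04Z 10.20.0.15 CONNECT evil-googleapis.com:443 200",
    "2024-01-10T09:00:05Z 10.20.0.15 CONNECT play.google.com:8443 200",
]

if __name__ == "__main__":
    for host, port in audit(parse_rows(DEVICE_TABLE), SAMPLE_LOG):
        print(f"not permitted by the allow-list: {host}:{port}")
```

The wildcard rule is the part worth checking against your proxy's own semantics before you copy a table into its configuration: a suffix match that forgets the leading dot would also permit `evil-googleapis.com`, and a match that does not require a label before the dot would permit the apex name the table never listed.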