Port requirements
To enable devices and apps to communicate with XenMobile, you open specific ports in your firewalls. The following tables list the ports that must be open.
Open ports for Citrix Gateway and XenMobile to manage apps
Open the following ports to allow user connections from Citrix Secure Hub, Citrix Receiver, and the Citrix Gateway plug-in through Citrix Gateway to the following components:
- XenMobile
- StoreFront
- Citrix Virtual Apps and Desktops
- Citrix Gateway connector for Exchange ActiveSync
- Other internal network resources, such as intranet websites
To enable traffic to Launch Darkly from Citrix ADC, you can use the IP addresses noted in this Support Knowledge Center article.
For more information about Citrix Gateway, see the Citrix Gateway documentation. That documentation includes information about Citrix ADC IP (NSIP) virtual server IP (VIP) and subnet IP (SNIP) addresses.
| TCP port | Description | Source | Destination |
|---|---|---|---|
| 21 or 22 | Used to send support bundles to an FTP or SCP server. | XenMobile | FTP or SCP server |
| 53 (TCP and UDP) | Used for DNS connections. | Citrix Gateway, XenMobile | DNS Server |
| 80 | Citrix Gateway passes the VPN connection to the internal network resource through the second firewall. This situation typically occurs if users log on with the Citrix Gateway plug-in. | Citrix Gateway | Intranet websites |
| 80 or 8080; 443 | XML and Secure Ticket Authority (STA) port used for enumeration, ticketing, and authentication. Citrix recommends using port 443. | StoreFront and Web Interface XML network traffic; Citrix Gateway STA | Virtual Apps or Desktops |
| 123 (TCP and UDP) | Used for Network Time Protocol (NTP) services. | Citrix Gateway; XenMobile | NTP server |
| 389 | Used for insecure LDAP connections | Citrix Gateway; XenMobile | LDAP authentication server or Microsoft Active Directory |
| 443 | Used for connections to StoreFront from Citrix Receiver or Receiver for Web to Virtual Apps and Desktops. | Internet | Citrix Gateway |
| 443 | Used for connections to XenMobile for web, mobile, and SaaS app delivery. | Internet | Citrix Gateway |
| 443 | Used for general device communication to XenMobile Server. | XenMobile | XenMobile |
| 443 | Used for connections from mobile devices to XenMobile for enrollment. | Internet | XenMobile |
| 443 | Used for connections from XenMobile to Citrix Gateway connector for Exchange ActiveSync. | XenMobile | Citrix Gateway connector for Exchange ActiveSync |
| 443 | Used for connections from Citrix Gateway connector for Exchange ActiveSync to XenMobile. | Citrix Gateway connector for Exchange ActiveSync | XenMobile |
| 443 | Used for Callback URL in deployments without certificate authentication. | XenMobile | Citrix Gateway |
| 514 | Used for connections between XenMobile and a syslog server. | XenMobile | Syslog server |
| 636 | Used for secure LDAP connections. | Citrix Gateway; XenMobile | LDAP authentication server or Active Directory |
| 1494 | Used for ICA connections to Windows-based applications in the internal network. Citrix recommends keeping this port open. | Citrix Gateway | Virtual Apps or Desktops |
| 1812 | Used for RADIUS connections. | Citrix Gateway | RADIUS authentication server |
| 2598 | Used for connections to Windows-based applications in the internal network using session reliability. Citrix recommends keeping this port open. | Citrix Gateway | Virtual Apps or Desktops |
| 3268 | Used for Microsoft Global Catalog insecure LDAP connections. | Citrix Gateway; XenMobile | LDAP authentication server or Active Directory |
| 3269 | Used for Microsoft Global Catalog secure LDAP connections. | Citrix Gateway; XenMobile | LDAP authentication server or Active Directory |
| 9080 | Used for HTTP traffic between Citrix ADC and the Citrix Gateway connector for Exchange ActiveSync. | Citrix ADC | Citrix Gateway connector for Exchange ActiveSync |
| 30001 | Management API for initial staging of HTTPS service | Internal LAN | XenMobile Server |
| 9443 | Used for HTTPS traffic between the Citrix ADC and the Citrix Gateway connector for Exchange ActiveSync. | Citrix ADC | Citrix Gateway connector for Exchange ActiveSync |
| 45000; 80 | Used for communication between two XenMobile VMs when deployed in a cluster. Port 80 is for internode communication and for SSL offload. | XenMobile | XenMobile |
| 8443 | Used for enrollment, XenMobile Store, and mobile app management (MAM). | XenMobile; Citrix Gateway; Devices; Internet | XenMobile |
| 4443 | Used for accessing the XenMobile console by an administrator through the browser. Also used for downloading logs and support bundles for all XenMobile cluster nodes from one node. | Access point (browser); XenMobile | XenMobile |
| 27000 | The default port used for accessing the external Citrix License Server. | XenMobile | Citrix License Server |
| 7279 | The default port used for checking Citrix licenses in and out. | XenMobile | Citrix Vendor Daemon |
| 161 | Used for SNMP traffic using the UDP protocol. | SNMP Manager | XenMobile |
| 162 | Used for sending SNMP trap alerts to the SNMP manager from XenMobile. The source is XenMobile and the destination is the SNMP Manager. | XenMobile | SNMP Manager |
Open XenMobile ports to manage devices
Open the following ports to allow XenMobile to communicate in your network.
| TCP port | Description | Source | Destination |
|---|---|---|---|
| 25 | Default SMTP port for the XenMobile notification service. If your SMTP server uses a different port, make sure that your firewall does not block that port. | XenMobile | SMTP server |
| 80 and 443 | Enterprise App Store connection to Apple iTunes App Store or Google Play (must use 80). Used for Apple volume purchase. Used for publishing apps from the app stores from iOS or Secure Hub for Android. | XenMobile |
ax.apps.apple.com and *.mzstatic.com; vpp.itunes.apple.com; login.live.com; *.notify.windows.com; play.google.com, android.clients.google.com, android.l.google.com
|
| 80 or 443 | Used for outbound connections between XenMobile and Nexmo SMS Notification Relay. | XenMobile | Nexmo SMS Relay Server |
| 389 | Used for insecure LDAP connections. | XenMobile | LDAP authentication server or Active Directory |
| 443 | Used for enrollment and agent setup for Android. | Internet | XenMobile |
| 443 | Used for enrollment and agent setup for Android and Windows devices and the MDM Remote Support Client. | Internet LAN and Wi-Fi | XenMobile |
| 1433 | Used by default for connections to a remote database server (optional). | XenMobile | SQL Server |
| 443 or 2197 | Used to send APNs notifications to *.push.apple.com
|
XenMobile | Internet (APNs hosts using the public IP address 17.0.0.0/8 |
| 5223 | Used for APNs outbound connections from iOS devices to *.push.apple.com. |
iOS devices | Internet (APNs hosts using the public IP address 17.0.0.0/8) |
| 8081 | Used for app tunnels from the optional MDM Remote Support Client. Defaults to 8081. | Remote Support Client | XenMobile |
| 8443 | Used for enrollment of iOS devices. | Internet; LAN and Wi-Fi | XenMobile |
Port requirement for AutoDiscovery service connectivity
This port configuration makes sure that Android devices connecting from Secure Hub for Android can access the Citrix AutoDiscovery Service (ADS) from within the internal network. You need access to the ADS to download security updates made available through the ADS.
Note:
ADS connections might not support your proxy server. In this scenario, allow the ADS connection to bypass the proxy server.
If you want to enable certificate pinning, do the following prerequisites:
- Collect XenMobile Server and Citrix ADC certificates. The certificates must be in PEM format and must be a public certificate and not the private key.
- Contact Citrix Support and place a request to enable certificate pinning. During this process, you are asked for your certificates.
Certificate pinning requires that devices connect to ADS before the device enrolls. This requirement makes sure that the latest security information is available to Secure Hub. For Secure Hub to enroll a device, the device must reach the ADS. So, opening up ADS access within the internal network is critical to enabling devices to enroll.
To allow access to the ADS for Secure Hub for Android or iOS, open port 443 for the following FQDN:
| FQDN | Port | IP and port usage |
|---|---|---|
discovery.cem.cloud.us |
443 | Secure Hub - ADS Communication via CloudFront |
For information on supported IP addresses, see Cloud-based storage centers from AWS.
Android Enterprise network requirements
For information about the outbound connections to consider when setting up network environments for Android Enterprise, see the Google support article, Android Enterprise Network Requirements.
Port requirements for XenMobile
The following destination hosts must be reachable from the network to create a Managed Google Play Enterprise and to access the Managed Google Play iFrame. Google made the Managed Play iFrame available to EMM developers to simplify search and approval of apps. To use the Managed Play iFrame, the browser from which you access the XenMobile console must have access to Google Play.
| Destination host | Port | Description |
|---|---|---|
play.google.com |
TCP/443 | Used for Google Play store, Play Enterprise sign-up |
*.googleapis.com |
TCP/443 | Used for Google Mobile Management, Google APIs, Google Play store APIs, FCM |
accounts.youtube.com, accounts.google.com
|
TCP/443 | Used for the account authentication |
apis.google.com |
TCP/443 | Used for Google web services |
ogs.google.com |
TCP/443 | Used for iFrame UI elements |
notifications.google.com |
TCP/443 | Used for desktop and mobile notifications |
fonts.googleapis.com, *.gstatic.com, *.googleusercontent.com
|
TCP/443 | Used for Google Fonts user generated content. For example, the app icons in the store |
cri.pki.goog, ocsp.pki.goog
|
TCP/443 | Used for the certificate validation |