XenMobile Server

Port requirements

To enable devices and apps to communicate with XenMobile, you open specific ports in your firewalls. The following tables list the ports that must be open.

Open ports for Citrix Gateway and XenMobile to manage apps

Open the following ports to allow user connections from Citrix Secure Hub, Citrix Receiver, and the Citrix Gateway plug-in through Citrix Gateway to the following components:

  • XenMobile
  • StoreFront
  • Citrix Virtual Apps and Desktops
  • Citrix Gateway connector for Exchange ActiveSync
  • Other internal network resources, such as intranet websites

To enable traffic to Launch Darkly from Citrix ADC, you can use the IP addresses noted in this Support Knowledge Center article.

For more information about Citrix Gateway, see the Citrix Gateway documentation. That documentation includes information about the Citrix ADC IP (NSIP), virtual server IP (VIP), and subnet IP (SNIP) addresses.

| TCP port | Description | Source | Destination |
|---|---|---|---|
| 21 or 22 | Used to send support bundles to an FTP or SCP server. | XenMobile | FTP or SCP server |
| 53 (TCP and UDP) | Used for DNS connections. | Citrix Gateway; XenMobile | DNS server |
| 80 | Citrix Gateway passes the VPN connection to the internal network resource through the second firewall. This situation typically occurs if users log on with the Citrix Gateway plug-in. | Citrix Gateway | Intranet websites |
| 80 or 8080; 443 | XML and Secure Ticket Authority (STA) port used for enumeration, ticketing, and authentication. Citrix recommends using port 443. | StoreFront and Web Interface XML network traffic; Citrix Gateway STA | Virtual Apps or Desktops |
| 123 (TCP and UDP) | Used for Network Time Protocol (NTP) services. | Citrix Gateway; XenMobile | NTP server |
| 389 | Used for insecure LDAP connections. | Citrix Gateway; XenMobile | LDAP authentication server or Microsoft Active Directory |
| 443 | Used for connections to StoreFront from Citrix Receiver or Receiver for Web to Virtual Apps and Desktops. | Internet | Citrix Gateway |
| 443 | Used for connections to XenMobile for web, mobile, and SaaS app delivery. | Internet | Citrix Gateway |
| 443 | Used for general device communication to XenMobile Server. | XenMobile | XenMobile |
| 443 | Used for connections from mobile devices to XenMobile for enrollment. | Internet | XenMobile |
| 443 | Used for connections from XenMobile to Citrix Gateway connector for Exchange ActiveSync. | XenMobile | Citrix Gateway connector for Exchange ActiveSync |
| 443 | Used for connections from Citrix Gateway connector for Exchange ActiveSync to XenMobile. | Citrix Gateway connector for Exchange ActiveSync | XenMobile |
| 443 | Used for the Callback URL in deployments without certificate authentication. | XenMobile | Citrix Gateway |
| 514 | Used for connections between XenMobile and a syslog server. | XenMobile | Syslog server |
| 636 | Used for secure LDAP connections. | Citrix Gateway; XenMobile | LDAP authentication server or Active Directory |
| 1494 | Used for ICA connections to Windows-based applications in the internal network. Citrix recommends keeping this port open. | Citrix Gateway | Virtual Apps or Desktops |
| 1812 | Used for RADIUS connections. | Citrix Gateway | RADIUS authentication server |
| 2598 | Used for connections to Windows-based applications in the internal network using session reliability. Citrix recommends keeping this port open. | Citrix Gateway | Virtual Apps or Desktops |
| 3268 | Used for Microsoft Global Catalog insecure LDAP connections. | Citrix Gateway; XenMobile | LDAP authentication server or Active Directory |
| 3269 | Used for Microsoft Global Catalog secure LDAP connections. | Citrix Gateway; XenMobile | LDAP authentication server or Active Directory |
| 9080 | Used for HTTP traffic between Citrix ADC and the Citrix Gateway connector for Exchange ActiveSync. | Citrix ADC | Citrix Gateway connector for Exchange ActiveSync |
| 30001 | Management API for initial staging of the HTTPS service. | Internal LAN | XenMobile Server |
| 9443 | Used for HTTPS traffic between Citrix ADC and the Citrix Gateway connector for Exchange ActiveSync. | Citrix ADC | Citrix Gateway connector for Exchange ActiveSync |
| 45000; 80 | Used for communication between two XenMobile VMs when deployed in a cluster. Port 80 is for internode communication and for SSL offload. | XenMobile | XenMobile |
| 8443 | Used for enrollment, XenMobile Store, and mobile app management (MAM). | XenMobile; Citrix Gateway; Devices; Internet | XenMobile |
| 4443 | Used for accessing the XenMobile console by an administrator through the browser. Also used for downloading logs and support bundles for all XenMobile cluster nodes from one node. | Access point (browser); XenMobile | XenMobile |
| 27000 | The default port used for accessing the external Citrix License Server. | XenMobile | Citrix License Server |
| 7279 | The default port used for checking Citrix licenses in and out. | XenMobile | Citrix Vendor Daemon |
| 161 | Used for SNMP traffic using the UDP protocol. | SNMP manager | XenMobile |
| 162 | Used for sending SNMP trap alerts from XenMobile to the SNMP manager. | XenMobile | SNMP manager |

Open XenMobile ports to manage devices

Open the following ports to allow XenMobile to communicate in your network.

| TCP port | Description | Source | Destination |
|---|---|---|---|
| 25 | Default SMTP port for the XenMobile notification service. If your SMTP server uses a different port, make sure that your firewall does not block that port. | XenMobile | SMTP server |
| 80 and 443 | Enterprise App Store connection to the Apple iTunes App Store or Google Play (must use 80). Used for Apple volume purchase. Used for publishing apps from the app stores from iOS or Secure Hub for Android. | XenMobile | ax.apps.apple.com and *.mzstatic.com; vpp.itunes.apple.com; login.live.com; *.notify.windows.com; play.google.com, android.clients.google.com, android.l.google.com |
| 80 or 443 | Used for outbound connections between XenMobile and the Nexmo SMS Notification Relay. | XenMobile | Nexmo SMS Relay Server |
| 389 | Used for insecure LDAP connections. | XenMobile | LDAP authentication server or Active Directory |
| 443 | Used for enrollment and agent setup for Android. | Internet | XenMobile |
| 443 | Used for enrollment and agent setup for Android and Windows devices and the MDM Remote Support Client. | Internet; LAN and Wi-Fi | XenMobile |
| 1433 | Used by default for connections to a remote database server (optional). | XenMobile | SQL Server |
| 443 or 2197 | Used to send APNs notifications to *.push.apple.com. | XenMobile | Internet (APNs hosts using the public IP address range 17.0.0.0/8) |
| 5223 | Used for APNs outbound connections from iOS devices to *.push.apple.com. | iOS devices | Internet (APNs hosts using the public IP address range 17.0.0.0/8) |
| 8081 | Used for app tunnels from the optional MDM Remote Support Client. Defaults to 8081. | Remote Support Client | XenMobile |
| 8443 | Used for enrollment of iOS devices. | Internet; LAN and Wi-Fi | XenMobile |
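As an added pre-deployment check (not part of the Citrix documentation), the script below probes the outbound TCP flows listed in the two tables above from a host placed in the XenMobile server's network segment, reports the flows the firewall still blocks, and warns when only the insecure LDAP port is reachable. All internal hostnames are constructed placeholders to replace with your own servers.

```python
import socket

# Outbound flows from the two tables above. Internal hostnames are constructed
# placeholders; replace them with the servers in your environment.
LDAP_HOST = "dc01.example.internal"
OUTBOUND_FLOWS = [
    (LDAP_HOST, 636, "secure LDAP"),
    (LDAP_HOST, 389, "insecure LDAP"),
    ("sql01.example.internal", 1433, "remote SQL Server database (optional)"),
    ("smtp.example.internal", 25, "SMTP notification service"),
    ("license.example.internal", 27000, "Citrix License Server"),
    ("license.example.internal", 7279, "Citrix Vendor Daemon"),
    ("gateway.example.internal", 443, "Callback URL to Citrix Gateway"),
    ("discovery.cem.cloud.us", 443, "AutoDiscovery Service (ADS)"),
    ("api.push.apple.com", 2197, "APNs (*.push.apple.com)"),
]


def tcp_probe(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name resolution failed
        return False


def check_flows(flows, probe=tcp_probe):
    """Probe every flow; returns a list of (host, port, purpose, reachable)."""
    return [(host, port, why, probe(host, port)) for host, port, why in flows]


def blocked(results):
    """Flows that are still blocked, as 'host:port purpose' strings."""
    return [f"{host}:{port} {why}" for host, port, why, ok in results if not ok]


def insecure_ldap_only(results, ldap_host):
    """True when the insecure LDAP port (389) is reachable but LDAPS (636) is not."""
    reach = {port: ok for host, port, _, ok in results if host == ldap_host}
    return reach.get(389, False) and not reach.get(636, False)


if __name__ == "__main__":
    res = check_flows(OUTBOUND_FLOWS)
    for line in blocked(res):
        print("BLOCKED:", line)
    if insecure_ldap_only(res, LDAP_HOST):
        print("WARNING: only insecure LDAP (389) is reachable; open 636 and use LDAPS")
```

The `probe` parameter lets you swap the real socket probe for a stub when testing the report logic without network access.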

Port requirement for AutoDiscovery service connectivity

This port configuration makes sure that Android devices connecting from Secure Hub for Android can access the Citrix AutoDiscovery Service (ADS) from within the internal network. You need access to the ADS to download security updates made available through the ADS.

Note:

ADS connections might not support your proxy server. In this scenario, allow the ADS connection to bypass the proxy server.

If you want to enable certificate pinning, do the following prerequisites:

  • Collect XenMobile Server and Citrix ADC certificates. The certificates must be in PEM format and must be a public certificate and not the private key.
  • Contact Citrix Support and place a request to enable certificate pinning. During this process, you are asked for your certificates.

Certificate pinning requires that devices connect to ADS before the device enrolls. This requirement makes sure that the latest security information is available to Secure Hub. For Secure Hub to enroll a device, the device must reach the ADS. So, opening up ADS access within the internal network is critical to enabling devices to enroll.
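Before sending certificates to Citrix Support for pinning, it is worth confirming that each file really is a PEM public certificate and carries no private key, as the prerequisites above require. The checker below is an added example, not Citrix code; its sample input is a constructed DER stub, not a real certificate.

```python
import base64
import re

# One PEM block: "-----BEGIN <LABEL>-----", base64 body, "-----END <LABEL>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def inspect_pem(text):
    """Return (certificate_count, problems) for the contents of one PEM file.

    A file is fit to send for pinning when it yields at least one certificate
    and an empty problems list.
    """
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return 0, ["no PEM block found (DER or PFX files must be converted to PEM)"]
    certs, problems = 0, []
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            problems.append(f"contains a {label} block; send only the public certificate")
        elif label != "CERTIFICATE":
            problems.append(f"unexpected block type: {label}")
        else:
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                problems.append("CERTIFICATE block is not valid base64")
                continue
            # A DER-encoded X.509 certificate starts with an ASN.1 SEQUENCE tag (0x30).
            if not der or der[0] != 0x30:
                problems.append("CERTIFICATE block does not decode to DER")
            else:
                certs += 1
    return certs, problems


# Constructed sample input: a minimal DER SEQUENCE stands in for a certificate body.
_FAKE_DER = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE_CERT = f"-----BEGIN CERTIFICATE-----\n{_FAKE_DER}\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = f"-----BEGIN PRIVATE KEY-----\n{_FAKE_DER}\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(inspect_pem(SAMPLE_CERT))
    print(inspect_pem(SAMPLE_CERT + SAMPLE_KEY))
```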

To allow access to the ADS for Secure Hub for Android or iOS, open port 443 for the following FQDN:

| FQDN | Port | IP and port usage |
|---|---|---|
| discovery.cem.cloud.us | 443 | Secure Hub - ADS communication via CloudFront |

For information on supported IP addresses, see Cloud-based storage centers from AWS.

Android Enterprise network requirements

For information about the outbound connections to consider when setting up network environments for Android Enterprise, see the Google support article, Android Enterprise Network Requirements.

Port requirements for XenMobile

The following destination hosts must be reachable from the network to create a Managed Google Play Enterprise and to access the Managed Google Play iFrame. Google made the Managed Play iFrame available to EMM developers to simplify search and approval of apps. To use the Managed Play iFrame, the browser from which you access the XenMobile console must have access to Google Play.

| Destination host | Port | Description |
|---|---|---|
| play.google.com | TCP/443 | Used for the Google Play store and Play Enterprise sign-up |
| *.googleapis.com | TCP/443 | Used for Google Mobile Management, Google APIs, Google Play store APIs, FCM |
| accounts.youtube.com, accounts.google.com | TCP/443 | Used for account authentication |
| apis.google.com | TCP/443 | Used for Google web services |
| ogs.google.com | TCP/443 | Used for iFrame UI elements |
| notifications.google.com | TCP/443 | Used for desktop and mobile notifications |
| fonts.googleapis.com, *.gstatic.com, *.googleusercontent.com | TCP/443 | Used for Google Fonts and user-generated content, for example the app icons in the store |
| cri.pki.goog, ocsp.pki.goog | TCP/443 | Used for certificate validation |