XenMobile Port Requirements

Oct 06, 2015

To enable devices and apps to communicate with each XenMobile component, you need to open specific ports in your firewalls. The following tables list the ports that must be open.

Opening Ports for NetScaler Gateway and App Controller

You must open the following ports to allow user connections from Worx Home, Citrix Receiver, and the NetScaler Gateway Plug-in through NetScaler Gateway to App Controller, StoreFront, XenDesktop, the XenMobile NetScaler Connector, and to other internal network resources, such as intranet web pages.

| TCP port | Description | Source | Destination |
|---|---|---|---|
| 21 | Used to send support bundles to an FTP server. | App Controller | FTP server |
| 22 | Used to transfer logs between App Controller and a network server. | App Controller | Network server |
| 53 | Used for DNS connections. | NetScaler Gateway | DNS server |
| 80 | NetScaler Gateway passes the VPN connection to the internal network resource through the second firewall. This typically occurs if users log on with the NetScaler Gateway Plug-in. | NetScaler Gateway | Intranet websites |
| 80 or 8080 | XML and Secure Ticket Authority (STA) port used for enumeration, ticketing, and authentication. Citrix recommends using port 443. | StoreFront and Web Interface XML network traffic; NetScaler Gateway STA | XenDesktop or XenApp |
| 443 | Used for the Callback URL. | App Controller | NetScaler Gateway |
| 123 | Used for Network Time Protocol (NTP) services. | NetScaler Gateway | NTP server |
| 389 | Used for insecure LDAP connections. | NetScaler Gateway | LDAP authentication server or Microsoft Active Directory |
| 443 | Used for connections to StoreFront from Citrix Receiver or Receiver for Web to XenApp and XenDesktop. | Internet | NetScaler Gateway |
| 443 | Used for connections to App Controller for web, mobile, and SaaS application delivery. | Internet | NetScaler Gateway |
| 514 | Used for connections between App Controller and a syslog server. | App Controller | Syslog server |
| 636 | Used for secure LDAP connections. | NetScaler Gateway | LDAP authentication server or Active Directory |
| 1494 | Used for ICA connections to Windows-based applications in the internal network. Citrix recommends keeping this port open. | NetScaler Gateway | XenApp or XenDesktop |
| 1812 | Used for RADIUS connections. | NetScaler Gateway | RADIUS authentication server |
| 2598 | Used for connections to Windows-based applications in the internal network using session reliability. Citrix recommends keeping this port open. | NetScaler Gateway | XenApp or XenDesktop |
| 3268 | Used for Microsoft Global Catalog insecure LDAP connections. | NetScaler Gateway | LDAP authentication server or Active Directory |
| 3269 | Used for Microsoft Global Catalog secure LDAP connections. | NetScaler Gateway | LDAP authentication server or Active Directory |
| 4443 | Used by an administrator to access the App Controller console through a browser. | Access point (browser) | App Controller |
| 9080 | Used for HTTP traffic between NetScaler and the XenMobile NetScaler Connector. | NetScaler | XenMobile NetScaler Connector |
| 9443 | Used for HTTPS traffic between NetScaler and the XenMobile NetScaler Connector. | NetScaler | XenMobile NetScaler Connector |
| 9736 | Used for communication between two App Controller VMs when deployed as a high availability pair. | App Controller | App Controller |

Opening Device Manager Ports

You must open the following ports to allow Device Manager to communicate in your network.

| TCP port | Description | Source | Destination |
|---|---|---|---|
| 25 | Default SMTP port for the Device Manager notification service. If your SMTP server uses a different port, ensure your firewall does not block that port. | Device Manager | SMTP server |
| 80 or 443 | Enterprise App Store connection to the Apple iTunes App Store (ax.itunes.apple.com), Google Play, or Windows Phone Store. Used for publishing applications from the app stores through Citrix Mobile Self-Serve on iOS, Worx Home for Android, or Worx Home for Windows Phone. | Device Manager | Apple iTunes App Store (ax.itunes.apple.com); Apple Volume Purchase Program (vpp.itunes.apple.com); for Windows Phone: login.live.com and *.notify.windows.com |
| 80 or 443 | Used for outbound connections between Device Manager and the Nexmo SMS Notification Relay. | Device Manager | Nexmo SMS Relay Server |
| 389 | Used for insecure LDAP connections. | Device Manager | LDAP authentication server or Active Directory |
| 443 | Used for enrollment and agent setup for Android and Windows Mobile. | Internet | Device Manager |
| 443 | Used for enrollment and agent setup for Android and Windows Mobile, the Device Manager web console, and the MDM Remote Support Client. | Internal LAN and Wi-Fi | Device Manager |
| 1433 | Used for connections to a remote database server (optional). | Device Manager | SQL Server |
| 2195 | Used for Apple Push Notification service (APNs) outbound connections to gateway.push.apple.com for iOS device notifications and device policy push. | Device Manager | Internet (APNs hosts in the public IP address range 17.0.0.0/8) |
| 2196 | Used for APNs outbound connections to feedback.push.apple.com for iOS device notifications and device policy push. | Device Manager | Internet (APNs hosts in the public IP address range 17.0.0.0/8) |
| 5223 | Used for APNs outbound connections from iOS devices on Wi-Fi networks to *.push.apple.com. | iOS devices on Wi-Fi networks | Internet (APNs hosts in the public IP address range 17.0.0.0/8) |
| 7279 and 27000 | Crucial to prevent unintentionally upgrading users' devices to XenMobile Enterprise mode. | Device Manager | License Server |
| 8443 | Used for enrollment of iOS and Windows Phone devices. | Internet; LAN and Wi-Fi | Device Manager |

Port Requirement for Auto Discovery Service Connectivity

This port configuration ensures that Android devices connecting from Worx Home for Android 10.2 can access the Citrix Auto Discovery Service (ADS) from within the internal network. The ability to access the ADS is important when downloading any security updates made available through the ADS.

Note: ADS connections might not work with your proxy server. In this scenario, allow the ADS connection to bypass the proxy server.

Customers interested in enabling certificate pinning must do the following prerequisites:

  • Collect XenMobile Server and NetScaler certificates. The certificates need to be in PEM format and must be a public certificate and not the private key.
  • Contact Citrix Support and place a request to enable certificate pinning. During this process, you are asked for your certificates.

New certificate pinning improvements require devices to connect to the ADS before the device enrolls. This ensures that the latest security information is available to Worx Home for the environment in which the device is enrolling. Worx Home will not enroll a device that cannot reach the ADS. Therefore, opening up ADS access within the internal network is critical to enabling devices to enroll.
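A pre-flight check for the first pinning prerequisite above, added here as an example and not part of Citrix's documentation or tooling: it confirms that a PEM file to be sent to Citrix Support contains only public CERTIFICATE blocks and no private key. The sample PEM texts are constructed stubs whose payload is a minimal DER SEQUENCE, not real certificates.

```python
import base64
import re

# One PEM block: label and base64 body ("CERTIFICATE", "RSA PRIVATE KEY", ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def check_pinning_bundle(pem_text):
    """Return (ok, problems) for a PEM file intended for the certificate-pinning request.

    ok is True only when the text holds at least one CERTIFICATE block and nothing
    else: no private key, no unexpected block type, no malformed base64, and every
    payload starts with the DER SEQUENCE tag (0x30) that every X.509 certificate has.
    """
    problems = []
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        problems.append("no PEM blocks found (DER or PKCS#12 files must be converted to PEM)")
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            problems.append(f"{label} block present: submit only the public certificate")
        elif label != "CERTIFICATE":
            problems.append(f"unexpected block type: {label}")
        else:
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                problems.append("CERTIFICATE block is not valid base64")
                continue
            if der[:1] != b"\x30":
                problems.append("CERTIFICATE payload is not a DER SEQUENCE")
    return (not problems, problems)

# Constructed sample input, not real certificates: "MAMCAQE=" decodes to the
# five-byte DER SEQUENCE 30 03 02 01 01, enough to exercise the checks above.
CONSTRUCTED_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
CONSTRUCTED_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQE=\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, text in (("cert only", CONSTRUCTED_CERT), ("cert + key", CONSTRUCTED_CERT + CONSTRUCTED_KEY)):
        print(name, check_pinning_bundle(text))
```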

To allow access to the ADS for Worx Home 10.2 for Android, open port 443 for the following FQDN and IP addresses:

| FQDN | IP address |
|---|---|
| discovery.mdm.zenprise.com | 54.225.219.53 |
| | 54.243.185.79 |
| | 107.22.184.230 |
| | 107.20.173.245 |
| | 184.72.219.144 |
| | 184.73.241.73 |
| | 54.243.233.48 |
| | 204.236.239.233 |
| | 107.20.198.193 |
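A check a firewall administrator can run against an exported egress policy, added here as an example and not taken from the Citrix page: it encodes the Device Manager outbound flows and the ADS allow list above as (port, destination) pairs and reports the required flows that the policy does not cover, treating a CIDR allow entry as covering every address inside it. The policy model of (port, destination) pairs, the exported policy in the main block, and the hostnames ending in .example.test are constructed assumptions.

```python
import ipaddress

# Required outbound flows taken from the Device Manager port table and the ADS
# section above, as (tcp port, destination). Hostnames ending in .example.test
# are constructed placeholders for servers the page names only by role.
DEVICE_MANAGER_EGRESS = {
    (2195, "17.0.0.0/8"),             # APNs gateway.push.apple.com
    (2196, "17.0.0.0/8"),             # APNs feedback.push.apple.com
    (7279, "license.example.test"),   # License Server
    (27000, "license.example.test"),  # License Server
    (1433, "sql.example.test"),       # remote SQL Server (optional)
}
ADS_EGRESS = {(443, ip) for ip in (
    "54.225.219.53", "54.243.185.79", "107.22.184.230", "107.20.173.245",
    "184.72.219.144", "184.73.241.73", "54.243.233.48", "204.236.239.233",
    "107.20.198.193")}

def _covers(allowed_dest, required_dest):
    """True when an allowed destination (IP, CIDR or hostname) covers a required one."""
    try:
        req = ipaddress.ip_network(required_dest, strict=False)
        alw = ipaddress.ip_network(allowed_dest, strict=False)
    except ValueError:  # a hostname on either side: only an exact match counts
        return allowed_dest == required_dest
    return req.version == alw.version and req.subnet_of(alw)

def missing_rules(required, allowed):
    """Return the required (port, destination) flows that no allowed entry covers."""
    return sorted(r for r in required
                  if not any(port == r[0] and _covers(dest, r[1]) for port, dest in allowed))

def iptables_rules(flows, chain="OUTPUT"):
    """Render one iptables egress rule per flow (rule shape assumed here, not Citrix's)."""
    return [f"iptables -A {chain} -p tcp -d {dest} --dport {port} -j ACCEPT"
            for port, dest in sorted(flows)]

if __name__ == "__main__":
    # Constructed policy export: the ADS addresses were entered as a few summary
    # prefixes (one of them too narrow) and the APNs range was forgotten.
    exported_policy = {(443, "54.225.219.0/24"), (443, "54.243.0.0/16"), (443, "107.20.0.0/15"),
                       (443, "184.72.0.0/15"), (443, "204.236.239.233"), (7279, "license.example.test"),
                       (27000, "license.example.test"), (1433, "sql.example.test")}
    gaps = missing_rules(DEVICE_MANAGER_EGRESS | ADS_EGRESS, exported_policy)
    for flow in gaps:
        print("not covered:", flow)
    print("\n".join(iptables_rules(gaps)))
```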