Open firewall ports for App Layering, as needed

Jan 11, 2018

The App Layering appliance (aka the Enterprise Layer Manager (ELM)) must be connected to a network file share.

The App Layering installer opens ports that the appliance needs to interact with services on the virtual server where it is hosted. The default ports that App Layering uses are listed in the tables below.

If there is a firewall between the App Layering appliance and the machine on which you are running the App Layering Agent or one of the App Layering Connectors, you must manually open the port in the firewall used for that purpose. If during installation you changed any of the ports from the default setting, be sure to open the correct port.

Admin User

By default, App Layering uses the following ports in your firewall for the Admin User to interact with the Management Console on the App Layering appliance VM.

| Destination | Activity | Protocol | Ports |
|---|---|---|---|
| App Layering appliance (Enterprise Layer Manager (ELM)) | Management Console | TCP | 80, 443 |
| App Layering appliance | Administrator log download | TCP | 8888 |
| Connector for Azure | Communication | TCP | 3000 (HTTP), 3500 (HTTPS) |
| Connector for PVS | Communication | TCP | 3009 (HTTP), 3509 (HTTPS) |
| Connector for vSphere | Communication | TCP | 3004 (HTTP), 3504 (HTTPS) |
| Connector for XenServer | Communication | TCP | 3002 (HTTP), 3502 (HTTPS) |
| App Layering appliance | ActiveMQ Console | TCP | 8161 |

App Layering Appliance (Enterprise Layer Manager (ELM))

Internal Connections

By default, the App Layering service uses the following ports in your firewall for internal connections between the appliance and each of the destinations listed below.

In this table:

  • Appliance - The App Layering Appliance, also called the Enterprise Layer Manager, or ELM. This is the virtual appliance
  • Agent - refers to the App Layering Agent, which is required if you are:
    • Using PVS - The Agent must be installed on your PVS server(s).
    • Running Connector scripts - The Agent must be installed on any server on which you want to run a Connector script, for example, a server for your connection broker, provisioning service, hypervisor, or any other server running in your environment.
  • Admin User - A Management Console user who is assigned the App Layering Admin Role.

| Source | Destination | Activity | Protocol | Ports |
|---|---|---|---|---|
| Agents | Appliance | Initial registration | TCP | 443 |
| Appliance | Agents | Communication | TCP | 8016 |
| Agents | Appliance | Log deliveries from the Agent | TCP | 8787 |
| Appliance | VMware vCenter and ESX Hosts | Communication with datastore via ESXi Host | TCP | 443 |
| Agent | Appliance | Agent communication with datastore | TCP | 8888 |
| Appliance | Active Dir | Communication with Active Directory | TCP | 443 |
| Agent | Appliance | Log gathering | TCP | 14243 |
| Appliance | Active Directory | LDAP | TCP | 389, 636 |
| Admin User | Appliance | Connector for Azure Communication | TCP | 3000 (HTTP), 3500 (HTTPS) |
| Agent on PVS server / Admin user | Appliance | Connector for PVS Communication / Publishing | TCP | 3009 (HTTP), 3509 (HTTPS) |
| Admin User | Appliance | Connector for vSphere Communication | TCP | 3004 (HTTP), 3504 (HTTPS) |
| Admin User | Appliance | Connector for XenServer Communication | TCP | 3002 (HTTP), 3502 (HTTPS) |
| Admin User | Appliance | Connector for Nutanix Communication | TCP | 3006 (HTTP), 3506 (HTTPS) |
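
The following is an added example, not part of the Citrix documentation: it compares a firewall's TCP allow rules with the default flows in the Admin User and Internal Connections tables, reporting listed flows that no rule permits and rules that allow ports the tables do not list. The role labels, the rule tuple format and the sample rule set are assumptions made for the example; remove the connectors you do not use from DOCUMENTED, and adjust any ports you changed during installation.

```python
# Default TCP flows transcribed from the tables on this page.
# Role labels (admin, agent, appliance, vcenter, ad) are names chosen for this example.
CONNECTOR_PORTS = {3000, 3500, 3002, 3502, 3004, 3504, 3006, 3506, 3009, 3509}
DOCUMENTED = {
    ("admin", "appliance"): {80, 443, 8888, 8161} | CONNECTOR_PORTS,
    ("agent", "appliance"): {443, 8787, 8888, 14243, 3009, 3509},
    ("appliance", "agent"): {8016},
    ("appliance", "vcenter"): {443},
    ("appliance", "ad"): {443, 389, 636},
}

def audit(rules, needed=DOCUMENTED):
    """rules: iterable of (src, dst, first_port, last_port) TCP allow rules.

    Returns (missing, excess):
      missing - sorted (src, dst, port) flows from the tables that no rule allows
      excess  - (rule, count) for rules that allow ports the tables do not list
    """
    allowed, excess = {}, []
    for rule in rules:
        src, dst, lo, hi = rule
        ports = set(range(lo, hi + 1))
        allowed.setdefault((src, dst), set()).update(ports)
        extra = ports - needed.get((src, dst), set())
        if extra:
            excess.append((rule, len(extra)))
    missing = sorted(
        (src, dst, port)
        for (src, dst), ports in needed.items()
        for port in ports - allowed.get((src, dst), set())
    )
    return missing, excess

# Constructed sample rule set (not from the page): broad ranges and some gaps.
SAMPLE_RULES = [
    ("admin", "appliance", 443, 443),
    ("admin", "appliance", 3000, 3600),  # wide range instead of the ten listed ports
    ("agent", "appliance", 443, 443),
    ("agent", "appliance", 8787, 8888),
    ("appliance", "agent", 8016, 8016),
    ("appliance", "ad", 636, 636),
]

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_RULES)
    for flow in missing:
        print("listed but not allowed: %s -> %s tcp/%d" % flow)
    for rule, count in excess:
        print("rule %s allows %d ports not in the tables" % (rule, count))
```
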

External connection

By default, App Layering uses the following ports in your firewall for external connections between the App Layering appliance and the destinations listed below.

| Destination | Activity | Protocol | Ports |
|---|---|---|---|
| cdn.unidesk.com | API access | TCP | 443 |
| www.unidesk.com/upgrades/latest | Download upgrade media from Citrix Cloud | TCP | 80 |

OS Image (XenServer requirement only)

Citrix XenServer uses port 5900 for communications between your OS Image and XenCenter or another Xen client.

| Destination | Activity | Protocol | Ports |
|---|---|---|---|
| XenCenter | Communications | | 5900 |