Network communication between servers and client devices can be a security risk in any enterprise environment. In addition to physically securing servers, most organizations install network security measures including firewalls to isolate servers running XenApp and Web browsers from the Internet and publicly accessible networks. To deploy XenApp on internal networks, secure communications between the client and server by means of SSL/TLS or other security measures.
Part of securing your server farm is making sure that only properly authenticated users can access your servers and resources. Authentication can include the use of smart cards.
| Communication | Default port | Configuration |
|---|---|---|
| Delivery Services Console/Access Management Console | 135 | Not configurable |
| Citrix SSL Relay | 443 | See Using the SSL Relay with the Microsoft Internet Information Server (IIS) |
| Citrix XML Service | 80 | See Installing and Configuring XenApp |
| Client-to-server (directed UDP) | 1604 | Not configurable |
| ICA sessions (clients to servers) | 1494 | See XenApp Command Reference for information about using the ICAPORT command |
| Citrix Vendor Daemon | 7279 | See Licensing Your Product |
| License Management Console | 8082 | See Licensing Your Product |
| Server to license server | 27000 | In the console, open the farm or server properties page, and select License Server |
| Server to Microsoft SQL Server or Oracle server | 139, 1433, or 443 for MS-SQL | See the documentation for the database software |
| Server to server | 2512 | See XenApp Command Reference for information about using the IMAPORT command |
| Session reliability | 2598 | See Configuring Session Reliability |
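The following added example (not part of the Citrix documentation) audits a firewall rule set against the default ports in the table and flags rules that open XenApp ports to untrusted networks. The rule format, the zone names, and the "client"/"backend" role assigned to each port are assumptions made for the example, derived from the row descriptions.

```python
# Ports and component names are copied from the table above. The role tags and
# the rule format "<action> <source-zone> <port>" are assumptions for this example.
XENAPP_PORTS = {
    135: ("Delivery Services Console/Access Management Console", "backend"),
    443: ("Citrix SSL Relay", "client"),  # the table also lists 443 for MS-SQL
    80: ("Citrix XML Service", "backend"),
    1604: ("Client-to-server (directed UDP)", "client"),
    1494: ("ICA sessions (clients to servers)", "client"),
    7279: ("Citrix Vendor Daemon", "backend"),
    8082: ("License Management Console", "backend"),
    27000: ("Server to license server", "backend"),
    139: ("Server to Microsoft SQL Server or Oracle server", "backend"),
    1433: ("Server to Microsoft SQL Server or Oracle server", "backend"),
    2512: ("Server to server", "backend"),
    2598: ("Session reliability", "client"),
}
UNTRUSTED_ZONES = {"internet", "any"}  # hypothetical zone names

def audit(rules_text):
    """Return (line_no, port, component, finding) for each risky or bad rule."""
    findings = []
    for n, raw in enumerate(rules_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()  # drop comments and whitespace
        if not parts:
            continue
        if len(parts) != 3 or not parts[2].isdigit():
            findings.append((n, None, None, "unparseable rule"))
            continue
        action, zone, port = parts[0].lower(), parts[1].lower(), int(parts[2])
        if action != "allow" or zone not in UNTRUSTED_ZONES or port not in XENAPP_PORTS:
            continue
        name, role = XENAPP_PORTS[port]
        if role == "backend":
            findings.append((n, port, name, "back-end port open to untrusted zone"))
        elif port != 443:
            findings.append((n, port, name, "client port open to untrusted zone; review SSL/TLS protection"))
    return findings

# Constructed sample rule set (not from any real firewall).
SAMPLE_RULES = """\
allow internet 443
allow internet 1494
allow any 2512
allow dmz 80
deny internet 27000
allow internet 1433
permit internet
"""
if __name__ == "__main__":
    print(*audit(SAMPLE_RULES), sep="\n")
```

The check ignores protocol (port 1604 is UDP) and assumes the default ports; if you change a port with ICAPORT or IMAPORT, update the map to match.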
A proxy server accepts connection requests from client devices and redirects those requests to the appropriate XenApp servers. Using a proxy server, much like using a firewall, gives you more control over access to the XenApp servers and provides a heightened level of security for your network. A proxy server, as opposed to a firewall, uses a different port from that used by the XenApp servers.
For information about using proxy servers with the XenApp plug-ins, see the Citrix online plug-in documentation.
If users log on using smart cards or pass-through authentication, you must set up a trust relationship between the server running the Web Interface and any server in the farm that the Web Interface accesses for published applications. Without the trust relationship, the Disconnect, Reconnect, and Log Off (“Workspace Control”) commands fail for those users logging on with smart card or pass-through authentication. For more information about Workspace Control, see Ensuring Session Continuity for Mobile Workers.
You do not need to set up a trust relationship if your users authenticate to the Web Interface or the Citrix online plug-in by typing in their credentials.
To set up the trust relationship, configure the Citrix Computer policy Trust XML requests setting. The Citrix XML Service communicates information about published applications among servers running the Web Interface and servers running XenApp.