Port Requirements

Feb 10, 2016

To enable devices and apps to communicate with XenMobile, you need to open specific ports in your firewalls. The following tables list the ports that must be open.

Opening Ports for NetScaler Gateway and XenMobile to Manage Apps

You must open the following ports to allow user connections from Worx Home, Citrix Receiver, and the NetScaler Gateway Plug-in through NetScaler Gateway to XenMobile, StoreFront, XenDesktop, the XenMobile NetScaler Connector, and to other internal network resources, such as intranet websites.

Ports in the following table are TCP unless noted otherwise.

Port | Description | Source | Destination
---- | ----------- | ------ | -----------
21 or 22 | Used to send support bundles to an FTP or SCP server. | XenMobile | FTP or SCP server
53 (UDP) | Used for DNS connections. | NetScaler Gateway, XenMobile | DNS server
80 | NetScaler Gateway passes the VPN connection to the internal network resource through the second firewall. This typically occurs if users log on with the NetScaler Gateway Plug-in. | NetScaler Gateway | Intranet websites
80 or 8080; 443 | XML and Secure Ticket Authority (STA) port used for enumeration, ticketing, and authentication. Citrix recommends using port 443. | StoreFront and Web Interface XML network traffic; NetScaler Gateway STA | XenDesktop or XenApp
123 | Used for Network Time Protocol (NTP) services. | NetScaler Gateway | NTP server
389 | Used for insecure LDAP connections. | NetScaler Gateway, XenMobile | LDAP authentication server or Microsoft Active Directory
443 | Used for connections to StoreFront from Citrix Receiver or Receiver for Web to XenApp and XenDesktop. | Internet | NetScaler Gateway
443 | Used for connections to XenMobile for web, mobile, and SaaS app delivery. | Internet | NetScaler Gateway
443 | Used for the Callback URL. | XenMobile | NetScaler Gateway
514 | Used for connections between XenMobile and a syslog server. | XenMobile | Syslog server
636 | Used for secure LDAP connections. | NetScaler Gateway, XenMobile | LDAP authentication server or Active Directory
1494 | Used for ICA connections to Windows-based applications in the internal network. Citrix recommends keeping this port open. | NetScaler Gateway | XenApp or XenDesktop
1812 | Used for RADIUS connections. | NetScaler Gateway | RADIUS authentication server
2598 | Used for connections to Windows-based applications in the internal network using session reliability. Citrix recommends keeping this port open. | NetScaler Gateway | XenApp or XenDesktop
3268 | Used for Microsoft Global Catalog insecure LDAP connections. | NetScaler Gateway, XenMobile | LDAP authentication server or Active Directory
3269 | Used for Microsoft Global Catalog secure LDAP connections. | NetScaler Gateway, XenMobile | LDAP authentication server or Active Directory
4443 | Used for accessing the XenMobile console by an administrator through the browser. | Access point (browser) | XenMobile
7279 | Default port used for checking Citrix licenses in and out. | XenMobile | Citrix Vendor Daemon
8443 | Used for enrollment, Worx Store and mobile app management (MAM). | XenMobile, NetScaler Gateway, Devices | XenMobile
9080 | Used for HTTP traffic between NetScaler and the XenMobile NetScaler Connector. | NetScaler | XenMobile NetScaler Connector
9443 | Used for HTTPS traffic between NetScaler and the XenMobile NetScaler Connector. | NetScaler | XenMobile NetScaler Connector
27000 | Default port used for accessing the external Citrix License Server. | XenMobile | Citrix License Server
45000, 80 | Used for communication between two XenMobile VMs when deployed in a cluster. | XenMobile | XenMobile

 

Opening XenMobile Ports to Manage Devices

You must open the following ports to allow XenMobile to communicate in your network.

TCP port | Description | Source | Destination
-------- | ----------- | ------ | -----------
25 | Default SMTP port for the XenMobile notification service. If your SMTP server uses a different port, ensure your firewall does not block that port. | XenMobile | SMTP server
80 and 443 | Enterprise App Store connection to Apple iTunes App Store (ax.itunes.apple.com), Google Play, or Windows Phone Store. Used for publishing apps from the app stores through Citrix Mobile Self-Serve on iOS, Worx Home for Android, or Worx Home for Windows Phone. | XenMobile | Apple iTunes App Store (ax.itunes.apple.com); Apple Volume Purchase Program (vpp.itunes.apple.com); for Windows Phone: login.live.com and *.notify.windows.com; Google Play (play.google.com)
80 and 443 | Used for outbound connections between XenMobile and Nexmo SMS Notification Relay. | XenMobile | Nexmo SMS Relay Server
443 | Used for outbound connections to the AutoDiscovery server. | XenMobile | https://discovery.mdm.zenprise.com
443 | Used for enrollment and agent setup for Android and Windows devices, the XenMobile web console, and MDM Remote Support Client. | Internal LAN and WiFi | XenMobile
443 | Used for enrollment and agent setup for Android and Windows Mobile. | Internet | XenMobile
1433 | Used for connections to a remote database server (optional). | XenMobile | SQL Server
2195 | Used for Apple Push Notification service (APNs) outbound connections to gateway.push.apple.com for iOS device notifications and device policy push. | XenMobile | Internet (APNs hosts using the public IP address 17.0.0.0/8)
2196 | Used for APNs outbound connections to feedback.push.apple.com for iOS device notification and device policy push. | XenMobile | Internet (APNs hosts using the public IP address 17.0.0.0/8)
5223 | Used for APNs outbound connections from iOS devices on Wi-Fi networks to *.push.apple.com. | iOS devices on WiFi networks | Internet (APNs hosts using the public IP address 17.0.0.0/8)
8443 | Used for enrollment of iOS and Windows Phone devices. | Internet; LAN and WiFi | XenMobile
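The two tables above say which ports must be reachable from which source. The following Python script is an added example, not Citrix code or documentation: it parses port cells written the way these tables write them ("21 or 22", "53 (UDP)", "80 and 443", "45000, 80"), expands them into one rule per port and protocol, renders a vendor-neutral allow list you can translate into your firewall's syntax, and probes TCP reachability from the host it runs on. The REQUIREMENTS subset, the loopback listener and the destination-to-host mapping are constructed for the example.

```python
"""Port-requirement checker, modelled on the two tables above.

Added example; this is not Citrix code. It parses port cells written the way
the tables write them ("21 or 22", "53 (UDP)", "80 and 443", "45000, 80"),
expands them into one rule per port and protocol, renders a vendor-neutral
allow list, and probes TCP reachability from the host it runs on.
"""
from __future__ import annotations

import re
import socket
from dataclasses import dataclass

# Constructed subset of the tables above: (port cell, source, destination).
REQUIREMENTS = [
    ("53 (UDP)", "XenMobile", "DNS server"),
    ("389", "XenMobile", "LDAP authentication server"),
    ("636", "XenMobile", "LDAP authentication server"),
    ("8443", "NetScaler Gateway", "XenMobile"),
    ("45000, 80", "XenMobile", "XenMobile"),
    ("2195", "XenMobile", "Internet (APNs hosts using the public IP address 17.0.0.0/8)"),
]


@dataclass(frozen=True)
class Rule:
    port: int
    proto: str  # "tcp" or "udp"
    source: str
    destination: str


def parse_port_spec(spec: str) -> list[tuple[int, str]]:
    """Turn a port cell into (port, proto) pairs.

    Ports are TCP unless the cell says UDP, the convention stated above the
    first table. Every number in the cell is a port; the joining words ("or",
    "and", ",") only matter to a human reader.
    """
    proto = "udp" if re.search(r"\(udp\)", spec, re.IGNORECASE) else "tcp"
    ports = [int(p) for p in re.findall(r"\d+", spec)]
    if not ports or any(not 0 < p < 65536 for p in ports):
        raise ValueError(f"bad port spec: {spec!r}")
    return [(p, proto) for p in ports]


def expand(requirements) -> list[Rule]:
    """One Rule per port so that each can be rendered and checked individually."""
    return [
        Rule(port, proto, src, dst)
        for spec, src, dst in requirements
        for port, proto in parse_port_spec(spec)
    ]


def render_allow_list(rules) -> list[str]:
    """Vendor-neutral allow lines; translate to your firewall's syntax as needed."""
    return [f"allow {r.proto} {r.source} -> {r.destination} port {r.port}" for r in rules]


def check_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout.

    A refusal means nothing is listening (or the firewall rejects); a timeout
    usually means a firewall silently drops the packets or the route is wrong.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_all(targets: dict[str, str], rules) -> dict[str, bool]:
    """Probe every TCP rule whose destination name is mapped to a host in `targets`.

    `targets` maps the tables' destination names to addresses in your network
    (a constructed mapping in the usage below). UDP rules are skipped because a
    bare connect proves nothing for UDP; use a real DNS query for port 53.
    """
    results = {}
    for r in rules:
        if r.proto != "tcp" or r.destination not in targets:
            continue
        results[f"{r.destination}:{r.port}"] = check_tcp(targets[r.destination], r.port)
    return results


def local_listener() -> tuple[socket.socket, int]:
    """Throwaway TCP listener on 127.0.0.1 so the probe can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    rules = expand(REQUIREMENTS)
    for line in render_allow_list(rules):
        print(line)
    srv, port = local_listener()
    print("loopback probe on", port, "->", check_tcp("127.0.0.1", port))
    srv.close()
    # Real use: map destination names to your own hosts, then run the probes, e.g.
    # check_all({"XenMobile": "xenmobile.example.internal"}, rules)
```

Run it on the XenMobile server (or the NetScaler Gateway, for its rows) with a mapping of destination names to real hosts; a False result points at the firewall, route or listener to investigate before enrollment or authentication is attempted.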

Port Requirement for Auto Discovery Service Connectivity

This port configuration ensures that Android devices connecting from Worx Home for Android, versions 10.2 and 10.3, can access the Citrix Auto Discovery Service (ADS) from within the internal network. The ability to access the ADS is important when downloading any security updates made available through the ADS.

Note: ADS connections might not work with your proxy server. In this scenario, allow the ADS connection to bypass the proxy server.

Customers who want to enable certificate pinning must complete the following prerequisites:

  • Collect the XenMobile Server and NetScaler certificates. The certificates must be in PEM format and must be the public certificate, not the private key.
  • Contact Citrix Support and place a request to enable certificate pinning. During this process, you are asked for your certificates.
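Before sending the certificates to Citrix Support, it is worth checking that each file really is PEM and carries only the public certificate. The following Python script is an added example, not Citrix code: it lists the PEM block labels in a file and flags a missing CERTIFICATE block, any private-key block, or a file with no PEM framing at all (typically a DER or PFX export). The sample files in the script are constructed placeholders, not real certificates or keys.

```python
"""Check a PEM file before sending it for certificate pinning.

Added example; not Citrix code. The prerequisites above say the file must be
PEM and hold the public certificate, never the private key. This reports every
PEM block label found and flags anything that is not fit to share.
"""
import re
import sys

# A PEM block is "-----BEGIN <LABEL>-----", base64 lines, "-----END <LABEL>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_labels(text: str) -> list[str]:
    """Labels of all PEM blocks in the text, in file order (e.g. ['CERTIFICATE'])."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_pinning_bundle(text: str) -> list[str]:
    """Return the problems found; an empty list means the file is fit to send.

    Problems: no PEM framing at all (likely DER or PFX), no CERTIFICATE block,
    or a private-key block of any kind present alongside the certificate.
    """
    labels = pem_labels(text)
    if not labels:
        return ["no PEM blocks found (DER or PFX file? convert to PEM first)"]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    for label in labels:
        # Covers "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY".
        if label.endswith("PRIVATE KEY"):
            problems.append(f"contains a {label} block: remove it before sharing")
    return problems


# Constructed sample files; the payloads are placeholders, not real certificates or keys.
GOOD_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholderBase64Payload==\n"
    "-----END CERTIFICATE-----\n"
)
LEAKY_PEM = GOOD_PEM + (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEplaceholderBase64Payload==\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    # Usage: python pem_check.py xenmobile-server.pem netscaler.pem
    for path in sys.argv[1:]:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            problems = check_pinning_bundle(fh.read())
        print(path, "OK" if not problems else "; ".join(problems))
```

A file that passes contains only CERTIFICATE blocks; a chain file with the issuing CA appended also passes, which is fine for this purpose.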

New certificate pinning improvements require that devices connect to ADS before the device enrolls. This ensures that the latest security information is available to Worx Home for the environment in which the device is enrolling. Worx Home will not enroll a device that cannot reach the ADS. Therefore, opening up ADS access within the internal network is critical to enabling devices to enroll.

To allow access to the ADS for Worx Home 10.2 for Android, open port 443 for the following FQDN and IP addresses:

FQDN | IP address
---- | ----------
discovery.mdm.zenprise.com | 54.225.219.53, 54.243.185.79, 107.22.184.230, 107.20.173.245, 184.72.219.144, 184.73.241.73, 54.243.233.48, 204.236.239.233, 107.20.198.193
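Firewall rules written against a fixed IP list go stale when a service moves, and an enrollment that fails at the ADS step is often the first symptom. The following Python script is an added example, not Citrix code: it renders one egress allow line per published address, compares what discovery.mdm.zenprise.com currently resolves to against that list, and probes TCP 443 on each resolved address with a plain socket connect, which is what bypassing the proxy (as the note above recommends) amounts to. The published set is taken from the table above; the rule syntax is a vendor-neutral placeholder.

```python
"""Keep the ADS allow list honest: compare live DNS for discovery.mdm.zenprise.com
with the published addresses and probe TCP 443 directly.

Added example; not Citrix code. Run it from the internal network when
enrollment fails at the ADS step. The direct socket connect bypasses any
HTTP proxy, which is what the note above recommends for ADS traffic.
"""
from __future__ import annotations

import ipaddress
import socket

ADS_FQDN = "discovery.mdm.zenprise.com"
ADS_PORT = 443
# The IP addresses published in the table above.
ADS_PUBLISHED = {
    "54.225.219.53", "54.243.185.79", "107.22.184.230", "107.20.173.245",
    "184.72.219.144", "184.73.241.73", "54.243.233.48", "204.236.239.233",
    "107.20.198.193",
}


def resolve_ipv4(fqdn: str) -> set[str]:
    """IPv4 addresses the name resolves to right now, via this host's resolver."""
    infos = socket.getaddrinfo(fqdn, ADS_PORT, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def drift(resolved: set[str], published: set[str]) -> dict[str, set[str]]:
    """Split the resolved set against the published one.

    'unlisted' addresses would be blocked by rules built from the table and
    need adding; 'stale' entries did not come back in this query. A single DNS
    answer may omit some round-robin members, so treat 'stale' as a hint only.
    """
    return {
        "unlisted": set(resolved) - set(published),
        "stale": set(published) - set(resolved),
    }


def allow_rules(published: set[str], port: int = ADS_PORT) -> list[str]:
    """Vendor-neutral egress allow lines, one per published address, in address order."""
    return [
        f"allow tcp any -> {ip}/32 port {port}"
        for ip in sorted(published, key=ipaddress.ip_address)
    ]


def direct_tcp_ok(ip: str, port: int = ADS_PORT, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to ip:port completes with no proxy in the path."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for line in allow_rules(ADS_PUBLISHED):
        print(line)
    try:
        live = resolve_ipv4(ADS_FQDN)
    except socket.gaierror as exc:
        raise SystemExit(f"DNS lookup of {ADS_FQDN} failed: {exc}")
    print("drift:", drift(live, ADS_PUBLISHED))
    for ip in sorted(live, key=ipaddress.ip_address):
        print(ip, "443 reachable" if direct_tcp_ok(ip) else "443 blocked")
```

An "unlisted" address in the drift output means the allow list built from the table no longer covers the service; a "443 blocked" result on a listed address means the rule exists but traffic is still being dropped somewhere between the device network and the Internet.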