Citrix ADC and CVAD Firewall Rules
Navigation
- Change Log
- Citrix ADC Firewall Rules
- Citrix ADM Firewall Rules
- Citrix Virtual Apps and Desktops Firewall Rules
- Citrix Provisioning Firewall Rules
See CTX101810 Communication Ports Used by Citrix Technologies
Change Log
- 2020 Nov 13 - CTX286215 How to change Logstream source IP to NSIP on ADC.
- 2020 Oct 17 - ADM - added 443/8443 from ADM Agents to ADM
- 2018 June 11 - MAS Firewall - added MAS Floating IP and MAS Agents
- 2018 June 9 - StoreFront to Domain Controllers in Trusted Domains - added rules from Citrix Discussions
- 2018 June 6 - added NSIP firewall rules for NetScaler MAS Pooled Licensing
- 2018 May 24 - updated Director->HDX Insight firewall rules to indicate Director as the source (Source = Luke in the comments)
Citrix ADC Firewall Rules
| From | To | Protocol / Port | Purpose |
|---|---|---|---|
| Administrator machines | NSIPs (and/or SNIPs) | TCP 22, TCP 80, TCP 443, TCP 3008, TCP 3010 | SSH and HTTP/SSL access to the NetScaler configuration GUI. TCP 3008 and TCP 3010 are used by the Java GUI; 3008 is used when the traffic is encrypted. Java is not needed in 10.5 build 57 and newer. |
| Administrator machines | NetScaler SDX SVM, XenServer | TCP 22, TCP 80, TCP 443 | To administer NetScaler SDX |
| Administrator machines | NetScaler Lights Out Module | TCP 443, TCP 623, TCP 5900 | See CTX200367 |
| NSIP, SNIP | DNS servers | Ping, UDP 53, TCP 53 | Ping is used for monitoring. It can be avoided by load balancing DNS on the same appliance. |
| NSIPs, SNIP | NetScaler MAS | TCP 27000, TCP 7279 | Pooled Licensing |
| NSIPs, SNIP | NTP servers | UDP 123 | NTP |
| NSIPs, SNIP | Syslog server | UDP 514 | Syslog |
| NSIPs | callhome.citrix.com, cis.citrix.com, taas.citrix.com | TCP 443 | Call Home |
| NSIPs (default); SNIP if load balanced on the same appliance | LDAP servers (Domain Controllers) | TCP 389 (StartTLS), TCP 636 (Secure LDAP) | Secure LDAP requires certificates on the Domain Controllers. Secure LDAP enables password changes when passwords expire. |
| NSIPs | LDAP servers | TCP 389, TCP 636 | Monitor Domain Controllers |
| NSIPs (default); SNIP if load balanced on the same appliance | RADIUS servers | UDP 1812 | RADIUS is used for two-factor authentication. |
| SNIP | RADIUS servers | UDP 1812, Ping | Monitor RADIUS servers |
| NetScaler SDX Service virtual machine | NSIPs | Ping, TCP 22, TCP 80, TCP 443 | Only if NetScaler VPX runs as a virtual machine on top of NetScaler SDX |
| Local GSLB Site IP (SNIP) | GSLB Site IP (public IP) in other datacenter | TCP 3009, TCP 3011 | GSLB Metric Exchange Protocol between appliance pairs |
| NSIPs | GSLB Site IP (public IP) in other datacenter | TCP 22, TCP 3008, TCP 3010 | GSLB Configuration Sync |
| Local GSLB Site IP (SNIP) | All Internet | Ping, UDP 53, TCP (high ports) | RTT to DNS servers for Dynamic Proximity determination |
| SNIP | StoreFront Load Balancing VIP | TCP 443 | NetScaler Gateway communicates with StoreFront |
| SNIP | StoreFront servers | TCP 80, TCP 443, TCP 808 | StoreFront Load Balancing |
| NSIPs | StoreFront servers | TCP 80, TCP 443 | Monitor StoreFront servers |
| StoreFront servers | NetScaler Gateway VIP (DMZ IP) | TCP 443 | Authentication callback from StoreFront server to NetScaler Gateway. |
| SNIP | Each individual Delivery Controller in every datacenter | TCP 80, TCP 443 | Secure Ticket Authorities. STA traffic cannot be load balanced. TCP 443 only if certificates are installed on the Delivery Controllers. |
| SNIP | All internal virtual desktops and session hosts (subnet rule?) | TCP 1494, TCP 2598, UDP 1494, UDP 2598, UDP 16500-16509 | HDX/ICA, Enlightened Data Transport, Session Reliability, UDP Audio |
| All Internet, all internal users | NetScaler Gateway VIP (public IP) | TCP 80, TCP 443, UDP 443 | Connections from browsers and native Receivers; DTLS for UDP Audio |
| All Internet, all internal DNS servers | SNIP, ADNS Listener (public IP) | UDP 53, TCP 53 | ADNS (for GSLB) |
| Web logging server | NSIPs | TCP 3010 | Web logging polls the NetScalers. |
| NSIPs | NetScaler MAS or other SNMP trap destination | UDP 161, UDP 162 | SNMP Traps |
| NSIPs, SNIP | NetScaler MAS or other AppFlow Collector | UDP 4739, TCP 5557, TCP 5558, TCP 5563 | AppFlow (IPFIX, Logstream, and Metrics) |
| NSIP | mfa.cloud.com, trust.citrixworkspacesapi.net | TCP 443 | Native OTP Push (DNS required) |
- Authentication traffic uses NSIPs by default. This can be changed by creating a local Load Balancing Virtual Server on the same appliance and sending authentication traffic through the Load Balancing VIP.
- Several of the Load Balancing monitors run as Perl scripts, which are sourced from the NSIPs, not SNIP. But actual load balancing traffic uses SNIP as the source IP.
- DNS Name Servers use ping for monitoring. This can be disabled by creating a local Load Balancing Virtual Server on the same appliance and sending DNS traffic through the load balancer.
- On an ADC with a dedicated management network and a default route on a different data network, configure Policy Based Routes (PBRs) so that NSIP-sourced traffic is sent through a router on the NSIP subnet instead of the default route.
- Logstream defaults to SNIP as source but can be changed to NSIP. See CTX286215.
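The three notes above (authentication through a local Load Balancing VIP, DNS through a local load balancer, and PBRs for NSIP-sourced traffic) translate into a short ADC CLI configuration. The following is an added example, not configuration from the original page; every IP address, server name, domain and object name in it is a constructed placeholder, and the passwords are deliberately left as placeholders.

```text
# Added example (not from the original page). All addresses, names and the
# directory domain are constructed; replace them with your own values.
#
# 1. Local LDAP load balancing: the authentication action points at a VIP on
#    the same appliance, so the traffic that reaches the Domain Controllers is
#    sourced from the SNIP instead of the NSIP.
add server dc01 10.20.0.11
add server dc02 10.20.0.12
add service svc_ldap_dc01 dc01 TCP 389
add service svc_ldap_dc02 dc02 TCP 389
# The LDAP monitor is a Perl script, so its probes are still sourced from the
# NSIP (matching the "Monitor Domain Controllers" row in the table above).
add lb monitor mon_ldap LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -baseDN "dc=corp,dc=example,dc=com" -bindDN "svc_nsmon@corp.example.com" -password "<PLACEHOLDER>"
bind service svc_ldap_dc01 -monitorName mon_ldap
bind service svc_ldap_dc02 -monitorName mon_ldap
add lb vserver vs_ldap_internal TCP 10.20.0.50 389
bind lb vserver vs_ldap_internal svc_ldap_dc01
bind lb vserver vs_ldap_internal svc_ldap_dc02
# -secType TLS negotiates StartTLS on TCP 389; for Secure LDAP on TCP 636 use
# port 636 with -secType SSL (both rows appear in the table above).
add authentication ldapAction ldap_corp -serverIP 10.20.0.50 -serverPort 389 -secType TLS -ldapBase "dc=corp,dc=example,dc=com" -ldapBindDn "svc_nsldap@corp.example.com" -ldapBindDnPassword "<PLACEHOLDER>" -ldapLoginName sAMAccountName

# 2. Local DNS load balancing: the appliance's own resolver uses a DNS VIP on
#    the same appliance, so the Domain Controllers see the SNIP as the source
#    and the ping monitor is replaced by a real DNS query monitor.
add lb monitor mon_dns DNS -query corp.example.com -queryType Address
add service svc_dns_dc01 dc01 DNS 53
add service svc_dns_dc02 dc02 DNS 53
bind service svc_dns_dc01 -monitorName mon_dns
bind service svc_dns_dc02 -monitorName mon_dns
add lb vserver vs_dns_internal DNS 10.20.0.53 53
bind lb vserver vs_dns_internal svc_dns_dc01
bind lb vserver vs_dns_internal svc_dns_dc02
add dns nameServer vs_dns_internal

# 3. Policy Based Route: anything sourced from the NSIP (192.168.100.10 here)
#    leaves through the management-subnet router rather than the default
#    route on the data network. "apply ns pbrs" activates the PBR.
add ns pbr pbr_nsip_mgmt ALLOW -srcIP = 192.168.100.10 -nextHop 192.168.100.1
apply ns pbrs
```

After this change the firewall rules that matter for LDAP and DNS are the SNIP rows in the table above, while the NSIP rows remain necessary for the monitor probes; check with `show lb vserver vs_ldap_internal` and `show ns pbr` that the VIPs are UP and the PBR is active before removing any NSIP-to-Domain-Controller rule.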
Citrix ADM Firewall Rules
Citrix Application Delivery Management (ADM) monitors and manages the ADC appliances.
| From | To | Protocol / Port | Purpose |
|---|---|---|---|
| ADM Floating IP, ADM Agent | NSIPs | Ping, TCP 22, TCP 80, TCP 443 | Discovery and configuration of ADC devices |
| NSIPs | ADM Floating IP, ADM Agent | TCP 80, TCP 443 | Nitro |
| ADM (Primary, Secondary) | NSIPs | UDP 161 | SNMP |
| ADM Agents | ADM Floating IP | TCP 443, TCP 7443, TCP 8443 | Agent Communication |
| NSIPs | ADM Floating IP, ADM Agent | UDP 4739 | AppFlow |
| SNIP | ADM Floating IP, ADM Agent | TCP 5563 | Metrics Collector |
| NSIPs, SNIP | ADM Floating IP, ADM Agent | TCP 5557, TCP 5558 | Logstream (ULFD) |
| NSIPs | ADM Floating IP, ADM Agent | UDP 161, UDP 162 | SNMP Traps |
| NSIPs | ADM Floating IP, ADM Agent | UDP 514 | Syslog |
| CPX NSIPs, VPX NSIPs | ADM Floating IP, ADM Agent | TCP 27000, TCP 7279 | Pooled Licensing |
| Administrator machines | ADM Floating IP, ADM Agent | TCP 22, TCP 80, TCP 443 | Web-based GUI |
| Director servers | ADM Floating IP | TCP 80, TCP 443 | Insight integration with Director |
| ADM | LDAP(S) servers or LDAP(S) VIP | TCP 389, TCP 636 | LDAP authentication |
| ADM | Mail server | TCP 25 | Email alerts |
| ADM | NTP server | UDP 123 | NTP |
| ADM | Syslog server | UDP 514 | Syslog |
Citrix Virtual Apps and Desktops Firewall Rules
| From | To | Protocol / Port | Purpose |
|---|---|---|---|
| Administrator machines | Delivery Controllers | TCP 80/443, TCP 3389 | PowerShell, RDP |
| Delivery Controllers | SQL Server | TCP 1433, UDP 1434, or other static port | SQL database |
| Delivery Controllers | vCenter | TCP 443 | vCenter |
| Delivery Controllers | SCVMM (Hyper-V) | TCP 8100 | SCVMM |
| Delivery Controllers | Citrix Licensing | TCP 27000, TCP 7279, TCP 8082-8083 | Citrix Licensing |
| StoreFront servers | Delivery Controllers | TCP 80, TCP 443 | XML, Secure Ticket Authority |
| StoreFront servers | StoreFront servers | TCP 808 | Subscription Replication |
| StoreFront servers | Domain Controllers in Trusted Domains | TCP 88, TCP 135, TCP 445, TCP 389/636, TCP 49151-65535 | RPC (rules from Citrix Discussions) |
| Administrator machines | StoreFront servers | TCP 3389 | RDP |
| Administrator machines | Citrix Licensing | TCP 8082-8083, TCP 3389 | Web-based administration GUI, RDP |
| Delivery Controllers | All VDAs | TCP 80 | Brokering |
| All VDAs | Delivery Controllers | TCP 80 | Registration |
| All VDAs | Global Catalogs (Domain Controllers) | TCP 3268 | Registration |
| All Server OS VDAs | Remote Desktop Licensing Server | RPC and SMB | Remote Desktop Licensing |
| All Workspace apps (Internal) | StoreFront SSL Load Balancing VIP | TCP 80, TCP 443 | Internal access to StoreFront |
| All Workspace apps | Citrix Gateway VIP | TCP 80, TCP 443 | External (or internal) access to Citrix Gateway |
| All Workspace apps (Internal) | All VDAs | TCP 1494, UDP 1494, TCP 2598, UDP 2598, UDP 16500-16509 | ICA/HDX, EDT, Session Reliability, UDP Audio |
| Administrator machines | Director | TCP 3389 | RDP |
| Administrator machines, Help Desk machines | Director | TCP 80, TCP 443 | Web-based GUI |
| Director | Delivery Controllers | TCP 80, TCP 443 | |
| Director, Administrator machines, Help Desk machines | All VDAs | TCP 135, TCP 3389 | Remote Assistance |
Also see Microsoft TechNet: Which ports are used by an RDS 2012 deployment?
Citrix Provisioning Firewall Rules
| From | To | Protocol / Port | Purpose |
|---|---|---|---|
| Provisioning Servers | SQL Server | TCP 1433, UDP 1434, or other static port | SQL database for Provisioning Services |
| Provisioning Servers | Provisioning Servers | SMB | File copy of vDisk files |
| Provisioning Servers | Provisioning Servers | UDP 6890-6909 | Inter-server communication |
| Provisioning Servers | Citrix Licensing | TCP 27000, TCP 7279, TCP 8082-8083, TCP 80 | Citrix Licensing |
| Provisioning Servers | Controllers | TCP 80, TCP 443 | Setup Wizards to create machines |
| Provisioning Servers | vCenter | TCP 443 | Setup Wizards to create machines |
| Provisioning Servers | Target Devices | UDP 6901, UDP 6902, UDP 6905 | Provisioning Services Console Target Device power actions (e.g. Restart) |
| Administrator machines | Provisioning Servers | TCP 3389, TCP 54321, TCP 54322, TCP 54323 | RDP, SOAP |
| Controllers | Provisioning Servers | TCP 54321, TCP 54322, TCP 54323 | Add machines to Catalog |
| Target Devices | DHCP Servers | UDP 67 | DHCP |
| Target Devices | KMS Server | TCP 1688 | KMS Licensing |
| Target Devices | Provisioning Servers | UDP 69, UDP 67/4011, UDP 6910-6969 | TFTP, PXE, Streaming (expanded port range) |
| Target Devices | Provisioning Servers | UDP 6969, UDP 2071 | Two-stage boot (BDM) |
| Target Devices | Provisioning Servers | TCP 54321, TCP 54322, TCP 54323 | Imaging Wizard to SOAP Service |