Citrix Ports and Commands
Citrix most used port list:
Component | Port | Details
---|---|---
License Manager Daemon (lmgrd.exe) | TCP 27000 | Handles the initial point of contact for license requests
Citrix Vendor Daemon (Citrix.exe) | TCP 7279 | Check-in/check-out of Citrix licenses
License Management Console | TCP 8082 | Web-based administration console
Simple License Service | TCP 8083 | Required for XenDesktop 7.x
Citrix Receiver | TCP 80/443 | Communication with Merchandising Server
ICA | TCP 1494 | Access to applications and virtual desktops
Session Reliability | TCP 2598 | Access to applications and virtual desktops (ICA carried over CGP)
Receiver for HTML5 | TCP 8008 | ICA/HDX from the HTML5 Receiver (XenDesktop and XenApp)
IMA | TCP 2512 | Communication between XenApp servers
Management Console | TCP 2513 | Citrix management consoles
Application/Desktop Request | TCP 80/8080/443 | XML Service
STA | TCP 80/8080/443 | Secure Ticketing Authority (embedded in the XML Service)
RDP | TCP 3389 | Remote access to the Windows desktop
SQL Server | TCP 1433 | Data Store
EdgeSight Server | TCP 9035 | Communication with the EdgeSight Server
By default the Citrix XML Service listens on TCP port 80, which it shares with IIS when IIS is installed on the XenApp server. Citrix recommends moving it to a dedicated port, typically 8080, using the ctxxmlss command (ctxxmlss /r8080, followed by a restart of the Citrix XML Service). Whatever port you choose must also be configured on StoreFront, Web Interface and NetScaler Gateway, because the STA is embedded in the XML Service and is reached on the same port.
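As an added example (not Citrix tooling), the following Python script checks whether a Citrix host actually exposes only the TCP listeners the tables on this page say it should, and flags everything else: an XML Service still answering on port 80 after it was supposed to move to 8080, RDP reachable on a VDA that should only be reached over ICA, SQL Browser exposed on a Controller, and so on. The per-role allow-lists are assumptions derived from the tables and must be adjusted to the deployment; UDP services (EDT, HDX audio, HA heartbeat) cannot be probed by a TCP connect and are left out.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Expected TCP listeners per role, derived from the tables on this page.
# Assumption: XML/STA moved off port 80 to 8080, Session Reliability on,
# ICA over SSL off. Adjust to your own design before trusting the report.
EXPECTED_TCP = {
    "vda": {80, 1494, 2598},                 # Controller<->VDA, ICA/HDX, Session Reliability (CGP)
    "controller": {80, 89, 443, 8080},       # Studio/SDK, LHC secondary broker, XML/STA on 8080
    "storefront": {443, 808},                # Store/Receiver for Web over HTTPS, subscription replication
    "license-server": {7279, 8082, 8083, 27000},
}

# Ports worth probing on any Citrix host: the page's listeners plus the usual
# management ports. "Open but not expected" is the finding of interest.
CANDIDATE_TCP = sorted({22, 80, 89, 443, 808, 1433, 1494, 2512, 2513, 2598,
                        3389, 7279, 8008, 8080, 8082, 8083, 27000,
                        54321, 54322, 54323})


def check_tcp(host, port, timeout=1.0):
    """True if a TCP connect() to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable, or timed out (filtered)
        return False


def scan(host, ports, timeout=1.0, workers=32):
    """Probe ports concurrently; returns {port: True if open, else False}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: (p, check_tcp(host, p, timeout)), ports))


def audit(host, expected, ports=CANDIDATE_TCP, timeout=1.0):
    """Compare observed listeners against an allow-list of expected ports."""
    expected = set(expected)
    observed = scan(host, sorted(set(ports) | expected), timeout)
    open_ports = sorted(p for p, is_open in observed.items() if is_open)
    return {
        "open": open_ports,
        "unexpected_open": [p for p in open_ports if p not in expected],
        "expected_closed": sorted(p for p in expected if not observed[p]),
    }


def listen_on_loopback(port=0):
    """Throwaway 127.0.0.1 listener on an ephemeral port (for local trials)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(8)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    host, role = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else ("127.0.0.1", "vda")
    report = audit(host, EXPECTED_TCP[role])
    print(f"{host} as {role}: open {report['open']}")
    print(f"  unexpected open:     {report['unexpected_open']}")
    print(f"  expected but closed: {report['expected_closed']}")
```

Run it as `python audit_ports.py <host> <role>` from the network segment whose firewall rules you are validating; a closed port in the "expected" list from the Gateway's DMZ segment is as much a finding as an unexpected listener, since it usually means a rule is missing rather than the service being down. "Closed" here lumps together refused and filtered, which is what matters for a reachability check.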
Common Port numbers:
Server/Management protocols:
DNS: UDP 53 (TCP 53 for zone transfers and large responses)
DHCP: UDP 67 (server), UDP 68 (client)
NTP: UDP 123
SNMP: UDP 161 (agent), UDP 162 (traps)
LDAP: TCP 389
LDAPS: TCP 636
SMB: TCP 445
Web browser protocols:
HTTP: TCP 80
HTTPS: TCP 443
Remote communication protocols:
TELNET: TCP 23
SSH: TCP 22
RDP: TCP 3389
File transfer protocols:
FTP: TCP 21 (control), TCP 20 (active-mode data)
SFTP: TCP 22 (runs over SSH)
TFTP: UDP 69
Email protocols:
SMTP: TCP 25
POP3: TCP 110
IMAP: TCP 143
Citrix Commands
- aierun: run an isolation environment; primarily for use in scripting environments.
- aiesetup: install or uninstall an application in an isolation environment.
- altaddr: query and set the alternate (external) IP address of a server running Citrix XenApp. The alternate address is returned to clients that request it and is used to reach a server that sits behind a firewall.
- app: application execution shell. App is a script interpreter for secure application execution: it reads execution scripts that copy standardized .ini files to user directories before an application starts, or that perform application-related cleanup after the application terminates.
- apputil: add servers to the Configured Servers list of published applications.
- auditlog: generate server logon/logoff reports (user, time, failed and successful logons in detail).
- chfarm: change the server farm membership of the server.
- ctxkeytool: enable and disable the IMA encryption feature and generate, load, replace, enable, disable or back up farm key files.
- dscheck: validate the integrity of the server farm data store.
- dsmaint: configure the server farm data store. dsmaint verifylhc [/autorepair] verifies (and optionally repairs) the local host cache; run it at least once a year.
- enablelb: re-enable load balancing for servers that failed health monitoring tests.
- acrcfg: configure Auto Client Reconnect settings.
- change: change logon, change port or change user.
- ctxxmlss: configure the Citrix XML Service port number (default 80).
- icaport: change the TCP port used for ICA sessions (default 1494).
- imaport: change the IMA port configuration.
- query: query farm, process, server, session, termserver and user.
- qfarm /load: display the load on each server.
- qfarm /app: display published applications currently running.
- qfarm /online: display online servers.
- qfarm /offline: display servers that are offline or hung (IMA service not running).
- qwinsta: display information about Remote Desktop sessions on the current (or a given) server.
- twconfig: configure ICA settings for graphics performance.
See also: Citrix Ports and Usage, and XenApp 6 Commands.
All Citrix Ports:
Citrix Cloud
The Citrix Cloud Connector needs outbound TCP 443 to the Citrix-managed control plane. The Host Management and Machine Creation capabilities of Citrix Cloud additionally require outbound TCP 9350-9354 to the control plane.
NetScaler
The following ports must be open between the two ADC appliances of an HA pair:
- UDP 3003 – heartbeat exchange.
- TCP 3008 – secure high availability configuration synchronization.
- TCP 3009 – secure command propagation and MEP (Metric Exchange Protocol).
- TCP 3010 – non-secure high availability configuration synchronization.
- TCP 3011 – non-secure command propagation and MEP.
- TCP 22 – SSH, used by rsync for file synchronization between the primary and secondary appliance.
Which pair is in use (3008/3009 or 3010/3011) depends on whether the RPC node for the peer is configured as secure; only the pair actually in use needs to be open. Note that depending on the NetScaler configuration, this traffic can originate from the SNIP, MIP or NSIP.
GSLB Ports
DNS: UDP 53 and TCP 53. MEP uses TCP 3009 (encrypted) or TCP 3011 (clear text) between the GSLB sites. GSLB configuration synchronization requires TCP 22 and TCP 3008 (secure) from the NSIP (management IP) to the remote public MEP IP; the GSLB sync command runs a script in the BSD shell, so the NSIP is always the source IP.
Source | Destination | Type | Port | Details
---|---|---|---|---
NetScaler Appliance | NetScaler in cluster setup | UDP | 7000 | Cluster heartbeat exchange
NetScaler Appliance | NetScaler Appliance (HA peer) | UDP | 3003 | Exchange of hello packets for communicating UP/DOWN status (heartbeat)
NetScaler Appliance | NetScaler Appliance (HA peer) | TCP | 3008 | Secure high availability configuration synchronization
NetScaler Appliance | NetScaler Appliance (HA peer) | TCP | 3009 | Secure MEP and command propagation
NetScaler Appliance | NetScaler Appliance (HA peer) | TCP | 3010 | Non-secure high availability configuration synchronization
NetScaler Appliance | NetScaler Appliance (HA peer) | TCP | 3011 | Non-secure MEP and command propagation
NetScaler Appliance | NetScaler Appliance (HA peer) | TCP | 22 | Used by the rsync process during file synchronization in a high availability setup
NetScaler Appliance | Command Center | UDP | 162 | SNMP traps from NetScaler to Command Center
NetScaler Appliance | DNS Server | TCP/UDP | 53 | DNS name resolution
NetScaler Appliance | NetScaler Lights Out Management | TCP | 5900/623 | Lights Out Management access
NetScaler Appliance | Integrated Management Interface | TCP | 4001 | Daemon that offers complete and unified configuration management of all the routing protocols
NetScaler Appliance | LDAP Server | TCP/UDP | 389 | LDAP connection
NetScaler Appliance | Thales HSM | TCP | 9004 | RFS and Thales HSM
NetScaler Appliance | NetScaler Insight Center / NetScaler MAS | UDP | 4739 | AppFlow communication
NetScaler Appliance | NetScaler MAS | UDP (SNMP) | 161, 162 | SNMP events
NetScaler Appliance | NetScaler MAS | UDP (syslog) | 514 | Syslog messages received by NetScaler MAS
NetScaler Appliance | NetScaler MAS | TCP | 5557 | Logstream communication from NetScaler to NetScaler MAS
Admin Workstation | NetScaler Appliance | TCP | 80/443 | HTTP(S) GUI administration
Admin Workstation | NetScaler Appliance | TCP | 22 | SSH access
Admin Workstation | Command Center Server | TCP | 8443 | If an HTML client is used, only port 8443 needs to be open between the client and the Command Center server; Citrix recommends using the HTML client wherever possible
Admin Workstation | Command Center Server | TCP | 9091/9092/9094 | TCP communication between client and server
Admin Workstation | Command Center Server | TCP | 9091/9092 | Used to refresh, update and query objects in the Discovery (Maps/Devices), Fault Management, Administration and Configuration Management modules
NetScaler Gateway
Source | Destination | Type | Port | Details
---|---|---|---|---
NetScaler Gateway | LDAP Server | TCP | 636 | LDAP over SSL
NetScaler Gateway | LDAP Server | TCP | 3268 | LDAP connection to the Global Catalog
NetScaler Gateway | LDAP Server | TCP | 3269 | LDAP connection to the Global Catalog over SSL
NetScaler Gateway | LDAP Server | TCP | 389 | LDAP plain text
NetScaler Gateway | RADIUS Server | UDP | 1645/1812 | RADIUS authentication
NetScaler Gateway | RADIUS Server | UDP | 1813 | RADIUS accounting
NetScaler Gateway | Delivery Controller / XML Service | TCP | 80/8080/443 | XML and Secure Ticket Authority (STA) port used for enumeration, ticketing and authentication
NetScaler Gateway | Secure Ticketing Authority | TCP | 80/8080/443 | Secure Ticketing Authority (embedded in the XML Service)
NetScaler Gateway | XenDesktop Virtual Desktop / XenApp Worker Server (VDA) | TCP, UDP | 2598 | Access to applications and virtual desktops by ICA/HDX with Session Reliability; the EDT protocol requires UDP 2598 to be open
NetScaler Gateway | XenDesktop Virtual Desktop / XenApp Worker Server (VDA) | TCP, UDP | 1494 | Access to applications and virtual desktops by ICA/HDX; the EDT protocol requires UDP 1494 to be open
NetScaler Gateway | XenDesktop Virtual Desktop / XenApp Worker Server (VDA) | TCP | 443 | Access to applications and virtual desktops by ICA/HDX over SSL
NetScaler Gateway | XenDesktop Virtual Desktop / XenApp Worker Server (VDA) | TCP | 8008 | Access to applications and virtual desktops by ICA/HDX from the HTML5 Receiver
NetScaler Gateway | XenDesktop Virtual Desktop / XenApp Worker Server (VDA) | IP | 50 (protocol number) | IPsec Encapsulating Security Payload (ESP) traffic
StoreFront | NetScaler Gateway | TCP | 443 | Callback URL used by StoreFront to reach the NetScaler Gateway virtual server
NetScaler Gateway Plug-in | VPN / XenApp / XenDesktop | UDP | 3108/3168/3188 | VPN tunnel with secure ICA connections
NetScaler Gateway Plug-in | VPN / XenApp / XenDesktop | TCP/UDP | 3148 | VPN tunnel with secure ICA connections
NetScaler Gateway | XenDesktop Virtual Desktop / XenApp Worker Server (VDA) | UDP | 3224-3324 | Access to applications and virtual desktops with Framehawk
Admin Workstation | NetScaler Gateway | TCP | 80/443 | HTTP(S) GUI administration
Admin Workstation | NetScaler Gateway | TCP | 22 | SSH access
Admin Workstation | Command Center Server | TCP | 8443 | If an HTML client is used, only port 8443 needs to be open between the client and the Command Center server; Citrix recommends using the HTML client wherever possible
NetScaler Gateway | DNS Server | TCP/UDP | 53 | Communication with the DNS server
CTX113250 – Required Ports for Citrix NetScaler Gateway in DMZ Setup
NetScaler SD-WAN
Source | Destination | Type | Port | Details |
---|---|---|---|---|
SD-WAN Standard and Enterprise Edition | SD-WAN Standard and Enterprise Edition | UDP | 4980 | Static Virtual Path and Dynamic Virtual Path tunnels between SD-WAN SE/EE devices. |
SD-WAN Center | TCP | 2156 | Reporting communication between SD-WAN Center and SD-WAN SE/EE devices. | |
Citrix Cloud Zero Touch Deployment Service | TCP | 443 | Authentication communication between SD-WAN devices and Citrix Cloud Services. | |
RADIUS | TCP | 1812 | Default port for authentication protocol. For communication between SD-WAN SE/EE and RADIUS external authentication server. | |
TACACS+ | TACACS | 49 | Default port for authentication protocol. For communication between SD-WAN SE/EE and TACACS external authentication server. | |
SNMP | UDP | 161, 162 | SNMP authentication and polling to SD-WAN SE/EE devices. | |
NetFlow | UDP | 2055 | NetFlow polling to SD-WAN SE/EE devices. | |
AppFlow (NetScaler MAS) | TCP | 4739 | For AppFlow communication between NetScaler MAS and SD-WAN SE/EE devices. | |
API | TCP | 80/443 | For NITRO API communication to SD-WAN SE/EE devices. | |
SD-WAN Center | Citrix Cloud Zero Touch Deployment Service | TCP | 443 | Authentication communication between SD-WAN devices and Citrix Cloud Services. |
SD-WAN WANOP Edition | SD-WAN WANOP Edition | TCP | N/A | SD-WAN WO Edition transparently optimizes TCP traffic between two sites. The original source destination and port go unchanged throughout the segments of the network. |
API (NetScaler MAS) | TCP | 80/443 | For NITRO API communication between NetScaler MAS and SD-WAN WANOP devices. | |
SSH (NetScaler MAS) | TCP | 22 | For SSH communication between NetScaler MAS and SD-WAN WANOP devices. | |
AppFlow (NetScaler MAS) | TCP | 4739 | For AppFlow communication between NetScaler MAS and SD-WAN WANOP devices. | |
NetScaler MAS | ICMP | N/A | For network reachability between NetScaler MAS and SD-WAN WANOP devices. | |
RADIUS | TCP | 1812 | Default port for authentication protocol. For communication between SD-WAN WO and RADIUS external authentication server. | |
TACACS+ | TACACS | 49 | Default port for authentication protocol. For communication between SD-WAN WO and TACACS external authentication server. | |
SNMP | UDP | 161, 162 | SNMP authentication and polling to SD-WAN WO devices. | |
SD-WAN WANOP Edition (SSL Acceleration Enabled) | SD-WAN WANOP Edition (SSL Acceleration Enabled) | TCP | 443 | SD-WAN WO Edition secure peering feature encrypts traffic between SD-WAN peers. |
Command Center Server
Source | Destination | Type | Port | Details
---|---|---|---|---
Command Center Server | NetScaler Appliance | TCP | 9094 | Used specifically by the Configuration Management module while executing/scheduling tasks
Command Center Server | NetScaler Appliance | TCP | 1099/6010 | Used when you execute the Invoke NSCLI option (under Device, right-click in the Map) between the Command Center server and NetScaler; the ping is the SNMP ping
Command Center Server | NetScaler Appliance | TCP | 22 | SSH/SFTP from the Command Center server to the NetScaler device
Command Center Server | NetScaler Appliance | UDP | 161, 162 | SNMP polling of NetScaler
Command Center Server | NetScaler Appliance | TCP | 80/443 | NITRO (HTTP/HTTPS REST API) communication
Command Center Server | Command Center Server | TCP | 1099, 2014 | Communication between Command Center high availability (HA) servers
Command Center Server | Command Center Server | TCP | 6011 | Communication between Command Center HA servers when there is a firewall between the primary and secondary servers
NetScaler Insight Center
Source | Destination | Type | Port | Details
---|---|---|---|---
NetScaler Insight Center | NetScaler Appliance | TCP | 80/443 | NITRO communication
NetScaler Insight Center | NetScaler Appliance | ICMP | – | Network reachability check
NetScaler Insight Center | NetScaler Appliance | TCP | 22 | SSH communication
NetScaler Insight Center | Database node, Connector node, Agent node | TCP | 22 | SSH communication
Connector node | Database node | TCP | Random port | Specific to scale-out deployment
Database node | Connector node | TCP | Random port | Specific to scale-out deployment
NetScaler Insight Center | Connector node | TCP | 11921 | Specific to scale-out deployment
Agent node | Connector node | TCP | 11921 | Specific to scale-out deployment
Agent node | NetScaler Insight Center | TCP | 80 | Specific to scale-out deployment
NetScaler MAS
Source | Destination | Type | Port | Details |
---|---|---|---|---|
NetScaler MAS | NetScaler or NetScaler SD-WAN instance | TCP | 80/443 | For NITRO communication |
NetScaler MAS | NetScaler or NetScaler SD-WAN instance | TCP | 22 | For SSH communication |
NetScaler MAS | NetScaler MAS | TCP | 22 | For synchronization between NetScaler MAS servers deployed in high availability mode. |
NetScaler MAS | NetScaler, NetScaler SD-WAN, NetScaler MAS | ICMP | No reserved port | To detect network reachability between NetScaler MAS and NetScaler instances, SD-WAN instances, or the secondary NetScaler MAS server deployed in high availability mode.
NetScaler MAS | Users | TCP | 25 | To send SMTP notifications from NetScaler MAS to users. |
NetScaler MAS | LDAP external authentication server | TCP | 389/636 | Default port for authentication protocol. For communication between NetScaler MAS and LDAP external authentication server. |
NetScaler MAS | NTP Server | UDP | 123 | Default NTP server port for synchronizing with multiple time sources. |
NetScaler MAS | RADIUS external authentication server | RADIUS | 1812 | Default port for authentication protocol. For communication between NetScaler MAS and RADIUS external authentication server. |
NetScaler MAS | TACACS external authentication server | TACACS | 49 | Default port for authentication protocol. For communication between NetScaler MAS and TACACS external authentication server. |
NetScaler MAS | NetScaler MAS | TCP | 5454 | Default port for communication, and database synchronization in between NetScaler MAS nodes in high availability mode. |
NetScaler MAS license server | NetScaler CPX instance | TCP | 27000 | License port for communication between the NetScaler MAS license server and the CPX instance.
NetScaler MAS license server | NetScaler CPX instance | TCP | 7279 | Citrix vendor daemon port.
Refer to the Citrix Documentation for more information on NetScaler MAS Ports.
StoreFront
Source | Destination | Type | Port | Details
---|---|---|---|---
User Device | StoreFront Server | TCP | 80/443 | Connecting to the Store or Receiver for Web site hosted on the StoreFront server
StoreFront Server | Domain Controller | TCP/UDP | 389 | LDAP connection to query user-friendly names and email addresses
StoreFront Server | Domain Controller | TCP/UDP | 88 | Kerberos
StoreFront Server | Domain Controller | TCP/UDP | 464 | Kerberos password change (kpasswd), so that users can change expired passwords
StoreFront Server | Microsoft SQL Server | TCP | 1433 | StoreFront 1.2 and earlier: reads/writes application information to the subscription database. From StoreFront 3.0.1 onwards a SQL database can again be used as an alternative to the built-in ESE+Mesh store.
StoreFront Server | StoreFront Server | TCP | Randomly selected unreserved port per service | StoreFront 2.0 and later: peer-to-peer services (Credential Wallet, and one Subscriptions Store per store). These use the .NET NetPeerTcpBinding, which negotiates a random port on each server between the peers; used only for communication within the cluster (server group). See below for pinning the port when StoreFront sits in its own network.
StoreFront Server | StoreFront Server | TCP | 808 | StoreFront 2.0 and later: Subscription Replication Service (not installed by default), used to replicate subscriptions between associated clusters
StoreFront Server | XenDesktop Controller, XenApp Controller, XenMobile / AppController | TCP | 80/443 | Application and desktop requests (XML Service)
NetScaler (load balancer) | StoreFront Server | TCP | 8000 | Monitoring service used by the NetScaler load-balancing monitor
Use the following procedure to configure firewalls when you place StoreFront in its own network (otherwise the peer-to-peer services pick a random port that cannot be allowed through a firewall):
- Locate the two service configuration files:
C:\Program Files\Citrix\Receiver StoreFront\Services\SubscriptionsStoreService\Citrix.DeliveryServices.SubscriptionsStore.ServiceHost.exe.config
C:\Program Files\Citrix\Receiver StoreFront\Services\CredentialWallet\Citrix.DeliveryServices.CredentialWallet.ServiceHost.exe.config
- Edit both files, changing every endpoint URI that starts with net.p2p:// so that it includes an explicit port. Do this for all net.p2p addresses in both files.
- Restart the Subscriptions Store and Credential Wallet services.
- The local Windows firewall already includes rules allowing these services per application, so it is not locked down by port; the fixed port is what you allow on the network firewall between the StoreFront servers.
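The edit described above, as an added example that is not Citrix's own tooling: a Python script that rewrites both ServiceHost configuration files, appending a fixed port to every net.p2p:// endpoint address that does not already carry one, taking a .bak copy first and leaving already-pinned addresses untouched so it can be re-run safely. The file layout (WCF endpoint elements with an address attribute), the placement of the port after the mesh name (net.p2p://mesh:port/path) and the default port 9101 are assumptions; the embedded sample configuration is constructed for illustration, not a real StoreFront file.

```python
import re
import shutil
import sys
from pathlib import Path

# Constructed sample standing in for a StoreFront ServiceHost .exe.config.
# Assumption: endpoints are <endpoint address="net.p2p://<mesh>/<path>" .../>
# and a pinned endpoint carries the port as net.p2p://<mesh>:<port>/<path>.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <services>
      <service name="SubscriptionsStore">
        <endpoint address="net.p2p://SubscriptionsStore/Store1" binding="netPeerTcpBinding" contract="IStore" />
        <endpoint address="net.p2p://SubscriptionsStore:9101/Store2" binding="netPeerTcpBinding" contract="IStore" />
        <endpoint address="http://localhost:8080/Store1" binding="basicHttpBinding" contract="IStore" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
"""

# Only net.p2p:// endpoint addresses are touched; group 3 captures a port that
# is already present so the rewrite is idempotent.
P2P_ADDR = re.compile(r'(address="net\.p2p://)([^/":]+)(:\d+)?(/[^"]*)?(")')

# The two files named in the procedure above (paths from the page).
DEFAULT_FILES = [
    r"C:\Program Files\Citrix\Receiver StoreFront\Services\SubscriptionsStoreService\Citrix.DeliveryServices.SubscriptionsStore.ServiceHost.exe.config",
    r"C:\Program Files\Citrix\Receiver StoreFront\Services\CredentialWallet\Citrix.DeliveryServices.CredentialWallet.ServiceHost.exe.config",
]


def pin_p2p_port(config_text, port):
    """Add :port to every net.p2p:// address lacking one.

    Returns (new_text, changed, already_pinned). Addresses that already carry a
    port are left exactly as they are, whatever port they use.
    """
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid port {port}")
    changed = already = 0

    def repl(m):
        nonlocal changed, already
        if m.group(3):          # already pinned: leave it alone
            already += 1
            return m.group(0)
        changed += 1
        return f"{m.group(1)}{m.group(2)}:{port}{m.group(4) or ''}{m.group(5)}"

    return P2P_ADDR.sub(repl, config_text), changed, already


def pin_file(path, port):
    """Back the file up as <name>.bak, rewrite it in place, return (changed, already_pinned)."""
    path = Path(path)
    original = path.read_text(encoding="utf-8")
    new_text, changed, already = pin_p2p_port(original, port)
    if changed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(new_text, encoding="utf-8")
    return changed, already


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 9101   # hypothetical fixed port
    files = sys.argv[2:] or DEFAULT_FILES
    for f in files:
        changed, already = pin_file(f, port)
        print(f"{f}: pinned {changed} endpoint(s), {already} already pinned")
    print("Restart the Citrix Subscriptions Store and Credential Wallet services to apply.")
```

Run it once per StoreFront server with the same port argument, then open that port between the servers on the network firewall; the .bak copies give you a rollback if the services fail to start after the change.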
XenMobile
Refer to the following link for XenMobile Ports – Port Requirements
Password Manager/Single Sign-On
Source | Destination | Type | Port | Details
---|---|---|---|---
Single Sign-On Plug-in, Single Sign-On Service and Admin Workstation | Credential Store – File Share | – | – | –
Single Sign-On Plug-in, Single Sign-On Service and Admin Workstation | Credential Store – Active Directory integrated | TCP/UDP | 389 | LDAP
Single Sign-On Plug-in, Single Sign-On Service and Admin Workstation | Credential Store – Active Directory integrated | TCP | 3268 | Global Catalog
Single Sign-On Plug-in, Single Sign-On Service and Admin Workstation | Credential Store – Active Directory integrated | TCP | 3269 | Global Catalog over SSL
Single Sign-On Plug-in, Single Sign-On Service and Admin Workstation | Credential Store – Novell File Share | TCP/UDP | 524 | NetWare Core Protocol (NCP)
Single Sign-On Plug-in | Single Sign-On Service | – | – | –
AppDNA 7.x
Source | Destination | Type | Port | Details
---|---|---|---|---
AppDNA Server | AppDNA website | HTTP | 80 | Connections between AppDNA and its website
AppDNA Server | Hyper-V host or virtual machine; Active Directory; System Center Configuration Manager | DCOM | 135 | Remote connections to optional components
AppDNA Server | IIS site | HTTP | 8199 | Connections between AppDNA and IIS; port is configurable
AppDNA Server | Virtual machine | TCP | 54593 | Connections with the AppDNA Remote Admin agent (for Install Capture); port is configurable
AppDNA Server | Network share | TCP/UDP | 445 | SMB direct
AppDNA Server | Name resolution server | TCP/UDP | 53 | DNS
AppDNA Server | Microsoft SQL Server | TCP | 1433, 1746, 1748, 1750 | Connections between AppDNA and SQL Server
AppDNA Server | AppDNA License Server | TCP | 8079 | Connections between AppDNA and its license server
AppDNA Server | Citrix License Server | TCP | 7279, 27000 | Connections between AppDNA and the Citrix License Server
AppDNA Client | AppDNA website | HTTP | 80 | Connections between AppDNA clients and the AppDNA website
AppDNA Client | AppDNA website | HTTPS | 443 | Connections between AppDNA clients and the AppDNA website
AppDNA Client | Hyper-V host or virtual machine | DCOM | 135 | Remote connections to optional components
Citrix License Server
Source | Destination | Type | Port | Details
---|---|---|---|---
Any Citrix Component | Citrix License Server | TCP | 27000 | Handles the initial point of contact for license requests (lmgrd.exe)
Any Citrix Component | Citrix License Server | TCP | 7279 | Check-in/check-out of Citrix licenses (Citrix.exe vendor daemon); inbound/outbound between the license server and the XenMobile server
Admin Workstation | Citrix License Server | TCP | 8082 | Web-based administration console (lmadmin.exe)
Admin Workstation | Citrix License Server | TCP | 8083 | Simple License Service port (required for XenDesktop 7.x)
Admin Workstation | Citrix License Server | TCP | 80 | Licensing Config PowerShell snap-in service (Citrix.LicensingConfig.SdkWcfEndpoint.exe)
Citrix Online Products
Source | Destination | Type | Port | Details |
---|---|---|---|---|
User Workstation | GoToMeeting, GoToWebinar, GoToMyPC, GoToAssist | TCP | 80/443/8200 | Contacting GoToMeeting service broker using the Endpoint Gateway (EGW) |
Session Recording Server
Source | Destination | Type | Port | Details |
---|---|---|---|---|
Server OS Virtual Delivery Agent | Session Recording Server | TCP | 80/443 | Communication between Session Recording Agent installed on Server OS VDA to connect to the Session Recording Server. Default installation uses HTTPS/SSL to secure communications. If SSL is not configured, use HTTP. |
Session Recording Policy Console | Session Recording Server | TCP | 80/443 | Communication between server where the Session Recording Policy Console is installed and Session Recording Server |
Session Recording Player | Session Recording Server | TCP | 80/443 | Communication between the workstation where the Session Recording Player is installed and Session Recording Server. |
Common Citrix Communication Ports
Source | Type | Port | Details
---|---|---|---
Citrix Receiver | TCP | 80/443 | Communication with StoreFront
ICA/HDX | TCP | 1494 | Access to applications and virtual desktops
ICA/HDX with Session Reliability | TCP, UDP | 2598 | Access to applications and virtual desktops; the EDT protocol requires UDP 2598 to be open
ICA/HDX over SSL | TCP | 443 | Access to applications and virtual desktops
ICA/HDX from HTML5 Receiver | TCP | 8008 | Access to applications and virtual desktops
ICA/HDX Audio over UDP | UDP | 16500-16509 | Port range for ICA/HDX audio
IMA | TCP | 2512 | Independent Management Architecture (IMA)
Management Console | TCP | 2513 | Citrix management consoles and WCF services (in XenApp 6.5 port 2513 is used by XenApp Command Remoting Services through WCF). Not used on FMA-based platforms (7.5 and later).
Application/Desktop Request | TCP | 80/8080/443 | XML Service
STA | TCP | 80/8080/443 | Secure Ticketing Authority (embedded in the XML Service)
Delivery Controller | TCP | 89 | Used by the secondary broker when Local Host Cache is enabled in 7.12 and above (this use of port 89 might change in future releases)
EdgeSight
Source | Destination | Type | Port | Details
---|---|---|---|---
EdgeSight Server | Microsoft SQL Server | TCP | 1433 | Communication with SQL Server for agent payload uploads
EdgeSight Server | Microsoft SQL Server Reporting Services | TCP | 80/443 | Communication with Reporting Services when creating EdgeSight reports
EdgeSight Server | EdgeSight Agent | TCP | 9035 | Communication with RSCorSvc on the EdgeSight Agent from within the EdgeSight console
EdgeSight Server | SNMP Server | UDP | 161, 162 | When alerts are forwarded by means of SNMP (traps are sent to UDP 162)
EdgeSight Server | SMTP Server | TCP | 25 | When alerts are forwarded by email
Microsoft SQL Server Reporting Services | Microsoft SQL Server | TCP | 1433 | Database access
EdgeSight Agent | EdgeSight Server | TCP | 80/443 | Communication with the EdgeSight Server for payloads and alerts
EdgeSight Agent | EdgeSight Agent (loopback) | TCP | 9036 | EdgeSight Agent internal communication (client-side database)
Admin Workstation | EdgeSight Server | TCP | 80/443 | Console access
Admin Workstation | EdgeSight Agent | TCP | 9035 | Accessing real-time data
Federated Authentication Services
Source | Destination | Type | Port | Details |
---|---|---|---|---|
StoreFront | FAS Server | TCP | 80 | To send identity assertion of the user. |
FAS Server | Microsoft Certificate Authority | TCP | 135 | Certificate Request. |
Domain Controller | TCP/UDP | 389 | Validate the user account before creating a certificate request | |
Microsoft Certificate Authority | FAS Server | TCP | 135 | Issue certificate to the certificate request from FAS Server. |
Virtual Desktop Agent | FAS Server | TCP | 80 | Fetch the user certificate from the FAS Server. |
Domain Controller | TCP/UDP | 389 | Authentication of user during application or desktop launch | |
Note: The Microsoft CA accepts communication using Kerberos-authenticated DCOM, which can be configured to use a fixed TCP port. To learn more, see Federated Authentication Service certificate authority configuration.
Provisioning Services
Source | Destination | Type | Port | Details
---|---|---|---|---
Provisioning Server | Provisioning Server | UDP | 6890-6909 | Inter-server communication
Provisioning Server | Microsoft SQL Server | TCP | 1433 | Communication with Microsoft SQL Server
Provisioning Server | Domain Controller | TCP | 389 | Communication with Active Directory
Target Device | Broadcast / DHCP Server / PXE Service | UDP | 67 / 4011 | Optional: obtaining network boot information when DHCP options 66 (TFTP Server Name) and 67 (Boot File Name) are not configured and boot from ISO or local disk is not used
Target Device | TFTP Server | UDP | 69 | Trivial File Transfer Protocol (TFTP) for bootstrap delivery
Target Device | Provisioning Server | UDP | 6910 | Target device logon to Provisioning Services (from version 6.0, PVS also initiates outbound communication to target devices on 6901, 6902 and 6905)
Target Device | Provisioning Server | UDP | 6910-6930 | vDisk streaming (Streaming Service); configurable
Target Device | Provisioning Server | UDP | 6969 and 2071 | Two-stage boot (BDM); used in boot from ISO or USB scenarios only
Target Device | Provisioning Server | TCP | 54321-54323 | SOAP Service, used by the Imaging Wizard
Admin Workstation | Provisioning Server | TCP | 54321-54323 | SOAP Service, used by the console and APIs (MCLI, PowerShell, etc.)
SmartAuditor
Source | Destination | Type | Port | Details
---|---|---|---|---
SmartAuditor Agent | SmartAuditor Server | TCP/UDP | 1801 | MSMQ: reliable transport of data from the SmartAuditor Agent to the SmartAuditor Server using an MSMQ private message queue named CitrixSmAudData
SmartAuditor Agent | SmartAuditor Server | TCP | 2101 | MSMQ-DCs
SmartAuditor Agent | SmartAuditor Server | TCP | 2103 | MSMQ-RPC
SmartAuditor Agent | SmartAuditor Server | TCP | 2105 | MSMQ-RPC
SmartAuditor Agent | SmartAuditor Server | TCP | 2107 | MSMQ-Mgmt
SmartAuditor Agent | SmartAuditor Server | UDP | 3527 | MSMQ-Ping
SmartAuditor Agent | SmartAuditor Server | TCP | 80/443 (configurable) | Recording and policy check (SmartAuditor Policy Console)
SmartAuditor Server | Microsoft SQL Server | TCP/UDP | 1433 | SmartAuditor database
SmartAuditor Player | SmartAuditor Server (Broker) | TCP/UDP | 80/443 (configurable) | Communication between the SmartAuditor Player and the SmartAuditor Server (Broker)
Stage Manager
Source | Type | Port | Details
---|---|---|---
End device to StageManager Server user interface | TCP | 3389 | RDP for Windows guests
End device to virtual machines | TCP | 5900 | VNC for Linux guests
End device to virtual machines | TCP | 5900-5999 | Connections for XenServer
End device to virtualization host | TCP | 2179 | Connections for Microsoft Hyper-V
End device to virtualization host | TCP/UDP | 35110-35112 | Server discovery ports for VMAgent/GuestAgent
VMAgent to StageManager Server | TCP | 9443 | Secure (HTTPS) server discovery ports for VMAgent/GuestAgent
StageManager Server to Active Directory | TCP | 389 | LDAP
StageManager Server to Active Directory | TCP | 636 | LDAP over SSL (LDAPS)
Storage Link
Source | Destination | Type | Port | Details
---|---|---|---|---
StorageLink Service | Microsoft SQL Server | TCP | 1433 | StorageLink database on Microsoft SQL Server
Workflow Studio
Source | Type | Port | Details |
---|---|---|---|
Console | TCP | 8010 | Connection to remote runtime |
Database | TCP | 1433 | MicrosoftSQL Server |
XenApp Prior to Version 7.5
Source | Destination | Type | Port | Details
---|---|---|---|---
XenApp Server | XenApp Server | TCP | 2512 | Worker to controller and controller to controller communication (IMA)
XenApp Server | Microsoft SQL Server | TCP | 1433 | Microsoft SQL Server (data store)
XenApp Server | Microsoft SQL Server | TCP | 1434 | Microsoft SQL Server (named instance connections use UDP 1434 for the SQL Browser)
XenApp Server | Power & Capacity Management Concentrator | TCP | 11168 | Only if the Power & Capacity Management Agent has been installed: communication with the concentrator
XenApp Server | Application Streaming – App Hub on file share | SMB | 445 | Communication with the Application Hub (file server/share)
XenApp Server | Application Streaming – App Hub on web server | HTTP/S | 80/443 | Communication with the Application Hub (web server)
Admin Workstation | XenApp Server | TCP | 135 | Authentication of the admin user account (RPC endpoint mapper)
Admin Workstation | XenApp Server | TCP | Randomly selected unreserved port | AppCenter to XenApp controller communication (via the MFCOM service)
XenClient Enterprise Synchronizer
Source | Destination | Type | Port | Details
---|---|---|---|---
XenClient Synchronizer | XenClient Synchronizer | TCP | 443 | Used in scenarios with remote synchronizers located in branch offices
XenClient Synchronizer | Hyper-V Host | TCP | 2179 | Used by the Hyper-V management service console (RDP)
XenClient Synchronizer | Microsoft SQL Server | TCP | 1433 | SQL database port; must be open from both remote and central XenClient Enterprise Synchronizer servers
XenClient Synchronizer | Domain Controller | TCP | 389 | Non-SSL port for LDAP to AD
XenClient Enterprise Engine | XenClient Synchronizer | TCP | 443 | Used by XenClient Enterprise Engines to communicate with the XenClient Enterprise Synchronizer; if not open, clients cannot register or otherwise communicate with the Synchronizer
Admin Workstation | XenClient Synchronizer | TCP | 8443 | Used by the administrator to reach the XenClient Enterprise Synchronizer UI
XenDesktop/XenApp 7.5 and Later Versions
Source | Destination | Type | Port | Details
---|---|---|---|---
Controller | Citrix XenServer Resource Pool Master | TCP | 80/443 | Communication with XenServer infrastructure
Controller | Microsoft SCVMM Server | TCP | 8100 | Communication with Hyper-V infrastructure
Controller | VMware vCenter Server | TCP | 443 | Communication with vSphere infrastructure
Controller | Microsoft SQL Server | TCP | 1433 | Microsoft SQL Server
Controller | Microsoft SQL Server | TCP | 1434 | Microsoft SQL Server; named instance connections require UDP 1434 (SQL Browser)
Controller | Virtual Desktop | TCP | 80 (bidirectional) | XenDesktop 7 and later only: the Controller initiates the connection when discovering local applications or gathering information about local processes, performance data, etc.
Controller | Virtual Desktop | UDP | 9 | Wake on LAN magic packet (optional, for Microsoft Configuration Manager Wake on LAN)
Controller | Virtual Desktop | TCP | 135 | Wake-up proxy (optional, for Microsoft Configuration Manager Wake on LAN)
Controller | Microsoft System Center Configuration Manager | TCP | 135 | WMI connection to ConfigMgr for Wake on LAN
Controller | Orchestration | TCP | 9095 | Orchestration
Controller | Controller | TCP | 80 | Communication between Controllers
Director Server | Virtual Delivery Agent | TCP | 80 | XenDesktop 5.6 and earlier only: communication between Director and the Virtual Delivery Agent for WinRM 1.1
Director Server | Virtual Delivery Agent | TCP | 5985 | XenDesktop 5.6 and earlier only: communication between Director and the Virtual Delivery Agent for WinRM 2.0
Desktop Director and Admin Workstation | Virtual Delivery Agent | TCP | 135, 3389 | Communication between Desktop Director and the Virtual Delivery Agent for Remote Assistance
Desktop Director and Admin Workstation | Domain Controller | TCP | 389 | LDAP. Note: for the logon step Desktop Director does not contact AD directly but performs a local logon using the native Windows API LogonUser (which might internally contact AD).
Endpoint (Receiver) | Virtual Delivery Agent | TCP, UDP | 2598 | Access to applications and virtual desktops by ICA/HDX with Session Reliability; the EDT protocol requires UDP 2598 to be open
Endpoint (Receiver) | Virtual Delivery Agent | TCP, UDP | 1494 | Access to applications and virtual desktops by ICA/HDX; the EDT protocol requires UDP 1494 to be open
Endpoint (Receiver) | Virtual Delivery Agent | TCP | 443 | Access to applications and virtual desktops by ICA/HDX over SSL
Endpoint (Receiver) | Virtual Delivery Agent | TCP | 8008 | Access to applications and virtual desktops by ICA/HDX from the HTML5 Receiver
Endpoint (Receiver) | Virtual Delivery Agent | UDP | 16500-16509 | Port range for ICA/HDX audio
Endpoint (Receiver) | Virtual Delivery Agent | UDP | 3224-3324 | ICA/HDX Framehawk
Virtual Delivery Agent (5.x and later) | Controller | TCP | 80 (bidirectional) | Used by WorkstationAgent.exe to communicate with the Controller
Virtual Delivery Agent (previous versions) | Controller | TCP | 8080 | Communication between the Desktop Delivery Controller and the Virtual Desktop Agent
Virtual Delivery Agent | Domain Controller | TCP | 3268 | Communication between the Virtual Delivery Agent and the Microsoft Global Catalog, used during the registration process in order to validate its list of configured
Admin Workstation | Director Server | TCP | 80/443 | Access to the XenDesktop Director website
Admin Workstation | Controller | TCP | 80/443 | When using a locally installed Studio console or the SDK to access the Controller directly. The following services listen on the Controller: general brokering (BrokerService.exe); Active Directory Identity Service (Citrix.ADIdentity.SdkWcfEndpoint.exe); Configuration Logging Service; Configuration Service (Citrix.Configuration.SdkWcfEndpoint.exe); Delegated Admin Service; Host Service (Citrix.Host.SdkWcfEndpoint.exe); Machine Creation Service (Citrix.MachineCreation.SdkWcfEndpoint.exe); Machine Identity Service (Citrix.MachineIdentity.SdkWcfEndpoint.exe); License Configuration Service (Citrix.LicensingConfig.SdkWcfEndpoint.exe)
Admin Workstation | Virtual Delivery Agent | TCP/UDP | Dynamically allocated high port (49152-65535) | When initiating a Remote Assistance session from a Windows 7 machine to a Windows Vista/7 Virtual Delivery Agent
Admin Workstation | Virtual Delivery Agent | TCP | 3389 | When initiating a Remote Assistance session from a Windows 7 machine to a Windows XP Virtual Delivery Agent
Endpoint (Receiver) (internal) | Virtual Delivery Agent | UDP | 3224-3324 | Access to applications and virtual desktops with Framehawk
DDC | Hyper-V Host | TCP | 445 | To add hosting connection |
Workspace Environment Management (WEM)
Source | Destination | Type | Port | Details |
---|---|---|---|---|
Infrastructure service | Agent host | TCP | 49752 | “Agent port”. Listening port on the agent host which receives instructions from the infrastructure service. |
Administration console | Infrastructure service | TCP | 8284 | “Administration port”. Port on which the administration console connects to the infrastructure service. |
Agent | Infrastructure service | TCP | 8286 | “Agent service port”. Port on which the agent connects to the infrastructure server. |
Agent cache synchronization process | Infrastructure service | TCP | 8285 | “Cache synchronization port”. Port on which the agent cache synchronization process connects to the infrastructure service to synchronize the agent cache with the infrastructure server. |
Infrastructure service | Citrix License Server | TCP | 27000 | “Citrix License Server port”. The port on which the Citrix License Server is listening and to which the infrastructure service then connects to validate licensing. |
Infrastructure service | Citrix License Server | TCP | 7279 | The port used by the dedicated Citrix component (daemon) in the Citrix License Server to validate licensing. |
Monitoring service | Infrastructure service | TCP | 8287 | “WEM monitoring port”. Listening port on the infrastructure server used by the monitoring service. (Not yet implemented.) |
XenServer
Source | Destination | Type | Port | Details |
---|---|---|---|---|
XenServer | XenServer | TCP | 443 | Intra-host communication between members of a Resource Pool using XenAPI |
XenServer | NTP Service | TCP/UDP | 123 | Time synchronization |
XenServer | DNS Service | TCP/UDP | 53 | DNS |
XenServer | Domain Controller | TCP | 389 | User authentication when using Active Directory integration (LDAP) |
XenServer | Domain Controller | TCP | 636 | LDAP over SSL (LDAPS) |
XenServer | File Server | TCP/UDP | 139 | ISO Store: NetBIOS Session Service |
XenServer | File Server | TCP/UDP | 445 | ISO Store: Microsoft-DS |
XenServer | SAN Controller | TCP | 3260 | iSCSI storage |
XenServer | NAS Head / File Server | TCP | 2049 | NFS storage |
XenServer | Storage Link Gateway | TCP | 21605 | Only XenServer 5.6 and earlier: SOAP over HTTP integrated Storage Link traffic |
XenServer | Citrix License Server | TCP | 27000 | Handles initial point of contact for license requests |
XenServer | Citrix License Server | TCP | 7279 | Check-in/check-out of Citrix licenses |
XenServer | Clustering | TCP | 8892, 21064 | Communication between all pool members in a clustered pool |
XenServer | Clustering | UDP | 5404, 5405 | Communication between all pool members in a clustered pool |
Admin Workstation (XenCenter) | XenServer | TCP | 22 | SSH |
Admin Workstation (XenCenter) | XenServer | TCP | 443 | Management using XenAPI |
Admin Workstation (XenCenter) | Virtual Machine | TCP | 5900 | VNC for Linux guests |
Admin Workstation (XenCenter) | Virtual Machine | TCP | 3389 | RDP for Windows guests |
Note: If an FQDN is used instead of an IP address for a resource, make sure it is resolvable.
Citrix App Layering
Citrix Documentation – Firewall ports
Additional Resources
Port number assignments are maintained by the Internet Assigned Numbers Authority (IANA), updated regularly, and revised when new information is available and new assignments are made. The port number list is published at the following web site: Service Name and Transport Protocol Port Number Registry.