
Communication ports used by XenApp 6.5 (with the IMA Worker Mode enabled)

At one of my customers we were designing a XenApp 6.5 farm in which the XenApp servers would be located in several data centers with firewalls in between, and in which we would also use the IMA Worker Mode. It's clear which ports are used for the communication between client and server. Although Citrix publishes a sheet with the communication ports its products use for server-to-server communication, it is not fully explained when those ports are used or required, and for which kind of communication. So answering the customer's question ended in setting up a small environment and actually checking which ports the communication requires (using the Windows Firewall). In this article I will share my experiences.


The theory

In article CTX101810 Citrix has written down all the ports used by its products. In the section on common Citrix communication ports, two well-known ports are mentioned for communication between servers: port 2512 for the Independent Management Architecture (IMA) and port 2513 for the Citrix Management Console/WCF Services. If you zoom in on the specific product, port 2512 is mentioned again, described as Worker to Controller and Controller to Controller communication. Often you don't have to worry about this, but in this case the design was to install the Controller Hosts on one site, while the other sites would only have Session Hosts (Worker Mode), and the console would be installed on a server without Citrix XenApp installed on it. Which ports are used? Via which ports is the information collected that is shown in the AppCenter console? Does the console communicate directly with the servers, or is this done via the server(s) added in the discovery process of the console configuration? I could not find the answers, so setting up a small environment to really test it was the easiest way, and the results follow below.

In practice

The set-up is pretty easy: I installed a separate server with the Citrix Management Console, two Citrix XenApp Controller Hosts and one Citrix XenApp Session Host (Worker Mode) to check the communication ports.

I started with what I thought was the easiest one: port 2513 for the management console. I expected that this port was required for the communication between the server where the console is installed and the server(s) added in the discovery process. However, when you check the standard firewall rules created by the XenApp installation, port 2513 is not present in any rule. To be 100% sure I created rules blocking port 2513 both inbound and outbound. Even then it was possible to see the expected information in the console, so port 2513 is not used (anymore). After that I needed to find out how the connection was set up. By disabling all Citrix firewall rules the console could not connect anymore; it reported issues with MFCom RPC, which is available as a firewall rule.

This Citrix MFCom (RPC) firewall rule is the only one required to set up the connection between the console and the XenApp Controller Host.

Unfortunately the ports used by Citrix MFCom (RPC) are defined as dynamic RPC ports. I expect that it is based on default Windows RPC, so you could use the option to define a range of RPC ports as described in KB article 154596. I did not find any useful information about it, and at the customer the console and the Controller Hosts were in the same VLAN, so I did not test this further; feel free to share your experiences with me. To verify the finding I checked the latest version of the communication ports document, and it indeed mentions that a random port is used via MFCom Services, in the Admin Workstation part. So my findings were correct and port 2513 is not used anymore.
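As an added example (not from this article and not Citrix's own guidance), this is what the KB 154596 approach looks like when applied on a Controller Host: the registry values from that KB restrict the dynamic RPC port range, and a firewall rule then opens only that range plus the RPC endpoint mapper (TCP 135, standard Windows RPC) from the console host. It assumes, as the paragraph above does, that MFCom uses plain Microsoft RPC; the article states this was not tested, so verify it in a lab first. The port range and the console address are placeholder choices, and the Controller Host needs a reboot for the RPC change to take effect.

```powershell
# Added example: restrict the RPC dynamic port range (Microsoft KB 154596)
# and open only that range for the console host. Assumes MFCom is plain
# Microsoft RPC, which the article expects but did not test.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }

# 'Ports' is REG_MULTI_SZ; the 5000-5100 range is a placeholder choice.
New-ItemProperty -Path $rpcKey -Name 'Ports' -PropertyType MultiString -Value @('5000-5100') -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null

# Windows Server 2008 R2 (the XenApp 6.5 platform) has no NetSecurity
# cmdlets, so the rules are created with netsh advfirewall.
$consoleHost = '10.0.0.50'   # placeholder: address of the console server

# The endpoint mapper is how an RPC client learns the dynamic port in use.
netsh advfirewall firewall add rule name="RPC endpoint mapper from console" dir=in action=allow protocol=TCP localport=135 remoteip=$consoleHost
# The restricted dynamic range itself, only from the console host.
netsh advfirewall firewall add rule name="RPC dynamic range from console" dir=in action=allow protocol=TCP localport=5000-5100 remoteip=$consoleHost

# After the reboot, confirm the values are in place.
Get-ItemProperty -Path $rpcKey | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
```

Keep the existing Citrix MFCom (RPC) rule in place while testing; the point of the restricted range is that the rule between data centers can then be a fixed, small range instead of the whole dynamic range.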

Secondly we needed to find out how the "realtime" information (think of processes, sessions and so on) is gathered from the other servers for the console. My expectations about this were right: the server used by the console communicates over port 2512 with the other servers to collect the information. When you have added more servers in the discovery process of the console, only one of them is used to collect the data. So all servers defined in the discovery process of the console need access on port 2512 to all other servers. Only the information that can be collected by the server actually used by the console is shown. To be 100% sure that only port 2512 is being used, I disabled all other available Citrix firewall rules.

With only port 2512 available, the information is indeed shown in the console. As soon as port 2512 is blocked as well, the information is not available anymore. I also tested whether inbound 2512 is needed on the XenApp Controller Host used by the console. It looks like the initial connection requires both inbound and outbound on the Controller Host; however, disabling the inbound rule later on does not affect the information shown.
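The two checks described in this section, reproduced as an added example script (not code from the article or from Citrix) for a Controller Host on Windows Server 2008 R2: first the block rules that prove TCP 2513 is not needed, then a listing of the Citrix rules so they can be disabled one by one, and finally a reachability test on TCP 2512 from this server to every other farm server, which is the condition the console's discovery servers must meet. The port numbers come from the article; the server names and rule names are placeholders.

```powershell
# Added example: reproduce the firewall tests from the article on a
# XenApp 6.5 Controller Host (netsh advfirewall, as 2008 R2 lacks the
# NetSecurity cmdlets). Server names below are placeholders.

# 1. Prove that TCP 2513 is not needed: block it inbound and outbound.
#    The XenApp installer creates no rule for 2513, so these are test rules.
netsh advfirewall firewall add rule name="TEST block 2513 in"  dir=in  action=block protocol=TCP localport=2513
netsh advfirewall firewall add rule name="TEST block 2513 out" dir=out action=block protocol=TCP remoteport=2513
# Clean up afterwards with:
#   netsh advfirewall firewall delete rule name="TEST block 2513 in"
#   netsh advfirewall firewall delete rule name="TEST block 2513 out"

# 2. List the rules the XenApp installation created, to disable them one
#    at a time (the article's method for isolating port 2512).
netsh advfirewall firewall show rule name=all | Select-String -Pattern '^Rule Name:\s+Citrix'
# Disable a rule with, for example:
#   netsh advfirewall firewall set rule name="<Citrix rule name>" new enable=no

# 3. Check that this server reaches every other farm server on TCP 2512 (IMA).
#    Run this on each server listed in the console's discovery process.
$farmServers = @('XAPCTRL01', 'XAPCTRL02', 'XAPSESS01')   # placeholders

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A firewall drop shows up as a timeout rather than a refusal.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$me = $env:COMPUTERNAME
foreach ($server in $farmServers) {
    if ($server -ieq $me) { continue }
    $reachable = Test-TcpPort -ComputerName $server -Port 2512
    New-Object PSObject -Property @{ From = $me; To = $server; Port = 2512; Reachable = $reachable }
}
```

Any server that shows `Reachable = False` here is one whose processes and sessions will be missing from the console when this server is the one collecting the data.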

Conclusion

To summarize: the console no longer contacts the Controller Host via port 2513 but via MFCom RPC. By default this uses a dynamic RPC port range; it is not officially stated that this range can be configured to a small range or a fixed port (although I expect it is really based on Microsoft RPC). The console also communicates with the server configured in the discovery process. This server gathers the dynamic information of the other servers using IMA traffic on port 2512 only. Although you can configure more servers in the console, only one server is used at a time. So all servers must be reachable on port 2512; otherwise only the servers that can be reached will show dynamic information in the console.