
Citrix VAD Communication Ports

The infrastructure of Citrix Virtual Apps and Desktops (formerly known as XenDesktop and/or XenApp) consists of several components. Citrix Virtual Apps and Desktops also needs to communicate with other components within the total IT infrastructure. In this article I will go through the several components and their communication ports with other components.

General

First of all, Citrix has a pretty decent overview of the ports in use in Knowledgebase article CTX101810. However, the overview can be a bit overwhelming and lacks some detailed information about the exact protocol that goes over each port. I stumbled across this in one of the projects I have done lately and share my experiences in this article. The ports mentioned in this article are the ones that are actually being used.

A second general remark is that Citrix Virtual Apps and Desktops (CVAD) relies heavily on Active Directory. Most components are part of an Active Directory domain and require communication with the Domain Controllers. That communication is not specified in this article, but it must be in place (otherwise the component cannot be part of the Active Directory domain).

Let's start with the Delivery Controller communication ports. To keep the document readable, each table is organized by the source of the flow.

Delivery Controller

The Delivery Controller is the heart of the CVAD infrastructure, so logically many communication streams are started from and to the delivery controller.

First of all, the Delivery Controllers communicate with each other on port 80. If they are in separate VLANs, this port should be allowed between them.

The same port is used for communication with the Virtual Desktop Agent (see that paragraph) as well. If the firewall also filters on the type of traffic, you need to define SOAP for those two streams (instead of web traffic).

The Delivery Controller also has communication traffic with the SQL server(s). The default SQL ports are 1433 and 1434, however the SQL administrator can provide different ports especially in Cluster configurations.

When using Machine Creation Services it is a requirement, and in other scenarios it is optional (but handy for power management, for example), that the Delivery Controller can communicate with the hypervisor. I have done this with XenServer and vCenter. For XenServer the default port is 80, which becomes 443 if you secure the XenServer traffic. The communication with vCenter uses 443.

Last but not least, the Delivery Controller communicates with the Citrix License Server. For the actual license assignments, ports 27000 and 7279 are used. If you have Studio running on the Delivery Controller (for the initial configuration, for example), ports 8082 and 8083 are also required.

Source | Destination | Ports
Delivery Controllers | Delivery Controllers | TCP 80 (SOAP)
Delivery Controllers | Virtual Desktop Agent | TCP 80 (SOAP)
Delivery Controllers | Hypervisor | XenServer: TCP 80/443; vCenter: TCP 443
Delivery Controllers | Citrix License Server | TCP 27000, TCP 7279
Delivery Controllers (if Studio is running) | Citrix License Server | TCP 8082, TCP 8083

Virtual Desktop Agent

The second component we are going to discuss is the Virtual Desktop Agent. The Virtual Desktop Agent communicates with the Delivery Controller on port 80. This is also SOAP traffic instead of default web traffic. Further, the Citrix knowledgebase mentions that all components should communicate with the Citrix License Server on ports 27000 and 7279. I'm not sure whether this one is really needed.

When using Citrix FAS, the Virtual Desktop Agent communicates with the FAS server via port 80 according to the manual. This traffic is also SOAP.

Source | Destination | Ports
Virtual Desktop Agent | Delivery Controllers | TCP 80 (SOAP)
Virtual Desktop Agent | Citrix License Server | TCP 27000, TCP 7279
Virtual Desktop Agent | Federated Authentication Service (FAS) | TCP 80 (SOAP)

Citrix StoreFront

The next component to discuss is Citrix StoreFront. StoreFront has one mandatory traffic flow, which is the communication with the Delivery Controllers to determine which icons to show and to retrieve the information for the creation of the ICA file. Just as with the VDAs, this is not web traffic but SOAP traffic.

Secondly, if you are using Citrix Federated Authentication Service (FAS), StoreFront needs to communicate with the FAS servers on port 80 (SOAP) as well.

Source | Destination | Ports
StoreFront Servers | Delivery Controllers | TCP 80 (SOAP)
StoreFront Servers | Federated Authentication Service (FAS) | TCP 80 (SOAP)

Citrix Director

The communication paths for Citrix Director are sometimes overlooked. First of all, Director communicates with the Delivery Controller for all real-time and historical data. Just as all other Delivery Controller communication, this is SOAP traffic on port 80. Secondly, the overlooked part is the shadowing possibility out of Director. To make this possible, ports 135, 389 and 3389 need to be open to the VDAs.

Source | Destination | Ports
Director Servers | Delivery Controllers | TCP 80 (SOAP)
Director Servers | Virtual Desktop Agents | TCP 135, TCP 389, TCP 3389

Federated Authentication Service

A relatively new component within the Citrix infrastructure. Federated Authentication Service (FAS) communicates with both other Citrix components and Microsoft components. However, most communication is initiated by the other components. The only traffic started from the FAS is the flow to the Certificate Authority. By default this communication uses the dynamic port range 49152 - 65535. Luckily this can be configured to a fixed port on the Certificate Authority, as described in the FAS CA Configuration article under the paragraph Configure the Microsoft CA for TCP access.

This assumes that traffic to a Domain Controller is possible; otherwise, port 389 to the Domain Controllers should be added as well.

Source | Destination | Ports
Federated Authentication Service | Certificate Authority | TCP 135, TCP <<fixed port>> or 49152-65535

NetScaler Gateway

The NetScaler Gateway is probably the only component that is definitely placed in a network segment where firewalls are involved. As a NetScaler uses several IP addresses with different functions, it can be a struggle. In most cases the traffic from the NetScaler Gateway should come from the so-called Subnet IP address (SNIP); however, I have seen circumstances where the traffic flows over the NetScaler IP address (NSIP). Logically there are also traffic flows to the NetScaler Gateway, but to keep the article in line, those are mentioned in other paragraphs of this article.

There is traffic to the Delivery Controller for the STA ticket. StoreFront is also used for the application icons, the ICA file and (optionally) the callback.

Don't forget about the authentication flows. Nowadays there are a lot of possibilities, and to keep the article clean I'm not going into detail for each of them. If you know which one you want to use (LDAP, LDAPS, RADIUS, SAML), you will find the port via a simple search on the Internet.

Source | Destination | Ports
NetScaler Gateway (SNIP, NSIP) | Delivery Controllers | TCP 80 (SOAP)
NetScaler Gateway | StoreFront Servers | TCP 443 (or 80 when StoreFront is not secured)
NetScaler Gateway | Virtual Desktop Agents | TCP/UDP 194, TCP/UDP 2598

Admin Console

If the admin consoles are running on specific machines, there are several communication flows to the components. Logically you need to check which administrative tasks are executed on these machines. Think of communication out of Studio, to Citrix Director, to the NetScaler Gateway and so on.

Source | Destination | Ports
Admin Console: Citrix Studio | Delivery Controllers | TCP 80 (SOAP)
Admin Console: Citrix Studio | License Servers | TCP 27000, TCP 7279, TCP 8082, TCP 8083
Admin Console | Director Servers | TCP 443
Admin Console | NetScaler Gateway VIP | TCP 443


User Workspace

Not to be forgotten are the ports required for the end user to actually use the CVAD infrastructure. Logically it depends on how the user reaches the session. Basically there are two possible scenarios: via the NetScaler Gateway or directly via StoreFront. The first one is used for external access (but I see it being used more and more for internal access as well). The StoreFront scenario should only be used for internal access. Each scenario has its own communication flows.

Source | Destination | Ports
User Workspace via NS Gateway (external or internal) | NetScaler VIP | TCP 443

Source | Destination | Ports
User Workspace via StoreFront | StoreFront Servers | TCP 443 (or 80 when StoreFront is not secured, really not advisable)
User Workspace via StoreFront | Virtual Desktop Agents | TCP/UDP 194, TCP/UDP 2598
User Workspace via StoreFront (optional ICA/HDX audio) | Virtual Desktop Agents | UDP 16500-16509
User Workspace via StoreFront (optional Framehawk) | Virtual Desktop Agents | UDP 3224-3324


Other Components

Some of the above-mentioned components have communication flows set up by other (non-Citrix) components. Those are listed in the table below.

Source | Destination | Ports
Certificate Authority | FAS Servers | TCP 135, TCP <<fixed port>> or 49152-65535

Summarization

In this article I discussed the different communication flows and corresponding ports within a Citrix Virtual Apps and Desktops (formerly known as XenDesktop/XenApp) infrastructure. In case these components are separated by firewalls, you now have a full overview of what should be opened on the firewalls to have a fully functioning CVAD environment.
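As an added example (not part of this article or of any Citrix tooling), the Python below encodes the tables above as data using the article's role names, parses the port notation the tables use (TCP/UDP, comma lists, ranges, 80/443 alternatives), derives the flows a host in a given role must be able to reach, and offers a TCP connect test for the TCP rows. It assumes 1494 in the ICA rows where the tables print 194 (1494 is the standard ICA port), simplifies the hypervisor, Studio and CA rows into fixed specs, and leaves the host names to test against up to you.

```python
import socket

# (source role, destination role, port spec) copied from the article's tables.
# The article's ICA rows print "194"; 1494 is the ICA port and is used here.
FLOWS = [
    ("Delivery Controllers", "Delivery Controllers", "TCP 80"),
    ("Delivery Controllers", "Virtual Desktop Agent", "TCP 80"),
    ("Delivery Controllers", "Hypervisor XenServer", "TCP 80/443"),
    ("Delivery Controllers", "Hypervisor vCenter", "TCP 443"),
    ("Delivery Controllers", "Citrix License Server", "TCP 27000,7279"),
    ("Delivery Controllers (Studio)", "Citrix License Server", "TCP 8082,8083"),
    ("Virtual Desktop Agent", "Delivery Controllers", "TCP 80"),
    ("Virtual Desktop Agent", "Citrix License Server", "TCP 27000,7279"),
    ("Virtual Desktop Agent", "FAS", "TCP 80"),
    ("StoreFront Servers", "Delivery Controllers", "TCP 80"),
    ("StoreFront Servers", "FAS", "TCP 80"),
    ("Director Servers", "Delivery Controllers", "TCP 80"),
    ("Director Servers", "Virtual Desktop Agents", "TCP 135,389,3389"),
    ("FAS", "Certificate Authority", "TCP 135,49152-65535"),
    ("NetScaler Gateway", "Delivery Controllers", "TCP 80"),
    ("NetScaler Gateway", "StoreFront Servers", "TCP 443"),
    ("NetScaler Gateway", "Virtual Desktop Agents", "TCP/UDP 1494,2598"),
    ("User Workspace", "NetScaler VIP", "TCP 443"),
    ("User Workspace", "StoreFront Servers", "TCP 443"),
    ("User Workspace", "Virtual Desktop Agents", "TCP/UDP 1494,2598"),
    ("User Workspace", "Virtual Desktop Agents", "UDP 16500-16509"),
]

def parse_spec(spec):
    """'TCP/UDP 1494,2598' -> (proto, low, high) tuples; 'a-b' is a range, 'a/b' alternatives."""
    protos, ports = spec.split(" ", 1)
    ranges = []
    for item in ports.replace("/", ",").split(","):
        lo, _, hi = item.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return [(p, lo, hi) for p in protos.split("/") for lo, hi in ranges]

def required_checks(source_role):
    """Sorted (destination, proto, low, high) tuples a host in source_role must reach."""
    return sorted({(dst, proto, lo, hi) for src, dst, spec in FLOWS
                   if src == source_role for proto, lo, hi in parse_spec(spec)})

def tcp_reachable(host, port, timeout=2.0):
    """TCP connect test from this host; the UDP rows (ICA/CGP, HDX audio) need a different check."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run `required_checks("StoreFront Servers")` on a StoreFront server and feed each TCP row to `tcp_reachable` with your real host names to confirm the firewall rules before go-live.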