The infrastructure of Citrix Virtual Apps and Desktops (formerly known as XenDesktop and/or XenApp) consists of several components. Citrix Virtual Apps and Desktops also needs to communicate with other components in the wider IT infrastructure. In this article I go through the components and the ports they use to communicate with each other.
General
First of all, Citrix has a pretty decent overview of the ports in use in Knowledgebase article CTX101810. However, that overview can be a bit overwhelming and lacks some detail about the exact protocol that goes over each port. I stumbled across this in a recent project and share my experiences in this article. The ports mentioned in this article are the ones actually in use.
A second general remark is that Citrix Virtual Apps and Desktops (CVAD) relies heavily on Active Directory. Most components are domain-joined and require communication with the Domain Controllers. That traffic is not specified in this article, but it must be in place (otherwise the component cannot be part of the Active Directory domain at all).
Let’s start with the Delivery Controller communication ports. For each component I use the source of the traffic as the leading column, to keep the document as readable as possible.
Delivery Controller
The Delivery Controller is the heart of the CVAD infrastructure, so logically many communication streams start from and end at the Delivery Controller.
First of all, the Delivery Controllers communicate with each other on port 80. If they are placed in separate VLANs, this port should be allowed between them.
The same port is used for communication with the Virtual Desktop Agents as well (see the Virtual Desktop Agent paragraph). If the firewall also filters on the type of traffic, you need to define these two streams as SOAP (instead of plain web traffic).
The Delivery Controller also communicates with the SQL server(s). The default SQL ports are 1433 and 1434; however, the SQL administrator may have configured different ports, especially in cluster configurations.
When using Machine Creation Services the Delivery Controller must be able to communicate with the hypervisor; in other scenarios this is optional (but handy for power management, for example). I have done this with XenServer and vCenter. For XenServer the default port is 80, which becomes 443 if you secure the XenServer traffic. The communication with vCenter is on port 443.
Last but not least, the Delivery Controller communicates with the Citrix License Server. For the actual license assignments ports 27000 and 7279 are used. If you have Studio running on the Delivery Controller (for the initial configuration, for example), ports 8082 and 8083 are also required.
Source | Destination | Ports
Delivery Controllers | Delivery Controllers | TCP 80 (soap)
Delivery Controllers | Virtual Desktop Agent | TCP 80 (soap)
Delivery Controllers | Hypervisor | XenServer: TCP 80 (TCP 443 when the XenServer traffic is secured); vCenter: TCP 443
Delivery Controllers | Citrix License Server | TCP 27000
Delivery Controllers (if Studio is running) | Citrix License Server | TCP 8082
Virtual Desktop Agent
The second component we are going to discuss is the Virtual Desktop Agent. The Virtual Desktop Agent communicates with the Delivery Controller on port 80. This is also SOAP traffic rather than default web traffic. Furthermore, the Citrix knowledgebase article mentions that all components should communicate with the Citrix License Server on ports 27000 and 7279. I’m not sure if this one is really needed.
When using Citrix FAS, the Virtual Desktop Agent communicates with the FAS server via port 80 according to the manual. This traffic is also SOAP.
Source | Destination | Ports
Virtual Desktop Agent | Delivery Controllers | TCP 80 (soap)
Virtual Desktop Agent | Citrix License Server | TCP 27000 TCP 7279
Virtual Desktop Agent | Federated Authentication Service (FAS) | TCP 80 (soap)
Citrix StoreFront
The next component to discuss is Citrix StoreFront. StoreFront has one mandatory traffic flow: communication with the Delivery Controllers, to determine which icons to show and to retrieve the information needed to create the ICA file. Just as with the VDAs, this is not web traffic but SOAP traffic.
Secondly, if you are using Citrix Federated Authentication Service (FAS), StoreFront needs to communicate with the FAS servers on port 80 (SOAP) as well.
Source | Destination | Ports
StoreFront Servers | Delivery Controllers | TCP 80 (soap)
StoreFront Servers | Federated Authentication Service (FAS) | TCP 80 (soap)
Citrix Director
The communication paths for Citrix Director are sometimes overlooked. First of all, Director communicates with the Delivery Controller for all real-time and historical data. Just like all other Delivery Controller communication, this is SOAP traffic on port 80. Secondly, the overlooked part is the shadowing feature of Director. To make shadowing possible, ports 135, 389 and 3389 need to be open from the Director servers to the VDAs.
Source | Destination | Ports
Director Servers | Delivery Controllers | TCP 80 (soap)
Director Servers | Virtual Desktop Agents | TCP 135 TCP 389 TCP 3389
Federated Authentication Service
A relatively new component within the Citrix infrastructure. Federated Authentication Service (FAS) communicates with both other Citrix components and Microsoft components. However, most communication is initiated by the other components. The only traffic initiated by FAS itself is the flow to the Certificate Authority. By default this communication uses the dynamic port range 49152-65535. Luckily this can be configured to a fixed port on the Certificate Authority, as described in the FAS CA configuration article under the paragraph “Configure the Microsoft CA for TCP access”.
This assumes that traffic to a Domain Controller is already possible; otherwise port 389 to the Domain Controllers should be added as well.
Source | Destination | Ports
Federated Authentication Service | Certificate Authority | TCP 135 TCP <<fixed port>> or 49152-65535
NetScaler Gateway
Probably the only component that is definitely placed in a network zone where firewalls are present. As a NetScaler uses several IP addresses with different functions, it can be a struggle. In most cases the traffic from the NetScaler Gateway comes from the so-called Subnet IP address (SNIP); however, I have seen circumstances in which the traffic flows from the NetScaler IP address (NSIP). Logically there are also traffic flows towards the NetScaler Gateway, but to keep the article consistent those are mentioned in the other paragraphs of this article.
There is traffic to the Delivery Controller for the STA ticket. StoreFront is also used for the application icons, the ICA file and (optionally) the callback.
Don’t forget about the authentication flows. Nowadays there are a lot of possibilities, and to keep the article clean I’m not going into detail for each of them. If you know which one you want to use (LDAP, LDAPS, RADIUS, SAML), you will find the port via a simple search on the Internet.
Source | Destination | Ports
NetScaler Gateway | Delivery Controllers | TCP 80 (soap)
NetScaler Gateway | StoreFront Servers | TCP 443 (or 80 when StoreFront is not secured)
NetScaler Gateway | Virtual Desktop Agents | TCP/UDP 194 TCP/UDP 2598
Admin Console
If the admin consoles run on dedicated machines, there are several communication flows from those machines to the components. Logically you need to check which administrative tasks are actually executed on these machines. Think of communication from Studio, to Citrix Director, to the NetScaler Gateway and so on.
Source | Destination | Ports
Admin Console: Citrix Studio | Delivery Controllers | TCP 80 (soap)
Admin Console: Citrix Studio | License Servers | TCP 27000 TCP 8082
Admin Console | Director Servers | TCP 443
Admin Console | NetScaler Gateway VIP | TCP 443
User Workspace
Not to forget are the ports required for the end user to actually use the CVAD infrastructure. Logically it depends on how the user reaches the session. Basically two scenarios are possible: via the NetScaler Gateway or directly via StoreFront. The first one is used for external access (but I see it being used more and more for internal access as well). The StoreFront scenario should only be used for internal access. Each scenario has its own communication flows.
Source | Destination | Ports
User Workspace via NS Gateway (external or internal) | NetScaler VIP | TCP 443

Source | Destination | Ports
User Workspace via StoreFront | StoreFront Servers | TCP 443 (or 80 when StoreFront is not secured, really not advisable)
User Workspace via StoreFront | Virtual Desktop Agents | TCP/UDP 194 TCP/UDP 2598
User Workspace via StoreFront (optional ICA/HDX audio) | Virtual Desktop Agents | UDP 16500-16509
User Workspace via StoreFront (optional Framehawk) | Virtual Desktop Agents | UDP 3224-3324
Other Components
Some of the above-mentioned components have communication flows initiated by other (non-Citrix) components. Those are listed in the table below.
Source | Destination | Ports
Certificate Authority | FAS Servers | TCP 135 TCP <<fixed port>> or 49152-65535
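The tables in this article are ordered by source, while a firewall administrator at the destination side needs the opposite view (the table just above is exactly that view for the Certificate Authority). The script below is an added example, not code from the article or from Citrix: it transcribes the management-plane flows from the tables into a list, parses the notation used in the Ports cells (including the FAS placeholder and its dynamic range fallback) and computes the inbound or outbound rule set for any role. The `fixed_rpc_port` argument is a hypothetical value standing for the fixed port you configure on the CA.

```python
"""Machine-readable version of the port tables in this article.

Added example, not code from the article or from Citrix. FLOWS transcribes
the tables above (plus the License Server ports 7279 and 8083 the prose
adds); the parser understands the 'Ports' cell notation: "TCP 80 (soap)",
"TCP/UDP 2598", "UDP 16500-16509" and "TCP <<fixed port>> or 49152-65535".
fixed_rpc_port is a hypothetical value for the fixed port configured on the CA.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PortRule:
    proto: str      # "TCP" or "UDP"
    low: int
    high: int       # equals low for a single port
    note: str = ""  # e.g. "soap", or the remark from the table cell


# One token per "<proto> <port|range|placeholder> [or <range>] [(note)]"
_TOKEN = re.compile(
    r"(?P<proto>TCP/UDP|TCP|UDP)\s+"
    r"(?P<port>\d+(?:-\d+)?|<<[^>]*>>)"
    r"(?:\s+or\s+(?P<alt>\d+-\d+))?"
    r"(?:\s+\((?P<note>[^)]*)\))?"
)


def parse_ports(spec: str, fixed_rpc_port: Optional[int] = None) -> List[PortRule]:
    """Turn one 'Ports' cell into PortRule objects; TCP/UDP yields two rules.
    The placeholder resolves to fixed_rpc_port if given, else to the range."""
    rules: List[PortRule] = []
    for m in _TOKEN.finditer(spec):
        protos = ["TCP", "UDP"] if m["proto"] == "TCP/UDP" else [m["proto"]]
        note = m["note"] or ""
        port = m["port"]
        if port.startswith("<<"):
            if fixed_rpc_port is not None:
                low = high = fixed_rpc_port
                note = "fixed port configured on the CA"
            elif m["alt"]:
                low, high = (int(x) for x in m["alt"].split("-"))
                note = "dynamic range; configure a fixed port on the CA"
            else:
                raise ValueError(f"placeholder without fallback range: {spec!r}")
        elif "-" in port:
            low, high = (int(x) for x in port.split("-"))
        else:
            low = high = int(port)
        for proto in protos:
            rules.append(PortRule(proto, low, high, note))
    return rules


# (source role, destination role, 'Ports' cell) transcribed from the tables.
FLOWS: List[Tuple[str, str, str]] = [
    ("Delivery Controllers", "Delivery Controllers", "TCP 80 (soap)"),
    ("Delivery Controllers", "Virtual Desktop Agents", "TCP 80 (soap)"),
    ("Delivery Controllers", "Citrix License Server", "TCP 27000 TCP 7279"),
    ("Delivery Controllers (Studio)", "Citrix License Server", "TCP 8082 TCP 8083"),
    ("Virtual Desktop Agents", "Delivery Controllers", "TCP 80 (soap)"),
    ("Virtual Desktop Agents", "Federated Authentication Service", "TCP 80 (soap)"),
    ("StoreFront Servers", "Delivery Controllers", "TCP 80 (soap)"),
    ("StoreFront Servers", "Federated Authentication Service", "TCP 80 (soap)"),
    ("Director Servers", "Delivery Controllers", "TCP 80 (soap)"),
    ("Director Servers", "Virtual Desktop Agents", "TCP 135 TCP 389 TCP 3389"),
    ("Federated Authentication Service", "Certificate Authority", "TCP 135 TCP <<fixed port>> or 49152-65535"),
    ("NetScaler Gateway", "Delivery Controllers", "TCP 80 (soap)"),
    ("NetScaler Gateway", "StoreFront Servers", "TCP 443 (or 80 when StoreFront is not secured)"),
]

Rule = Tuple[str, str, int, int, str]  # (peer role, proto, low, high, note)


def rules_for(role: str, direction: str = "inbound",
              fixed_rpc_port: Optional[int] = None) -> List[Rule]:
    """Rules a host in `role` needs. 'inbound': what it must accept (peer is
    the source); 'outbound': what it may initiate (peer is the destination).
    Identical rules coming from several table rows collapse into one."""
    own, peer = (1, 0) if direction == "inbound" else (0, 1)
    found = set()
    for flow in FLOWS:
        if flow[own] == role:
            for r in parse_ports(flow[2], fixed_rpc_port):
                found.add((flow[peer], r.proto, r.low, r.high, r.note))
    return sorted(found)


if __name__ == "__main__":
    for peer, proto, low, high, note in rules_for("Delivery Controllers"):
        span = str(low) if low == high else f"{low}-{high}"
        print(f"allow {proto} {span:<12} from {peer}  {note}")
```

Running it for the Delivery Controllers shows that every inbound flow is TCP 80 SOAP, so a host-based or perimeter rule set for a controller is short; running it for the Certificate Authority reproduces the table above and, once you pass the fixed port you configured on the CA, shrinks the dynamic range to that single port. The session flows from the User Workspace table were left out of the list; add them in the same notation if you want the VDA view as well.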
Summarization
In this article I discussed the different communication flows and corresponding ports within a Citrix Virtual Apps and Desktops infrastructure (formerly known as XenDesktop/XenApp). In case the components are separated by firewalls, you now have a full overview of what should be opened on those firewalls to have a fully functioning CVAD environment.