December 22, 2019

Firewall rules

Content available

|—-Citrix Virtual Apps and Desktops
|—-NetScaler / NetScaler Gateway / Citrix ADC
|—-NetScaler MAS / Citrix ADM
|—-Citrix PVS
|—-Citrix WEM
|—-Citrix FAS

|—-Skype for Business QoS
|—-Microsoft Teams QoS


  • 19.10.2021 – Reversed sorting for changelog
  • 25.09.2020 – Fieldnotes general – removed pagination and did some cleaning
  • 25.09.2020 – Registry hacks – added audio sandbox values for Edge and Chrome
  • 30.04.2020 – Powershell – Added: OneDrive for Business – Downloads and install latest stable OneDrive for Business – intended for VDI
  • 29.04.2020 – Powershell – Added: Microsoft Edge and Microsoft Teams – Downloads and install latest – intended for VDI
  • 24.04.2020 – Powershell – Added: OneDrive for Business – Scripts to deploy with intune to configure OneDrive for Business with Known Folder management silently
  • 10.04.2020 – Registry hacks – Added: Microsoft Edge Chromium – settings to remove prompts about opening Citrix receiver/workspace/ica files
  • 27.03.2020 – Registry hacks – Added: Windows – Privacy
  • 26.02.2020 – Registry hacks – Added: Microsoft Edge Chromium
  • 08.02.2020 – Caveats // Quicfix – Added: “Server 2019/Windows 10: No borders around windows/AllWhite issue”
  • 07.02.2020 – Moved Powershell scripts to GitHub
  • 15.01.2019 – Caveats // Quicfix – Added: “Google Chrome – No audio in ICA session after version 77”
  • 24.12.2019 – Fieldnotes – Initial release

|—-Citrix Virtual Apps and Desktops – Firewall rules


| From | To | Protocol/port | Description |
|---|---|---|---|
| Admin workstation(s) | Delivery Controllers | TCP 80/443, TCP 3389 | |
| Admin workstation(s) | Storefront servers | TCP 3389 | RDP |
| Admin workstation(s) | Citrix Licensing | TCP 8082-8083, TCP 80, TCP 3389 | Web-based administration GUI |
| Admin workstation(s) | Citrix Director | TCP 3389 | RDP |
| Administrator machines, Help Desk machines | Citrix Director | TCP 80, TCP 443 | Web-based GUI |
| Delivery Controllers | SQL server | TCP 1433, UDP 1434 (or other static port) | SQL database |
| Delivery Controllers | VMware vCenter | TCP 443 | vCenter |
| Delivery Controllers | SCVMM | TCP 8100 | SCVMM |
| Delivery Controllers | Citrix Licensing | TCP 27000, TCP 7279, TCP 8082-8083, TCP 80 | Citrix Licensing |
| Delivery Controllers | All VDA machines | TCP 80 | Brokering |
| Storefront servers | Storefront servers | TCP 808 | Subscription Replication |
| Storefront servers | Delivery Controllers | TCP 80, TCP 443 | Secure Ticket Authority |
| Storefront servers | Domain Controllers in Trusted Domains | TCP 88, TCP 135, TCP 445, TCP 389/636, TCP 49151-65535 | |
| All VDA machines | Delivery Controllers | TCP 80 | Registration |
| All VDA machines | Domain Controllers | TCP 3268 | Registration |
| All Receivers (internal) | Storefront / Storefront Load Balancer VIP | TCP 80, TCP 443 | Internal access to StoreFront |
| All Receivers (internal) | All VDA machines | TCP 1494, TCP 2598, UDP 16500-16509, UDP 3224-3324 (deprecated) | Session Reliability (TCP 2598); UDP Audio (UDP 16500-16509); Framehawk (UDP 3224-3324, deprecated) |
| All Receivers | NetScaler Gateway VIP | TCP 80, TCP 443 | External (or internal) access to NetScaler Gateway |
| Citrix Director | Delivery Controllers | TCP 80, TCP 443 | |
| Administrator machines, Help Desk machines | All VDA machines | TCP 135, TCP 3389 | Remote Assistance |
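The same rows applied as host firewall rules on a VDA, as an added example that is not part of the original post: each inbound port from the "All VDA machines" rows above is allowed only from the peers the table names for it, so brokering is reachable from Delivery Controllers but not from clients, and Remote Assistance only from admin machines. The addresses, the rule names and the host name `vda01.example.local` are assumptions for a lab.

```powershell
# Added example (not from the original post): VDA host firewall rules for the
# "All VDA machines" rows of the table above, scoped to the expected sources.
$DeliveryControllers = @('10.0.10.11', '10.0.10.12')  # assumed DDC addresses
$ReceiverSubnet      = '10.0.20.0/24'                  # assumed internal client subnet
$AdminHosts          = @('10.0.30.5', '10.0.30.6')     # assumed admin / Help Desk machines

$Rules = @(
  # Delivery Controllers -> VDA, TCP 80: brokering / registration
  @{ Name = 'Citrix VDA - Brokering (DDC)';         Proto = 'TCP'; Ports = @(80);            From = $DeliveryControllers },
  # Receivers -> VDA, TCP 1494 / 2598: ICA and Session Reliability
  @{ Name = 'Citrix VDA - ICA/Session Reliability'; Proto = 'TCP'; Ports = @(1494, 2598);    From = $ReceiverSubnet },
  # Receivers -> VDA, UDP 16500-16509: UDP audio
  @{ Name = 'Citrix VDA - UDP Audio';               Proto = 'UDP'; Ports = @('16500-16509'); From = $ReceiverSubnet },
  # Admin / Help Desk -> VDA, TCP 135 / 3389: Remote Assistance
  @{ Name = 'Citrix VDA - Remote Assistance';       Proto = 'TCP'; Ports = @(135, 3389);     From = $AdminHosts }
)

foreach ($r in $Rules) {
  # Re-runnable: replace an existing rule of the same name instead of duplicating it.
  Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
  New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow -Profile Domain `
    -Protocol $r.Proto -LocalPort $r.Ports -RemoteAddress $r.From | Out-Null
}

# Check: the remote scope of every rule just created is visible in its address filter.
Get-NetFirewallRule -DisplayName 'Citrix VDA*' | Get-NetFirewallAddressFilter |
  Select-Object RemoteAddress

# Check from a Delivery Controller: brokering (TCP 80) must be reachable on the VDA.
Test-NetConnection -ComputerName 'vda01.example.local' -Port 80 |
  Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Running the same `Test-NetConnection` from a client machine should report `TcpTestSucceeded : False` for port 80, which confirms the source scoping rather than just the port being open.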

|—-NetScaler / NetScaler Gateway / Citrix ADC – Firewall rules


| From | To | Protocol/port | Description |
|---|---|---|---|
| NetScaler ADC | NetScaler in cluster setup | UDP 7000 | Cluster heartbeat exchange |
| NetScaler ADC | NetScaler Appliance (for High Availability) | UDP 3003, TCP 3008, TCP 3009, TCP 3010, TCP 3011, UDP 162, TCP 22 | UDP 3003: exchange of hello packets for communicating UP/DOWN status (heartbeat); TCP 3008: secure high availability configuration synchronization; TCP 3009: secure MEP; TCP 3010: non-secure high availability configuration synchronization; TCP 3011: non-secure MEP; UDP 162: traps from NetScaler to Command Center; TCP 22: used by the rsync process during file synchronization in a high availability setup |
| NetScaler ADC | NetScaler Lights Out Management | TCP 4001, TCP 5900, TCP 623 | Daemon which offers complete and unified configuration management of all the routing protocols |
| NetScaler ADC | Integrated Management Interface | TCP/UDP 389 | LDAP |
| NetScaler ADC | Thales HSM | TCP 9004 | RFS and Thales HSM |
| NetScaler ADC | NetScaler Insight Center / NetScaler MAS / ADM | UDP 4739 | AppFlow communication |
| NetScaler ADC | NetScaler MAS / ADM | SNMP 161, 162 | SNMP events |
| NetScaler ADC | NetScaler MAS / ADM | Syslog 514 | To receive syslog messages in NetScaler MAS |
| NetScaler ADC | NetScaler MAS / ADM | TCP 5557 | Logstream communication from NetScaler to NetScaler MAS |
| Admin Workstation(s) | NetScaler Appliance | TCP 80/443, TCP 8443, TCP 22 | HTTP(S) GUI administration; if the HTML client is used, only port 8443 needs to be open between the client and the Command Center server; SSH access |
| Admin Workstation(s) | Command Center Server | TCP 9091, TCP 9092, TCP 9094 | For opening TCP communication between client and the server |
| Admin Workstation(s) | Command Center Server | TCP 9091, TCP 9092 | Used to refresh, update, and query objects pertaining to Discovery (Maps/Devices, etc.)/Fault Management/Administration/ |
| NetScaler Gateway | LDAP Server (domain controller) | TCP 636, TCP 3268, TCP 3269, TCP 389 | TCP 636: LDAP SSL connection; TCP 3268: LDAP connection to Global Catalog; TCP 3269: LDAP connection to Global Catalog over SSL; TCP 389: LDAP plain text |
| NetScaler Gateway | DNS Servers | TCP 53, UDP 53 | Communication with the DNS server |
| NetScaler Gateway | Radius Server | TCP 80, TCP 8080, TCP 443 | XML and Secure Ticket Authority (STA) port used for enumeration, ticketing, and authentication |
| NetScaler Gateway | Radius Server | TCP 1813, UDP 1813, TCP 1812, UDP 1812 | RADIUS accounting (1813); RADIUS connection (1812) |
| NetScaler Gateway | All VDA machines | TCP 2598, UDP 2598 | Session Reliability and EDT; the EDT protocol requires 2598 to be open for UDP |
| NetScaler Gateway | All VDA machines | TCP 1494 | Access to applications; the EDT protocol requires 1494 to be open for UDP |
| NetScaler Gateway | All VDA machines | TCP 443 | Access to applications via ICA/HDX over SSL |
| NetScaler Gateway | All VDA machines | TCP 8008 | Access to applications and virtual desktops by ICA/HDX from HTML5 Receiver |
| NetScaler Gateway | All VDA machines | IP protocol 50 | IPSec Encapsulating Security Protocol (ESP) traffic |
| NetScaler Gateway | STA servers (DDCs) | TCP 80, TCP 8080, TCP 443 | Secure Ticketing Authority |
| NetScaler Gateway | Storefront servers | TCP 443 | Callback URL to reach the NetScaler Gateway virtual server from StoreFront |
| Admin Workstation(s) | NetScaler Gateway | TCP 80/443, TCP 22 | HTTP(S) GUI administration; if the HTML client is used, only port 8443 needs to be open between the client and the Command Center server; SSH access |

|—-NetScaler MAS / Citrix ADM – Firewall rules


| From | To | Protocol/port | Description |
|---|---|---|---|
| NetScaler MAS / ADM Floating IP / ADM Agent | NSIPs | TCP 22, TCP 80, TCP 443 | Discovery and configuration of NetScaler devices |
| MAS / ADM (Primary, Secondary) | NSIPs | UDP 161 | SNMP |
| NSIPs | NetScaler MAS / ADM Floating IP / ADM Agent | UDP 4739 | AppFlow |
| NSIPs | NetScaler MAS / ADM Floating IP / ADM Agent | UDP 161, UDP 162 | SNMP traps |
| NSIPs | NetScaler MAS / ADM Floating IP / ADM Agent | UDP 514 | Syslog |
| NSIPs | NetScaler MAS / ADM Floating IP / ADM Agent | TCP 5557 | Logstream (ULFD) |
| NSIPs | NetScaler MAS / ADM Floating IP / ADM Agent | TCP 27000, TCP 7279 | Pooled Licensing |
| Administrator Workstation(s) | NetScaler MAS / ADM Floating IP / ADM Agent | TCP 22, TCP 80, TCP 443 | Web-based GUI |
| Director Servers | NetScaler MAS / ADM Floating IP | TCP 80, TCP 443 | Insight integration with Director |
| NetScaler MAS / ADM | LDAP(S) server | TCP 389, TCP 639 | LDAP(S) authentication |
| NetScaler MAS / ADM | Mail Server | TCP 25 | Email alerts |
| NetScaler MAS / ADM | NTP Server | UDP 123 | NTP |
| NetScaler MAS / ADM | Syslog Server | UDP 514 | Syslog |
| NetScaler MAS | NetScaler or NetScaler SD-WAN instance | TCP 80, TCP 443 | NITRO communication |
| NetScaler MAS | NetScaler or NetScaler SD-WAN instance | TCP 22 | SSH communication |
| NetScaler MAS | NetScaler MAS | TCP 22 | Synchronization between NetScaler MAS servers deployed in high availability mode |
| NetScaler MAS | NetScaler MAS | TCP 5454 | Default port for communication and database synchronization between NetScaler MAS nodes in high availability mode |
| NetScaler MAS | NetScaler, NetScaler SD-WAN, NetScaler MAS | Ping/ICMP | To detect network reachability between NetScaler MAS and NetScaler instances, SD-WAN instances, or the secondary NetScaler MAS server deployed in high availability mode |
| NetScaler MAS | RADIUS external authentication server | RADIUS 1812 | Default port for the authentication protocol; communication between NetScaler MAS and the RADIUS external authentication server |
| NetScaler MAS | TACACS external authentication server | TACACS 49 | Default port for the authentication protocol; communication between NetScaler MAS and the TACACS external authentication server |

|—-Citrix PVS – Firewall rules


| From | To | Protocol/port | Description |
|---|---|---|---|
| PVS server(s) | SQL server | TCP 1433, UDP 1434 (or other custom port) | SQL database for PVS |
| PVS server(s) | PVS server(s) | SMB | Copy image files between multiple PVS servers |
| PVS server(s) | PVS server(s) | UDP 6890-6909 | Server-to-server communication |
| PVS server(s) | Citrix Licensing server | TCP 27000, TCP 7279, TCP 8082-8083, TCP 80 | Citrix Licensing |
| PVS server(s) | Domain controllers | TCP 389 | Communication with Active Directory |
| PVS server(s) | Delivery Controllers (DDCs) | TCP 80, TCP 443 | Wizard to create machines from the PVS console |
| PVS server(s) | VMware vCenter | TCP 443 | Wizard to create machines from the PVS console |
| PVS server(s) | Target devices | UDP 6901, UDP 6902, UDP 6905 | Target device power actions from PVS |
| Admin workstations | PVS server(s) | TCP 3389, TCP 54321, TCP 54322, TCP 54323 | |
| Delivery Controllers (DDCs) | PVS server(s) | TCP 54321, TCP 54322, TCP 54323 | Adding machines to a catalog on the DDC |
| Target devices | DHCP server(s) | UDP 67 | DHCP leasing |
| Target devices | KMS host | TCP 1688 | KMS-based licensing |
| Target devices | PVS server(s) | UDP 69, UDP 67/4011, UDP 6910-6969 | Streaming (expanded port range) |
| Target devices | PVS server(s) | UDP 6969, UDP 2071 | Two-stage boot (BDM) |
| Target devices | PVS server(s) | TCP 54321, TCP 54322, TCP 54323 | Imaging Wizard to SOAP Service |

|—-Citrix WEM – Firewall rules


| From | To | Protocol/port | Description |
|---|---|---|---|
| Infrastructure service | Agent host (VDA) | TCP 49752 | Listening port on the agent host. |
| Infrastructure service | Citrix Licensing Server | TCP 27000, TCP 7279 | Citrix Licensing |
| Infrastructure service | SQL Server | TCP 1433 | To connect to the WEM database |
| Admin Console | Infrastructure service | TCP 8284 | Port on which the administration console connects to the infrastructure service. |
| Agent | Infrastructure service | TCP 8286 | Port on which the agent connects to the infrastructure server. |
| Agent Cache Synchronization Process | Infrastructure service | TCP 8285 | Port on which the agent cache synchronization process connects to the infrastructure service to synchronize the agent cache with the infrastructure server. |
| Monitoring Service | Infrastructure service | TCP 8287 | Listening port on the infrastructure server used by the monitoring service. (Not yet implemented.) |

|—-Citrix FAS – Firewall rules


| From | To | Protocol/port | Description |
|---|---|---|---|
| Storefront | FAS Server(s) | TCP 80 | To send the identity assertion of the user. |
| FAS server(s) | Microsoft Certificate Authority | TCP 135 | Certificate request. |
| FAS server(s) | Domain Controller | TCP/UDP 135 | Validate the user account before creating a certificate request. |
| Microsoft Certificate Authority | FAS Server(s) | TCP 135 | Issue the certificate for the certificate request from the FAS Server. |
| VDA | FAS Server(s) | TCP 80 | Fetch the user certificate from the FAS Server. |
| VDA | Domain Controller | TCP/UDP 389 | Authentication of the user during application or desktop launch. |

|—-Skype for Business QoS


| Application name | From | To | Protocol/Port | DSCP Value | Description |
|---|---|---|---|---|---|
| lync.exe | any | any | TCP+UDP 5350-5390 | 46 | SkypeAudio_QOS |
| lync.exe | any | any | TCP+UDP 5350-5390 | 34 | SkypeVideo_QOS |

|—-Microsoft Teams QoS


| Application name | From | To | Protocol/Port | DSCP Value | Description |
|---|---|---|---|---|---|
| teams.exe | any | any | TCP+UDP 50000-50019 | 46 Expedited Forwarding (EF) | TeamsAudio_QOS |
| teams.exe | any | any | TCP+UDP 50020-50039 | 34 Assured Forwarding (AF41) | TeamsVideo_QOS |
| teams.exe | any | any | TCP+UDP 50040-50059 | 18 Assured Forwarding (AF41) | TeamsApplication/ScreenSharing_QoS |
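The Teams table applied on a Windows VDA with the built-in NetQos cmdlets, as an added example that is not part of the original post. Port ranges, the executable name and the DSCP values are the table's; the policy names are assumptions derived from the Description column (shortened for the screen-sharing entry), and the same loop serves the Skype for Business table above once `lync.exe` and its rows are substituted.

```powershell
# Added example (not from the original post): local QoS policies that mark
# outbound Teams media with the DSCP values from the table above.
$TeamsQos = @(
  @{ Name = 'TeamsAudio_QOS';        Start = 50000; End = 50019; Dscp = 46 },  # EF
  @{ Name = 'TeamsVideo_QOS';        Start = 50020; End = 50039; Dscp = 34 },  # AF41
  @{ Name = 'TeamsScreenSharing_QoS'; Start = 50040; End = 50059; Dscp = 18 }  # value as given in the table
)

foreach ($p in $TeamsQos) {
  # Re-runnable: skip a policy that already exists rather than failing on the duplicate name.
  if (Get-NetQosPolicy -Name $p.Name -ErrorAction SilentlyContinue) { continue }
  New-NetQosPolicy -Name $p.Name `
    -AppPathNameMatchCondition 'teams.exe' `
    -IPProtocolMatchCondition Both `
    -IPSrcPortStartMatchCondition $p.Start `
    -IPSrcPortEndMatchCondition $p.End `
    -DSCPAction $p.Dscp `
    -NetworkProfile All | Out-Null
}

# Check: the three policies, their source port ranges and DSCP actions as Windows stored them.
Get-NetQosPolicy | Where-Object Name -like 'Teams*'
```

The client-side marking only matters if Teams is pinned to these source port ranges in the Teams admin center and the network honours DSCP end to end; a quick packet capture on the VDA's uplink confirms whether the marks survive the first hop.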
