December 22, 2019

Firewall rules

Content available

Citrix
|—-Citrix Virtual Apps and Desktops
|—-NetScaler / NetScaler Gateway / Citrix ADC
|—-NetScaler MAS / Citrix ADM
|—-Citrix PVS
|—-Citrix WEM
|—-Citrix FAS

Microsoft
|—-Skype for Business QoS
|—-Microsoft Teams QoS

Changelog

  • 24.12.2019 – Fieldnotes – Initial release
  • 15.01.2019 – Caveats // Quickfix – Added: “Google Chrome – No audio in ICA session after version 77”
  • 07.02.2020 – Moved PowerShell scripts to GitHub
  • 08.02.2020 – Caveats // Quickfix – Added: “Server 2019/Windows 10: No borders around windows/AllWhite issue”
  • 26.02.2020 – Registry hacks – Added: Microsoft Edge Chromium
  • 27.03.2020 – Registry hacks – Added: Windows – Privacy
  • 10.04.2020 – Registry hacks – Added: Microsoft Edge Chromium – settings to remove prompts about opening Citrix Receiver/Workspace/ICA files
  • 24.04.2020 – PowerShell – Added: OneDrive for Business – Scripts to deploy with Intune to configure OneDrive for Business with Known Folder Move silently
  • 29.04.2020 – PowerShell – Added: Microsoft Edge and Microsoft Teams – Downloads and installs the latest version – intended for VDI
  • 30.04.2020 – PowerShell – Added: OneDrive for Business – Downloads and installs the latest stable OneDrive for Business – intended for VDI
  • 25.09.2020 – Registry hacks – Added audio sandbox values for Edge and Chrome
  • 25.09.2020 – Fieldnotes general – Removed pagination and did some cleaning.

|—-Citrix Virtual Apps and Desktops – Firewall rules

Source(s):
https://support.citrix.com/article/CTX101810#XenDesktop_XenApp
https://www.carlstalhood.com/netscaler-firewall-rules/

From | To | Protocol/port | Description
Admin workstation(s) | Delivery Controllers | TCP 80/443; TCP 3389 | PowerShell; RDP
Admin workstation(s) | StoreFront servers | TCP 3389 | RDP
Admin workstation(s) | Citrix Licensing | TCP 8082-8083, TCP 80; TCP 3389 | Web-based administration GUI; RDP
Admin workstation(s) | Citrix Director | TCP 3389 | RDP
Administrator machines, Help Desk machines | Citrix Director | TCP 80, TCP 443 | Web-based GUI
Delivery Controllers | SQL server | TCP 1433, UDP 1434, other static port | SQL database
Delivery Controllers | VMware vCenter | TCP 443 | vCenter
Delivery Controllers | SCVMM | TCP 8100 | SCVMM
Delivery Controllers | Citrix Licensing | TCP 27000, TCP 7279, TCP 8082-8083, TCP 80 | Citrix Licensing
Delivery Controllers | All VDA machines | TCP 80 | Brokering
StoreFront servers | StoreFront servers | TCP 808 | Subscription replication
StoreFront servers | Delivery Controllers | TCP 80, TCP 443 | XML, Secure Ticket Authority
StoreFront servers | Domain Controllers in trusted domains | TCP 88, TCP 135, TCP 445, TCP 389/636, TCP 49151-65535 | RPC, Discussions
All VDA machines | Delivery Controllers | TCP 80 | Registration
All VDA machines | Domain Controllers | TCP 3268 | Registration
All Receivers (internal) | StoreFront / StoreFront load balancer VIP | TCP 80, TCP 443 | Internal access to StoreFront
All Receivers (internal) | All VDA machines | TCP 1494; TCP 2598; UDP 16500-16509; UDP 3224-3324 (deprecated) | ICA/HDX; Session Reliability; UDP audio; Framehawk (deprecated)
All Receivers | NetScaler Gateway VIP | TCP 80, TCP 443 | External (or internal) access to NetScaler Gateway
Citrix Director | Delivery Controllers | TCP 80, TCP 443 | Director
Administrator machines, Help Desk machines | All VDA machines | TCP 135, TCP 3389 | Remote Assistance
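The rows with "All VDA machines" as the destination are the ones a VDA's own Windows firewall has to allow inbound. The following script is an added example, not one of the scripts from this site, and shows how those rows translate into host-firewall rules that are scoped to the source network each row names (Delivery Controllers, internal Receivers, admin/help-desk workstations) rather than opened to any address. The three subnets and the rule group name are placeholders; the deprecated Framehawk range (UDP 3224-3324) is deliberately left out.

```powershell
# Added example (not from the original post): inbound host-firewall rules on a Citrix VDA
# for the "All VDA machines" rows of the table above, scoped per source network.
# The subnets below are assumptions; replace them with your own ranges.
$DeliveryControllers = @('10.0.10.0/24')   # assumption: Delivery Controller subnet
$ReceiverNetworks    = @('10.0.0.0/16')    # assumption: internal Receiver / Workspace app clients
$AdminHelpdesk       = @('10.0.20.0/24')   # assumption: administrator and help-desk workstations
$Group               = 'Citrix VDA (fieldnotes)'

# One entry per table row, so the allowed source follows the table rather than "Any".
$rules = @(
    @{ Name = 'Citrix VDA - Brokering (from DDC)';     Protocol = 'TCP'; Port = '80';          Remote = $DeliveryControllers }
    @{ Name = 'Citrix VDA - ICA/HDX';                  Protocol = 'TCP'; Port = '1494';        Remote = $ReceiverNetworks }
    @{ Name = 'Citrix VDA - Session Reliability';      Protocol = 'TCP'; Port = '2598';        Remote = $ReceiverNetworks }
    @{ Name = 'Citrix VDA - UDP Audio';                Protocol = 'UDP'; Port = '16500-16509'; Remote = $ReceiverNetworks }
    @{ Name = 'Citrix VDA - Remote Assistance (RPC)';  Protocol = 'TCP'; Port = '135';         Remote = $AdminHelpdesk }
    @{ Name = 'Citrix VDA - Remote Assistance (RDP)';  Protocol = 'TCP'; Port = '3389';        Remote = $AdminHelpdesk }
)

foreach ($r in $rules) {
    # Skip rules that already exist so the script can be re-run safely (for example from a build task).
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $r.Name -Group $Group -Direction Inbound -Action Allow `
        -Profile Domain -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $r.Remote | Out-Null
}

# Verification: list every rule in the group with its port filter and the remote addresses it accepts.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Protocol = $port.Protocol
        Port     = $port.LocalPort
        Remote   = ($addr.RemoteAddress -join ', ')
    }
} | Format-Table -AutoSize
```

Run it elevated in the master image before sealing. The rows where the VDA is the source (Registration to the Delivery Controllers on TCP 80, TCP 3268 to the Domain Controllers) are outbound and are normally allowed by the default Windows outbound policy, so they need no rule here; they do need to be open on the network firewall in between.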

|—-NetScaler / NetScaler Gateway / Citrix ADC – Firewall rules

Source(s):
https://support.citrix.com/article/CTX101810#NetScaler
https://www.carlstalhood.com/netscaler-firewall-rules/

From | To | Protocol/port | Description
NetScaler ADC | NetScaler in cluster setup | UDP 7000 | Cluster heartbeat exchange
NetScaler ADC | NetScaler appliance (for High Availability) | UDP 3003; TCP 3008; TCP 3009; TCP 3010; TCP 3011; UDP 162; TCP 22 | Exchange of hello packets for communicating UP/DOWN status (heartbeat); secure high availability configuration synchronization; secure MEP; non-secure high availability configuration synchronization; non-secure MEP; traps from NetScaler to Command Center; used by the rsync process during file synchronization in a high availability setup
NetScaler ADC | DNS server | TCP/UDP 53 | DNS
NetScaler ADC | NetScaler Lights Out Management | TCP 4001, TCP 5900, TCP 623 | Daemon which offers complete and unified configuration management of all the routing protocols
NetScaler ADC | Integrated Management Interface | TCP/UDP 389 | LDAP
NetScaler ADC | Thales HSM | TCP 9004 | RFS and Thales HSM
NetScaler ADC | NetScaler Insight Center / NetScaler MAS / ADM | UDP 4739 | AppFlow communication
NetScaler ADC | NetScaler MAS / ADM | SNMP 161, 162; Syslog 514; TCP 5557 | SNMP events; syslog messages received by NetScaler MAS; logstream communication from NetScaler to NetScaler MAS
Admin workstation(s) | NetScaler appliance | TCP 80/443; TCP 8443; TCP 22 | HTTP(S) GUI administration; if the HTML client is used, only port 8443 needs to be open between the client and the Command Center server; SSH access
Admin workstation(s) | Command Center server | TCP 9091, TCP 9092, TCP 9094 | For opening TCP communication between client and server
Command Center server |  | TCP 9091, TCP 9092 | Used to refresh, update, and query objects pertaining to Discovery (Maps/Devices, etc.), Fault Management and Administration
NetScaler Gateway | LDAP server (domain controller) | TCP 636; TCP 3268; TCP 3269; TCP 389 | LDAP over SSL; LDAP to Global Catalog; LDAP to Global Catalog over SSL; LDAP plain text
NetScaler Gateway | DNS servers | TCP 53, UDP 53 | Communication with the DNS server
NetScaler Gateway | Radius server | TCP 80, TCP 8080, TCP 443 | XML and Secure Ticket Authority (STA) port used for enumeration, ticketing, and authentication
NetScaler Gateway | Radius server | TCP 1813, UDP 1813; TCP 1812, UDP 1812 | RADIUS accounting; RADIUS connection
NetScaler Gateway | All VDA machines | TCP 2598, UDP 2598 | Session Reliability and EDT (EDT requires UDP 2598 to be open)
NetScaler Gateway | All VDA machines | TCP 1494, UDP 1494 | Access to applications (EDT requires UDP 1494 to be open)
NetScaler Gateway | All VDA machines | TCP 443 | Access to applications via ICA/HDX over SSL
NetScaler Gateway | All VDA machines | TCP 8008 | Access to applications and virtual desktops by ICA/HDX from the HTML5 Receiver
NetScaler Gateway | All VDA machines | IP protocol 50 | IPsec Encapsulating Security Payload (ESP) traffic
NetScaler Gateway | STA servers (DDCs) | TCP 80, TCP 8080, TCP 443 | Secure Ticket Authority
NetScaler Gateway | StoreFront servers | TCP 443 | Callback URL to reach the NetScaler Gateway virtual server from StoreFront
Admin workstation(s) | NetScaler Gateway | TCP 80/443; TCP 8443; TCP 22 | HTTP(S) GUI administration; if the HTML client is used, only port 8443 needs to be open between the client and the Command Center server; SSH access

|—-NetScaler MAS / Citrix ADM – Firewall rules

Source(s):
https://support.citrix.com/article/CTX101810#NetScaler_MAS
https://www.carlstalhood.com/netscaler-firewall-rules/

From | To | Protocol/port | Description
NetScaler MAS / ADM floating IP / ADM agent | NSIPs | Ping/ICMP, TCP 22, TCP 80, TCP 443 | Discovery and configuration of NetScaler devices
MAS / ADM (primary, secondary) | NSIPs | UDP 161 | SNMP
NSIPs | NetScaler MAS / ADM floating IP / ADM agent | UDP 4739 | AppFlow
NSIPs | NetScaler MAS / ADM floating IP / ADM agent | UDP 161, UDP 162 | SNMP traps
NSIPs | NetScaler MAS / ADM floating IP / ADM agent | UDP 514 | Syslog
NSIPs, SNIP | NetScaler MAS / ADM floating IP / ADM agent | TCP 5557 | Logstream (ULFD)
CPX NSIPs, VPX NSIPs | NetScaler MAS / ADM floating IP / ADM agent | TCP 27000, TCP 7279 | Pooled licensing
Administrator workstation(s) | NetScaler MAS / ADM floating IP / ADM agent | TCP 22, TCP 80, TCP 443 | Web-based GUI
Director servers | NetScaler MAS / ADM floating IP | TCP 80, TCP 443 | Insight integration with Director
NetScaler MAS / ADM | LDAP(S) / LDAP(S) VIP | TCP 389, TCP 639 | LDAP(S) authentication
NetScaler MAS / ADM | Mail server | TCP 25 | Email alerts
NetScaler MAS / ADM | NTP server | UDP 123 | NTP
NetScaler MAS / ADM | Syslog server | UDP 514 | Syslog
NetScaler MAS | NetScaler or NetScaler SD-WAN instance | TCP 80, TCP 443 | NITRO communication
NetScaler MAS | NetScaler or NetScaler SD-WAN instance | TCP 22 | SSH communication
NetScaler MAS | NetScaler MAS | TCP 22 | Synchronization between NetScaler MAS servers deployed in high availability mode
NetScaler MAS | NetScaler MAS | TCP 5454 | Default port for communication and database synchronization between NetScaler MAS nodes in high availability mode
NetScaler MAS | NetScaler, NetScaler SD-WAN, NetScaler MAS | Ping/ICMP | To detect network reachability between NetScaler MAS and NetScaler instances, SD-WAN instances, or the secondary NetScaler MAS server deployed in high availability mode
NetScaler MAS | RADIUS external authentication server | RADIUS 1812 | Default port for the authentication protocol; communication between NetScaler MAS and the RADIUS external authentication server
NetScaler MAS | TACACS external authentication server | TACACS 49 | Default port for the authentication protocol; communication between NetScaler MAS and the TACACS external authentication server

|—-Citrix PVS – Firewall rules

Source(s):
https://support.citrix.com/article/CTX101810#Provisioning%20Services
https://www.carlstalhood.com/netscaler-firewall-rules/

From | To | Protocol/port | Description
PVS server(s) | SQL server | TCP 1433, UDP 1434 (or other custom port) | SQL database for PVS
PVS server(s) | PVS server(s) | SMB | Copy image files between multiple PVS servers
PVS server(s) | PVS server(s) | UDP 6890-6909 | Server-to-server communication
PVS server(s) | Citrix Licensing server | TCP 27000, TCP 7279, TCP 8082-8083, TCP 80 | Citrix Licensing
PVS server(s) | Domain controllers | TCP 389 | Communication with Active Directory
PVS server(s) | Delivery Controllers (DDCs) | TCP 80, TCP 443 | Wizard to create machines from the PVS console
PVS server(s) | VMware vCenter | TCP 443 | Wizard to create machines from the PVS console
PVS server(s) | Target devices | UDP 6901, UDP 6902, UDP 6905 | Target device power actions from PVS
Admin workstations | PVS server(s) | TCP 3389; TCP 54321, TCP 54322, TCP 54323 | RDP; SOAP
Delivery Controllers (DDCs) | PVS server(s) | TCP 54321, TCP 54322, TCP 54323 | Adding machines to a catalog on the DDC
Target devices | DHCP server(s) | UDP 67 | DHCP leasing
Target devices | KMS host | TCP 1688 | KMS-based licensing
Target devices | PVS server(s) | UDP 69; UDP 67/4011; UDP 6910-6969 | TFTP; PXE; Streaming (expanded port range)
Target devices | PVS server(s) | UDP 6969, UDP 2071 | Two-stage boot (BDM)
Target devices | PVS server(s) | TCP 54321, TCP 54322, TCP 54323 | Imaging Wizard to SOAP Service
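A firewall table is only useful if the openings actually exist, and on PVS a missing one tends to show up as a target device that hangs at boot. The script below is an added example (not one of the scripts from this site) that runs on a PVS server and checks every TCP dependency from the table above with Test-NetConnection, so a closed port is caught before the first device is streamed. The host names are placeholders; the UDP rows (1434, 6890-6909, 69, 67/4011, 6910-6969) cannot be probed this way and are left to a protocol-specific test.

```powershell
# Added example (not from the original post): verify from a PVS server that the TCP
# dependencies in the table above are reachable. All host names are assumptions.
$sql     = 'sql01.example.local'       # assumption: PVS database server
$license = 'lic01.example.local'       # assumption: Citrix Licensing server
$ddc     = 'ddc01.example.local'       # assumption: Delivery Controller
$vcenter = 'vcenter.example.local'     # assumption: VMware vCenter
$dc      = 'dc01.example.local'        # assumption: domain controller

# One entry per TCP row of the table; UDP rows are not covered by a TCP connect test.
$checks = @(
    @{ Target = $sql;     Port = 1433;  Purpose = 'SQL database for PVS' }
    @{ Target = $license; Port = 27000; Purpose = 'Citrix Licensing' }
    @{ Target = $license; Port = 7279;  Purpose = 'Citrix Licensing' }
    @{ Target = $license; Port = 8082;  Purpose = 'Citrix Licensing' }
    @{ Target = $license; Port = 8083;  Purpose = 'Citrix Licensing' }
    @{ Target = $license; Port = 80;    Purpose = 'Citrix Licensing' }
    @{ Target = $ddc;     Port = 80;    Purpose = 'DDC - machine creation wizard' }
    @{ Target = $ddc;     Port = 443;   Purpose = 'DDC - machine creation wizard' }
    @{ Target = $vcenter; Port = 443;   Purpose = 'vCenter - machine creation wizard' }
    @{ Target = $dc;      Port = 389;   Purpose = 'Active Directory (LDAP)' }
)

$results = foreach ($c in $checks) {
    # Test-NetConnection performs a TCP connect; TcpTestSucceeded is $false when the
    # port is filtered or closed. Warnings about failed pings are suppressed.
    $t = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target  = $c.Target
        Port    = $c.Port
        Purpose = $c.Purpose
        Open    = $t.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# Exit non-zero when anything is blocked so the check can gate an automated build or change window.
if ($results | Where-Object { -not $_.Open }) { exit 1 }
```

The same pattern works for the other tables on this page: swap the $checks list for the rows of the component you are validating and run it from the "From" side of each row, since that is the direction the firewall rule must permit.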

|—-Citrix WEM – Firewall rules

Source(s):
https://support.citrix.com/article/CTX101810#WorkspaceEnvironmentManagement

From | To | Protocol/port | Description
Infrastructure service | Agent host (VDA) | TCP 49752 | Listening port on the agent host
Infrastructure service | Citrix Licensing server | TCP 27000, TCP 7279 | Citrix Licensing
Infrastructure service | SQL server | TCP 1433 | To connect to the WEM database
Admin console | Infrastructure service | TCP 8284 | Port on which the administration console connects to the infrastructure service
Agent | Infrastructure service | TCP 8286 | Port on which the agent connects to the infrastructure server
Agent cache synchronization process | Infrastructure service | TCP 8285 | Port on which the agent cache synchronization process connects to the infrastructure service to synchronize the agent cache with the infrastructure server
Monitoring service | Infrastructure service | TCP 8287 | Listening port on the infrastructure server used by the monitoring service (not yet implemented)

|—-Citrix FAS – Firewall rules

Source(s):
https://support.citrix.com/article/CTX101810#Federated%20Authentication%20Services

From | To | Protocol/port | Description
StoreFront | FAS server(s) | TCP 80 | To send the identity assertion of the user
FAS server(s) | Microsoft Certificate Authority | TCP 135 | Certificate request
FAS server(s) | Domain controller | TCP/UDP 135 | Validate the user account before creating a certificate request
Microsoft Certificate Authority | FAS server(s) | TCP 135 | Issue a certificate for the certificate request from the FAS server
VDA | FAS server(s) | TCP 80 | Fetch the user certificate from the FAS server
VDA | Domain controller | TCP/UDP 389 | Authentication of the user during application or desktop launch

|—-Skype for Business QoS

Source:
https://docs.microsoft.com/en-us/skypeforbusiness/optimizing-your-network/optimizing-your-network

Application name | From | To | Protocol/port | DSCP value | Description
lync.exe | any | any | TCP+UDP 5350-5390 | 46 | SkypeAudio_QOS
lync.exe | any | any | TCP+UDP 5350-5390 | 34 | SkypeVideo_QOS

|—-Microsoft Teams QoS

Source:
https://docs.microsoft.com/en-us/microsoftteams/qos-in-teams

Application name | From | To | Protocol/port | DSCP value | Description
teams.exe | any | any | TCP+UDP 50000-50019 | 46 Expedited Forwarding (EF) | TeamsAudio_QOS
teams.exe | any | any | TCP+UDP 50020-50039 | 34 Assured Forwarding (AF41) | TeamsVideo_QOS
teams.exe | any | any | TCP+UDP 50040-50059 | 18 Assured Forwarding (AF41) | TeamsApplication/ScreenSharing_QoS
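The DSCP values in the Teams table (and the Skype for Business table above it) only take effect if something on the endpoint marks the packets. The following is an added example, not one of the scripts from this site, showing how the three Teams rows become Windows QoS policies with New-NetQosPolicy, the cmdlet the linked Microsoft page uses. The policy names follow the Description column (the slash in the screen-sharing name is dropped because it is not needed in a policy name); the Skype rows are handled the same way with 'lync.exe' as the application match.

```powershell
# Added example (not from the original post): create the Teams QoS marking policies from
# the table above. Run elevated on the client or in the VDI master image.
# -NetworkProfile All applies the marking regardless of the active network profile.
$policies = @(
    @{ Name = 'TeamsAudio_QOS';         App = 'teams.exe'; Start = 50000; End = 50019; Dscp = 46 }
    @{ Name = 'TeamsVideo_QOS';         App = 'teams.exe'; Start = 50020; End = 50039; Dscp = 34 }
    @{ Name = 'TeamsScreenSharing_QOS'; App = 'teams.exe'; Start = 50040; End = 50059; Dscp = 18 }
)

foreach ($p in $policies) {
    # Replace an existing policy of the same name so the script can be re-run after a change.
    if (Get-NetQosPolicy -Name $p.Name -ErrorAction SilentlyContinue) {
        Remove-NetQosPolicy -Name $p.Name -Confirm:$false
    }
    # Match on the process name and the source port range the client uses, for both TCP and UDP.
    New-NetQosPolicy -Name $p.Name `
        -AppPathNameMatchCondition $p.App `
        -IPProtocolMatchCondition Both `
        -IPSrcPortStartMatchCondition $p.Start `
        -IPSrcPortEndMatchCondition $p.End `
        -DSCPAction $p.Dscp `
        -NetworkProfile All | Out-Null
}

# Verification: show the resulting policies with their match conditions and DSCP marking.
Get-NetQosPolicy | Where-Object { $_.Name -in $policies.Name } | Format-List
```

Marking on the endpoint is only half of the job: the source-port ranges above must also be configured in the Teams admin center (Meetings > Meeting settings) so the client actually uses them, and the network between client and Microsoft 365 has to honour the DSCP values rather than re-mark them to 0.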


Best regards

Dybbugt.no