Citrix
|—-Citrix Virtual Apps and Desktops – Firewall rules
Source(s).:
https://support.citrix.com/article/CTX101810#XenDesktop_XenApp
https://www.carlstalhood.com/netscaler-firewall-rules/
| From | To | Protocol/port | Description |
|---|---|---|---|
| Admin workstation(s) | Delivery Controllers | TCP 80/443 TCP 3389 | PowerShell RDP |
| Storefront servers | TCP 3389 | RDP | |
| Citrix Licensing | TCP 8082-8083 TCP 80 TCP 3389 | Web-based administration GUI RDP | |
| Citrix Director | TCP 3389 | RDP | |
| Administrator machines Help Desk machines | Citrix Director | TCP 80 TCP 443 | Web-based GUI |
| Delivery Controllers | SQL server | TCP 1433 UDP 1434 Other static port | SQL database |
| Delivery Controllers | VMware vCenter | TCP 443 | vCenter |
| Delivery Controllers | SCVMM | TCP 8100 | SCVMM |
| Delivery Controllers | Citrix Licensing | TCP 27000 TCP 7279 TCP 8082-8083 TCP 80 | Citrix Licensing |
| All VDA machines | TCP 80 | Brokering | |
| Storefront servers | Storefront servers | TCP 808 | Subscription Replication |
| Delivery Controllers | TCP 80 TCP 443 | XML Secure Ticket Authority | |
| Domain Controllers in Trusted Domains | TCP 88 TCP 135 TCP 445 TCP 389/636 TCP 49151-65535 | RPC Discussions | |
| All VDA machines | Delivery Controllers | TCP 80 | Registration |
| Domain Controllers | TCP 3268 | Registration | |
| All Receivers (internal) | Storefront/Storefront Load Balancer VIP | TCP 80 TCP 443 | Internal access to StoreFront |
| All VDA Machines | TCP 1494 TCP 2598 UDP 16500-16509 | ICA/HDX Session Reliability UDP Audio | |
| All Receivers | NetScaler Gateway VIP | TCP 80 TCP 443 | External (or internal) access to NetScaler Gateway |
| Citrix Director | Delivery Controllers | TCP 80 TCP 443 | |
| Director Administrator machines Help Desk machines | All VDA Machines | TCP 135 TCP 3389 | Remote Assistance |
|—-NetScaler / NetScaler Gateway / Citrix ADC – Firewall rules
Source(s).:
https://support.citrix.com/article/CTX101810#NetScaler
https://www.carlstalhood.com/netscaler-firewall-rules/
| From | To | Protocol/port | Description |
|---|---|---|---|
| NetScaler ADC | NetScaler in cluster setup | UDP 7000 | Cluster heart beat exchange |
| NetScaler Appliance (for High Availability) | UDP 3003 TCP 3008 TCP 3009 TCP 3010 TCP 3011 UDP 162 TCP 22 | Exchange of hello packets for communicating UP/DOWN status (heartbeat) Secure High Availability configuration synchronization For secure MEP. Non-secure high availability configuration synchronization. For non-secure MEP. Traps from NetScaler to Command Center Used by the rsync process during file synchronization in high availability setup | |
| DNS Server | TCP/UDP 53 | DNS | |
| NetScaler Lights Out Management | TCP 4001 TCP 5900 TCP 623 | Daemon which offers complete and unified configuration management of all the routing protocols | |
| Integrated Management Interface | TCP/UDP 389 | LDAP | |
| Thales HSM | TCP 9004 | RFS and Thales HSM | |
| NetScaler Insight Center/NetScaler MAS/ADM | UDP 4739 | For AppFlow communication | |
| NetScaler MAS /ADM | SNMP 161,162 | SNMP Events | |
| Syslog 514 | To receive syslog messages in NetScaler MAS | ||
| TCP 5557 | For logstream communication from NetScaler to NetScaler MAS. | ||
| Admin Worksatation(s) | NetScaler Appliance | TCP 80/443 TCP 8443 TCP 22 | HTTP(s) – GUI Administration If HTML client is used, only 8443 port needs to be open between client >Command Center server. SSH Access |
| Command Center Server | TCP 9091 TCP 9092 TCP 9094 | For opening TCP communication between client and the server | |
| Command Center Server | TCP 9091,9092 | Used to refresh, update, and query objects pertaining to Discovery (Maps/Devices, etc.)/Fault Management/Administration/ | |
| NetScaler Gateway | LDAP Server (domain controller) | TCP 636 TCP 3268 TCP 3269 TCP 389 | LDAP SSL connection LDAP connection to Global Catalog LDAP connection to Global Catalog over SSL LDAP plain text |
| DNS Servers | TCP 53 UDP 53 | Communication with the DNS server | |
| Radius Server | TCP 80 TCP 8080 TCP 443 | XML and Secure Ticket Authority (STA) port used for enumeration, ticketing, and authentication. | |
| Radius Server | TCP 1813 UDP 1813 TCP 1812 UDP 1812 | RADIUS Accounting RADIUS Connection | |
| All VDA machines | TCP 2598 UDP 2598 | Session reliability and EDT EDT protocol requires 2598 to be open for UDP | |
| All VDA machines | TCP 1494 UDP1494 | Access to applications EDT protocol requires 1494 to be open for UDP | |
| All VDA machines | TCP 443 | Access to applications via ICA/HDX over SSL | |
| All VDA machines | TCP 8008 | Access to applications and virtual desktops by ICA/HDX from HTML5 Receiver | |
| All VDA machines | IP 50 | IPSec Encapsulating Security Protocol (ESP) traffic | |
| STA servers (DDCs) | TCP 80 TCP 8080 TCP 443 | Secure Ticketing Authority | |
| Storefront servers | TCP 443 | Callback URL to reach NetScaler Gateway virtual server from StoreFront | |
| Admin Worksatation(s) | NetScaler Gateway | TCP 80/443 TCP8443 TCP 22 | HTTP(s) – GUI Administration If HTML client is used, only 8443 port needs to be open between client >Command Center server. SSH Access |
|—-NetScaler MAS / Citrix ADM – Firewall rules
Source(s).:
https://support.citrix.com/article/CTX101810#NetScaler_MAS
https://www.carlstalhood.com/netscaler-firewall-rules/
| From | To | Protocol/Port | Description |
|---|---|---|---|
| NetScaler MAS ADM Floating IP ADM Agent | NSIPs | Ping/ICMP TCP 22 TCP 80 TCP 443 | Discovery and configuration of NetScaler devices |
| MAS / ADM (Primary, Secondary) | NSIPs | UDP 161 | SNMP |
| NSIPs | NetScaler MAS ADM Floating IP ADM Agent | UDP 4739 | AppFlow |
| NetScaler MAS ADM Floating IP ADM Agent | UDP 161 UDP 162 | SNMP Traps | |
| NetScaler MAS ADM Floating IP ADM Agent | UDP 514 | Syslog | |
| NSIPs SNIP | NetScaler MAS ADM Floating IP ADM Agent | TCP 5557 | Logstream (ULFD) |
| CPX NSIPs VPX NSIPs | NetScaler MAS ADM Floating IP ADM Agent | TCP 27000 TCP 7279 | Pooled Licensing |
| Administratir Worksation(s) | NetScaler MAS ADM Floating IP ADM Agent | TCP 22 TCP 80 TCP 443 | Web-based GUI |
| Director Servers | NetScaler MAS ADM Floating IP | TCP 80 TCP 443 | Insight Integration with Director |
| NetScaler MAS / ADM | LDAP(S) LDAP(S) VIP | TCP 389 TCP 639 | LDAP(s) authentication |
| Mail Server | TCP 25 | Email alerts | |
| NTP Server | UDP 123 | NTP | |
| Syslog Server | UDP 514 | Syslog | |
| NetScaler MAS | NetScaler or NetScaler SD-WAN instance | TCP 80 TCP 443 | For NITRO communication |
| NetScaler or NetScaler SD-WAN instance | TCP 22 | For SSH communication | |
| NetScaler MAS | NetScaler MAS | TCP 22 | For synchronization between NetScaler MAS servers deployed in high availability mode. |
| NetScaler MAS | TCP 5454 | Default port for communication, and database synchronization in between NetScaler MAS nodes in high availability mode. | |
| NetScaler MAS | NetScaler NetScaler SD-WAN NetScaler MAS | Ping/ICMP | To detect network reachability between NetScaler MAS and NetScaler instances, SD-WAN instances, or the secondary NetScaler MAS server deployed in high availability mode. |
| NetScaler MAS | RADIUS external authentication server | RADIUS 1812 | Default port for authentication protocol. For communication between NetScaler MAS and RADIUS external authentication server. |
| TACACS external authentication server | TACACS 49 | Default port for authentication protocol. For communication between NetScaler MAS and TACACS external authentication server. |
|—-Citrix PVS – Firewall rules
Source(s).:
https://support.citrix.com/article/CTX101810#Provisioning%20Services
https://www.carlstalhood.com/netscaler-firewall-rules/
| From | To | Protocol/port | Description |
|---|---|---|---|
| PVS server(s) | SQL server | TCP 1433 UDP 1434 (or other custom port) | SQL database for PVS |
| PVS server(s) | PVS server(s) | SMB | Copy image files between mulitple PVS servers |
| PVS server(s) | UDP 6890-6909 | Server-server communication | |
| PVS server(s) | Citrix Licensing server | TCP 27000 TCP 7279 TCP 8082-8083 TCP 80 | Citrix Licensing |
| PVS server(s) | Domain controllers | TCP 389 | Communication with Active Directory |
| PVS server(s) | Delivery Controllers (DDC’s) | TCP 80 TCP 443 | Wizard to create machines from PVS console |
| PVS server(s) | VMware vCenter | TCP 443 | Wizard to create machines from PVS console |
| PVS server(s) | Target devices | UDP 6901 UDP 6902 UDP 6905 | Target devices power actions from PVS |
| Admin workstations | PVS server(s) | TCP 3389 TCP 54321 TCP 54322 TCP 54323 | RDP SOAP |
| Delivery Controllers (DDC’s) | PVS server(s) | TCP 54321 TCP 54322 TCP 54323 | Adding machines to catalog on DDC |
| Target devices | DHCP Server(s) | UDP 67 | DHCP leasing |
| Target devices | KMS host | TCP 1688 | KMS based licensing |
| Target devices | PVS server(s) | UDP 69 UDP 67/4011 UDP 6910-6969 | TFTP PXE Streaming (expanded port range) |
| PVS server(s) | UDP 6969 UDP 2071 | Two-stage boot (BDM) | |
| PVS server(s) | TCP 54321 TCP 54322 TCP 54323 | Imaging Wizard to SOAP Service |
|—-Citrix WEM – Firewall rules
Source(s).:
https://support.citrix.com/article/CTX101810#WorkspaceEnvironmentManagement
| From | To | Protocol/Port | Description |
|---|---|---|---|
| Infrastructure service | Agent host (VDA) | TCP 49752 | Listening port on the agent host. |
| Citrix Licensing Server | TCP 27000 TCP 7279 | Citrix Licensing | |
| SQL Server | TCP 1433 | To connect to WEM Database | |
| Admin Console | Infrastructure service | TCP 8284 | Port on which the administration console connects to the infrastructure service. |
| Agent | Infrastructure service | TCP 8286 | Port on which the agent connects to the infrastructure server. |
| Agent Cache Sunchronization Process | Infrastructure service | TCP 8285 | Port on which the agent cache synchronization process connects to the infrastructure service to synchronize the agent cache with the infrastructure server. |
| Monitoring Service | Infrastructure service | TCP 8287 | Listening port on the infrastructure server used by the monitoring service. (Not yet implemented.) |
|—-Citrix FAS – Firewall rules
Source(s).:
https://support.citrix.com/article/CTX101810#Federated%20Authentication%20Services
| From | To | Protocol/port | Description |
|---|---|---|---|
| Storefront | FAS Server(s) | TCP 80 | To send identity assertion of the user. |
| FAS server(s) | Microsoft Certificate Authority | TCP 135 | Certificate Request. |
| Domain Controller | TCP/UDP 135 | Validate the user account before creating a certificate request | |
| Microsoft Certificate Authority | FAS Server(s) | TCP 135 | Issue certificate to the certificate request from FAS Server. |
| VDA | FAS Server(s) | TCP 80 | Fetch the user certificate from the FAS Server. |
| Domain Controller | TCP/UDP 389 | Authentication of user during application or desktop launch |
Microsoft
|—-Skype for Business QoS
Source:
https://docs.microsoft.com/en-us/skypeforbusiness/optimizing-your-network/optimizing-your-network
| Application name | From | To | Protocol/Port | DSCP Value | Description |
|---|---|---|---|---|---|
| lync.exe | any | any | TCP+UDP 5350-5390 | 46 | SkypeAudio_QOS |
| any | any | TCP+UDP 5350-5390 | 34 | SkypeVideo_QOS |
|—-Microsoft Teams QoS
Source:
https://docs.microsoft.com/en-us/microsoftteams/qos-in-teams
| Application Name | From | To | Protocol/Port | DSCP Value | Description |
|---|---|---|---|---|---|
| teams.exe | any | any | TCP+UDP 50000-50019 | 46 Expedited Forwarding (EF) | TeamsAudio_QOS |
| any | any | TCP+UDP 50020-50039 | 34 Assured Forwarding (AF41) | TeamsVideo_QOS | |
| any | any | TCP+UDP 50040-50059 | 18 Assured Forwarding (AF41) | TeamsApplication/ScreenShareing_QoS |
Do you find this useful?
Let us know by leaving a comment and following us on Twitter
Also consider subscribing to this website so you get notification on new posts arrive.
You can subscribe with the subscribe button in the menu on the right side, or you can use this button:
If you wish to share the content to others, feel free to use the buttons below for your simplicity.
Best regards
Dybbugt.no
