Tech Paper: Communication Ports Used by Citrix Technologies

This article provides an overview of common ports that are used by Citrix components and must be considered as part of networking architecture, especially if communication traffic traverses network components such as firewalls or proxy servers where ports must be opened to ensure communication flow.

Not all ports need to be open, depending on your deployment and requirements.

NetScaler SDX

Source Destination Type Port Details
Admin Workstation NetScaler SDX lights out management TCP 80, 443 HTTP or HTTPS - GUI Administration
NetScaler SDX SVM TCP 80, 443 HTTP or HTTPS - GUI and NITRO communication
TCP 22 SSH/SCP Access
NetScaler SDX Hypervisor TCP 22 SSH/SCP Access
NetScaler SDX SVM NetScaler instance TCP 80, 443 HTTP or HTTPS - GUI and NITRO communication
TCP 22 SSH/SCP Access
ICMP Using ICMP protocol to check instance availability
NTP Server UDP 123 Default NTP server port for synchronizing with multiple time sources
NetScaler NSIP NetScaler SDX SVM SNMP 161, 162 SNMP events/traps from ADC instances to SDX SVM
ICMP Using ICMP protocol to check instance availability

NetScaler

Source Destination Type Port Details
NetScaler NSIP NetScaler Appliances in cluster setup UDP 7000 Cluster heartbeat exchange
NetScaler Appliance (for High Availability) UDP 3003 Exchange of hello packets for communicating UP/DOWN status (heartbeat)
NetScaler Appliance (for High Availability) TCP 3008 Secure high availability configuration synchronization.
NetScaler Appliance (For Global Site Load Balancing) TCP 3009 For secure MEP.
NetScaler Appliance (for High Availability) TCP 3010 Non-secure high availability configuration synchronization.
NetScaler Appliance (For Global Site Load Balancing) TCP 3011 For non-secure MEP.
NetScaler ADM Appliance UDP 162 Traps from ADC to NetScaler ADM Center
NetScaler Appliance (for High Availability) TCP 22 Used by the rsync process during file synchronization in high availability setup
DNS Server TCP, UDP 53 DNS name resolution
NTP Server UDP 123 Default NTP server port for synchronizing with multiple time sources
Application Firewall signature URL TCP 443 Hosted signature updates on AWS
Bot Management signature URL TCP 443 Hosted signature updates on AWS
ADC lights out management TCP 4001, 5900, 623 Daemon which offers complete and unified configuration management of all the routing protocols
LDAP Server TCP 636 LDAP SSL connection
TCP 3268 LDAP connection to Global Catalog
TCP 3269 LDAP connection to Global Catalog over SSL
TCP 389 LDAP plaintext or TLS
RADIUS Server UDP 1813 RADIUS accounting
UDP 1645, 1812 RADIUS connection
Thales HSM TCP 9004 RFS and Thales HSM
NetScaler NSIP NetScaler ADM UDP 4739 For AppFlow communication
SNMP 161, 162 To send SNMP events/traps
Syslog 514 To receive syslog messages in NetScaler ADM
NetScaler SNIP NetScaler ADM TCP 5563 For ADC metrics (counters), system events, and Audit Log messages from NetScaler to NetScaler ADM.
TCP 5557, 5558 For logstream communication from NetScaler to NetScaler ADM.
Admin Workstation NetScaler NSIP TCP 80, 443 HTTP or HTTPS - GUI Administration
TCP 22 SSH Access

Note:

Depending on the NetScaler configuration, network traffic can originate from SNIP, MIP, or NSIP interfaces. If you have configured NetScalers in High Availability mode, NetScaler ADM uses the NetScaler subnet IP (Management SNIP) address to communicate with NetScaler.

Link to application firewall signatures

Link to bot management signatures

NetScaler ADM

Source Destination Type Port Details
NetScaler ADM NetScaler NSIP or Citrix SD-WAN instance TCP 80, 443 For NITRO communication
TCP 22 For SSH communication
ICMP No reserved port To detect network reachability between NetScaler ADM and ADC instances, SD-WAN instances, or the secondary NetScaler ADM server deployed in high availability mode.
NetScaler ADM TCP 22 For synchronization between NetScaler ADM servers deployed in high availability mode.
TCP 5454 Default port for communication, and database synchronization in between NetScaler ADM nodes in high availability mode.
Users TCP 25 To send SMTP notifications from NetScaler ADM to users.
LDAP external authentication server TCP 389, 636 Default port for authentication protocol. For communication between NetScaler ADM and LDAP external authentication server.
NTP Server UDP 123 Default NTP server port for synchronizing with multiple time sources.
RADIUS external authentication server RADIUS 1812 Default port for authentication protocol. For communication between NetScaler ADM and RADIUS external authentication server.
TACACS external authentication server TACACS 49 Default port for authentication protocol. For communication between NetScaler ADM and TACACS external authentication server.
NetScaler/CPX instance NetScaler ADM license server/agent TCP 27000 License port for communication between NetScaler ADM license server/agent and ADC/CPX instance.
TCP 7279 Citrix vendor daemon port.
Citrix ADM UDP 5005 Port to exchange heartbeats between HA nodes.
NetScaler SNIP TCP 161 To send SNMP events
NetScaler NSIP NetScaler ADM UDP 162 To receive SNMP traps from NetScaler
UDP 4739 To receive ADC analytics log data using IPFIX protocol
UDP 514 To receive syslog messages from NetScaler ADM
NetScaler SNIP NetScaler ADM TCP 5563 To receive ADC metrics (counters), system events, and Audit Log messages from NetScaler instance to NetScaler ADM
TCP 5557, 5558 For logstream communication (for Security Insight, Web Insight, and HDX Insight) from NetScaler
NetScaler ADM NetScaler ADM Agent TCP 443, 7443, 8443 Port for communication between NetScaler agent and NetScaler ADM

Note:

If you have configured NetScalers in High Availability mode, NetScaler ADM uses the NetScaler subnet IP (Management SNIP) address to communicate with NetScaler.

CTX124386 describes how to change the source address of syslog messages sent to ADM from the NSIP to the SNIP.

Citrix Cloud

The only Citrix component needed to serve as a channel for communication between Citrix Cloud and your resource locations is a connector. This connector might be a Connector Appliance or a Cloud Connector depending on your use case. For more information on which connector you require, see Resource types.

Connector Appliance

Once installed, the Connector Appliance initiates communication with Citrix Cloud through an outbound connection. All connections are established from the Connector Appliance to the cloud using the standard HTTPS port (443) and the TCP protocol. No incoming connections are allowed.

This is a list of ports that the Connector Appliance requires access to:

Service Port Supported Domain Protocol Configuration details
DNS 53 TCP/UDP This port must be open to the local setup
NTP 123 UDP This port must be open to the local setup
HTTPS 443 TCP Connector Appliance requires outbound access to this port

To configure the Connector Appliance, IT admins must be able to access the admin interface on port 443 (HTTPS) of the Connector Appliance.

Note: You must include https:// at the start of the IP address.

Connector Appliance with Active Directory

Additional ports are required to use Active Directory with Connector Appliance. The Connector Appliance requires an outbound connection to the Active Directory domain via the following ports:

Service Port Supported Domain Protocol
Kerberos 88 TCP/UDP
End Point Mapper (DCE/RPC Locator Service) 135 TCP
NetBIOS Name Service 137 UDP
NetBIOS Datagram 138 UDP
NetBIOS Session 139 TCP
LDAP 389 TCP/UDP
SMB over TCP 445 TCP
Kerberos kpasswd 464 TCP/UDP
Global Catalog 3268 TCP
Dynamic RPC Ports 49152..65535 TCP

Cloud Connector

All connections are established from the Cloud Connector to the cloud using the standard HTTPS port (443) and the TCP protocol. No incoming connections are accepted.

Cloud Connectors must be able to connect to Digicert for certificate revocation checks.

Source Destination Type Port Details
Cloud Connectors http://*.digicert.com HTTP 80 Periodic Certificate Revocation List checks
https://*.digicert.com HTTPS 443
https://dl.cacerts.digicert.com/DigiCertAssuredIDRootCA.crt HTTPS 443
https://dl.cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt HTTPS 443

To find the list of addresses that are common to most Citrix Cloud services and their function, refer to the product documentation.

Citrix DaaS

Source Destination Type Port Details
Virtual Delivery Agent Gateway Service TCP, UDP 443 Rendezvous Protocol.
Cloud Connectors Cloud Connectors TCP 80 Communication between Delivery Controllers secured via WCF.
TCP 89 Local Host Cache secured via WCF.
TCP 9095 Orchestration service secured via WCF.
Cloud Connectors XenServer Resource Pool Master TCP 80, 443 Communication with XenServer infrastructure.
Microsoft SCVMM Server TCP 8100 Communication with Microsoft SCVMM/Hyper-V infrastructure.
VMware vCenter Server TCP 443 Communication with VMware vSphere infrastructure.
Nutanix AHV TCP 9440 Communication with Nutanix AHV infrastructure.
Cloud Connectors Virtual Delivery Agent TCP, UDP 1494 Access to applications and virtual desktops by ICA/HDX. EDT protocol requires 1494 to be open for UDP.
TCP 80 Citrix VDA Registration with the Citrix Cloud Connector secured via WCF. Communication must be bi-directional.
TCP, UDP 2598 Access to applications and virtual desktops by ICA/HDX with Session Reliability. EDT protocol requires 2598 to be open for UDP.
Cloud Connectors WEM Agent TCP 49752 “Agent port”. Listening port on the agent host that receives instructions from Cloud Connector secured via WCF.
Cloud Connectors File Server TCP 139,445 Access to VDI acting as File server CSV mount points.
Cloud Connectors Citrix FAS Server TCP 80 Send identity assertion of the user secured via WCF.
Citrix Provisioning Server Console Cloud Connectors HTTPS 443 Provisioning Server integration with Citrix Cloud Studio.
Citrix License Server Citrix Cloud HTTPS 443 Citrix License Server integration with Citrix Cloud.
Citrix FAS Server Citrix Cloud HTTPS 443 Connection between Citrix FAS and Citrix Cloud.
Citrix DaaS Remote PowerShell SDK Citrix Cloud HTTPS 443 Any system running scripts based on the Citrix DaaS Remote PowerShell SDK.
Citrix Workspace App Virtual Delivery Agent TCP,UDP 1494 Access to applications and virtual desktops by ICA/HDX for Direct Workload Connection which bypasses Citrix Gateway Service for internal traffic.
TCP,UDP 2598 Access to applications and virtual desktops by ICA/HDX with Session Reliability for Direct Workload Connection which bypasses Citrix Gateway Service for internal traffic.
WEM Agent Cloud Connectors TCP 8080 Port on which the on-premises agent connects to Cloud Connector. This port is available for outbound LAN (Local Area Network) connections. Messages over the port are secured with Windows Communication Foundation (WCF) message-level security.
Citrix WEM Service HTTPS 443 Port on which the on-premises agent connects to the WEM service in Citrix Cloud. This port is available for outbound internet connections.

Read more about Citrix License Server integration here.

Read more about Citrix Provisioning Server integration here.

Read more about the Citrix DaaS Remote PowerShell SDK here.

Citrix Gateway Service

By default, the Gateway Service proxies HDX connections via the Citrix Cloud Connectors. Rendezvous Protocol changes the flow of HDX connections so that the Virtual Delivery Agent attempts to connect directly to the Gateway Service, bypassing the Citrix Cloud Connectors.

Rendezvous Protocol and HDX Enlightened Data Transport Protocol (EDT)

Source Destination Type Port Details
Virtual Delivery Agent Gateway Service UDP 443 EDT UDP over 443 to Gateway Service

The Virtual Delivery Agents must have access to https://*.nssvc.net, including all subdomains, or to https://*.c.nssvc.net and https://*.g.nssvc.net.

Note:

If using EDT in Microsoft Azure, UDP must be defined on the Azure Network Security Group (NSG) protecting the Virtual Delivery Agent

Read more about Rendezvous Protocol and HDX Enlightened Data Transport Protocol (EDT) requirements here.

Citrix Session Recording Service

Refer to the following link for Citrix Session Recording Service ports - Connectivity Requirements.

Citrix Endpoint Management

Refer to the following link for Citrix Endpoint Management (XenMobile) ports - Port Requirements.

Citrix Gateway

Source Destination Type Port Details
Citrix Gateway SNIP LDAP Server (Load Balancing) TCP 636 LDAPS SSL connection
TCP 3268 LDAP connection to Global Catalog
TCP 3269 LDAP connection to Global Catalog over SSL
TCP 389 LDAP plaintext or TLS
RADIUS Server (Load Balancing) UDP 1813 RADIUS accounting
UDP 1645, 1812 RADIUS connection
Secure Ticketing Authority (STA) TCP 80, 8080, 443 Secure Ticketing Authority (embedded into XML Service)
Virtual Delivery Agent TCP, UDP 1494 Access to applications and virtual desktops by ICA/HDX. EDT protocol requires 1494 to be open for UDP.
TCP, UDP 2598 Access to applications and virtual desktops by ICA/HDX with Session Reliability. EDT protocol requires 2598 to be open for UDP.
TCP, UDP 443 Access to applications and virtual desktops by ICA/HDX over TLS/DTLS.
UDP 16500..16509 ICA/HDX audio over UDP Real-time Transport
StoreFront TCP 80, 443 Citrix Gateway communication with StoreFront
Citrix Gateway Plug-in VPN/CVAD UDP 3108, 3168, 3188 For VPN tunnel with secure ICA connections
TCP, UDP 3148, 3149, 3159 For VPN tunnel with secure ICA connections
Admin Workstation Citrix Gateway TCP 80, 443 HTTPS - GUI Administration
TCP 22 SSH Access
Citrix Gateway DNS TCP, UDP 53 Communication with the DNS server

For more information about required ports for Citrix Gateway in a DMZ setup, refer to CTX113250.

Note:

Not all of the above ports are mandatory; which ones you need depends on your own configuration.

XenServer

Source Destination Type Port Details
Citrix Hypervisor Citrix Hypervisor TCP 443 Intra-host communication between members of a resource pool using XenAPI
NTP Service TCP, UDP 123 Time Synchronization
DNS Service TCP, UDP 53 DNS
Domain Controller TCP 389 User authentication when using Active Directory integration (LDAP)
TCP 636 LDAP over SSL (LDAPS)
File Server TCP, UDP 139 ISO Store: NetBIOS Session Service
TCP, UDP 445 ISO Store: Microsoft-DS
SAN Controller TCP 3260 iSCSI Storage
NAS Head/ File Server TCP 2049 NFS Storage
Syslog TCP 514 Sends data to a central location for collation
Clustering TCP 8892, 21064 All communication between pool members in a clustered pool.
UDP 5404, 5405
Admin Workstation (XenCenter) XenServer TCP 22 SSH
TCP 443 Management using XenAPI
Virtual Machine TCP 5900 VNC for Linux Guests
TCP 3389 RDP for Windows Guests

Read more about Citrix License Server requirements here.

Note:

If an FQDN is used instead of an IP address for a resource, make sure it is resolvable.

Citrix License Server

Source Destination Type Port Details
Any Citrix Component Citrix License Server TCP 27000 Handles initial point of contact for license requests
TCP 7279 Check-in/check-out of Citrix licenses
Delivery Controller Citrix License Server TCP 8082 Web-based administration console (Lmadmin.exe)
TCP 8083 Simple License Service port (required for CVAD)
Admin Workstation Citrix License Server TCP 8082 Web-based administration console (Lmadmin.exe)
TCP 8083 Simple License Service port (required for CVAD)
TCP 80 Licensing Config PowerShell Snap-in Service
Citrix License Server https://cis.citrix.com HTTPS 443 Citrix License automated license telemetry reporting

Citrix SD-WAN

Source Destination Type Port Details
SD-WAN Standard and Enterprise Edition SD-WAN Standard and Enterprise Edition UDP 4980 Static Virtual Path and Dynamic Virtual Path tunnels between SD-WAN SE/EE devices.
SD-WAN Center TCP 2156 Reporting communication between SD-WAN Center and SD-WAN SE/EE devices.
Citrix Cloud Zero Touch Deployment Service TCP 443 Authentication communication between SD-WAN devices and Citrix Cloud Services.
RADIUS TCP 1812 Default port for authentication protocol. For communication between SD-WAN SE/EE and RADIUS external authentication server.
TACACS+ TACACS 49 Default port for authentication protocol. For communication between SD-WAN SE/EE and TACACS external authentication server.
SNMP UDP 161, 162 SNMP authentication and polling to SD-WAN SE/EE devices.
NetFlow UDP 2055 NetFlow polling to SD-WAN SE/EE devices.
AppFlow (NetScaler ADM) TCP 4739 For AppFlow communication between NetScaler ADM and SD-WAN SE/EE devices.
API TCP 80, 443 For NITRO API communication to SD-WAN SE/EE devices.
SD-WAN Center Citrix Cloud Zero Touch Deployment Service TCP 443 Authentication communication between SD-WAN devices and Citrix Cloud Services.
SD-WAN WANOP Edition SD-WAN WANOP Edition TCP N/A SD-WAN WO Edition transparently optimizes TCP traffic between two sites. The original source destination and port go unchanged throughout the segments of the network.
API (NetScaler ADM) TCP 80, 443 For NITRO API communication between NetScaler ADM and SD-WAN WANOP devices.
SSH (NetScaler ADM) TCP 22 For SSH communication between NetScaler ADM and SD-WAN WANOP devices.
AppFlow (NetScaler ADM) TCP 4739 For AppFlow communication between NetScaler ADM and SD-WAN WANOP devices.
NetScaler ADM ICMP N/A For network reachability between NetScaler ADM and SD-WAN WANOP devices.
RADIUS TCP 1812 Default port for authentication protocol. For communication between SD-WAN WO and RADIUS external authentication server.
TACACS+ TACACS 49 Default port for authentication protocol. For communication between SD-WAN WO and TACACS external authentication server.
SNMP UDP 161, 162 SNMP authentication and polling to SD-WAN WO devices.
SD-WAN WANOP Edition (SSL Acceleration Enabled) SD-WAN WANOP Edition (SSL Acceleration Enabled) TCP 443 SD-WAN WO Edition secure peering feature encrypts traffic between SD-WAN peers.
Citrix Orchestrator On-Premises 9.9.9.9 UDP/TCP 53 DNS resolution of pertinent cloud service domains
SD-WAN Standard and Enterprise Edition TCP 443 Communication between Orchestrator On-Premises and SD-WAN SE/EE devices
Citrix Cloud TCP 443 Authentication communication with Citrix Cloud services
SD-WAN Standard and Enterprise Edition SSH 22 Communication between Orchestrator On-Premises and SD-WAN SE/EE devices

Citrix Virtual Apps and Desktops

Source Destination Type Port Details
Delivery Controller XenServer Resource Pool Master TCP 80, 443 Communication with XenServer infrastructure
Microsoft SCVMM Server TCP 8100 Communication with Hyper-V infrastructure
VMware vCenter Server TCP 443 Communication with vSphere infrastructure
Nutanix AHV TCP 9440 Communication with Nutanix AHV infrastructure
Microsoft SQL Server TCP 1433 Microsoft SQL Server
Virtual Delivery Agent TCP 80 (Bidirectional) Delivery Controller initiates the connection when discovering local applications or for gathering information about local processes, performance data, and so on.
Delivery Controller TCP 80 Communication between Delivery Controllers
TCP 89 Local Host Cache (This use of port 89 may change in future releases.)
TCP 9095 Orchestration service
Director Delivery Controller TCP 80, 443 Communication with Citrix Delivery Controllers
Citrix Director and Admin Workstation Virtual Delivery Agent TCP 135,3389 Communication between Citrix Director and Virtual Delivery Agent for Remote Assistance
TCP 389 LDAP Note: For the login step, Citrix Director does not contact the AD but does a local logon using the native Windows API - LoginUser (which might internally be contacting the AD).
Citrix Workspace app StoreFront TCP, UDP 80,443 Communication with StoreFront
Virtual Delivery Agent TCP, UDP 1494 Access to applications and virtual desktops by ICA/HDX for Direct Workload Connection which bypasses Citrix Gateway Service for internal traffic.
Virtual Delivery Agent TCP, UDP 2598 Access to applications and virtual desktops by ICA/HDX with Session Reliability for Direct Workload Connection which bypasses Citrix Gateway Service for internal traffic.
UDP 16500..16509 (Bidirectional) Port range for UDP ICA/HDX audio
Virtual Delivery Agent Delivery Controller TCP 80 (Bidirectional) Used by process ‘WorkstationAgent.exe’ for communication with Delivery Controller.
Admin Workstation Director Server TCP 80, 443 Access to Citrix Director website
Delivery Controller TCP 80, 443 When using a locally installed Citrix Studio console or the SDK to directly access Delivery Controller.
Virtual Delivery Agent TCP, UDP 49152..65535 Dynamically allocated high-port when initiating a Remote Assistance session from a Windows machine to a Virtual Delivery Agent.
HdxVideo.js Virtual Delivery Agent TCP 9001 HTML5 video redirection and Browser Content Redirection secure WebSocket service needed to redirect HTTPS websites. WebSocketService.exe runs on the local system and performs SSL termination and user session mapping. TLS Secure WebSocket listening on 127.0.0.1 port 9001.

Read more about Citrix License Server requirements here.

Citrix App Layering

Refer to the following link for Citrix App Layering ports - Firewall Ports.

Federated Authentication Service

Source Destination Type Port Details
StoreFront FAS Server TCP 80 To send identity assertion of the user.
FAS Server Microsoft Certificate Authority DCOM 135 By default the Microsoft CA uses DCOM for access. This can result in complexities when implementing firewall security, so Microsoft has a provision to switch to a static TCP port. See Configure MS CA DCOM for more information.
Virtual Delivery Agent FAS Server TCP 80 Fetch the user certificate from the FAS Server.

Provisioning Services

Source Destination Type Port Details
Provisioning Server Provisioning Server UDP 6890..6909 Inter-server communication
Microsoft SQL Server TCP 1433 Communication with Microsoft SQL Server
Citrix License Server TCP 27000 “Citrix License Server port”. The port on which the Citrix License Server is listening and to which the infrastructure service then connects to validate licensing.
TCP 7279 The port used by the dedicated Citrix component (daemon) in the Citrix License Server to validate licensing.
Domain Controller TCP 389 Communication with Active Directory
Target Device UDP 6901, 6902, 6905 Target device to Citrix Provisioning communication (not configurable)
Citrix Hypervisor TCP 80, 443 Communication with Citrix Hypervisor infrastructure
VMware vCenter Server TCP 443 Communication with vSphere infrastructure
Microsoft Hyper-V TCP 8100 Communication with Hyper-V infrastructure
Microsoft Azure TCP 443 Communication with Azure infrastructure
Google Cloud Platform TCP 443 Communication with Google Cloud infrastructure
Target Device Broadcast/DHCP Server UDP 66, 67 Only DHCP options: Obtaining network boot DHCP options 66 - TFTP Server Name (Bootstrap Protocol Server) and 67 - Boot file name (Bootstrap Protocol Client).
Broadcast/PXE Service UDP 69 Trivial File Transfer (TFTP) for Bootstrap delivery
TFTP Server UDP 6910 Target Device login at Provisioning Services
Provisioning Server UDP 6910..6930 Virtual disk Streaming (Streaming Service) (configurable)
UDP 6901, 6902, 6905 Target device to Citrix Provisioning communication (not configurable)
UDP 6969, 2071 Only BDM: Two Stage Boot (BDM). Used in boot from ISO or USB scenarios only.
TCP 54321..54323 SOAP Service - Used by Imaging Wizards
Admin Workstation Provisioning Server TCP 54321..54323 SOAP Service - Used by Console and APIs (MCLI, PowerShell, etc.)
Delivery Controller TCP 80 When using on-prem CVAD - used by Console wizards when creating Broker Catalogs
CVAD Service TCP 443 When using CVADS - used by Console wizards when creating Broker Catalogs

Universal Print Server

Source Destination Type Port Details
Virtual Delivery Agent Universal Print Server UDP 7229 Universal Print Server print data stream (CGP) port (configurable)
Virtual Delivery Agent Universal Print Server TCP 8080 Universal Print Server web service (HTTP/SOAP) port (configurable)

Remote PC Access

Source Destination Type Port Details
Admin Workstation Virtual Delivery Agent UDP 9 Wake on LAN for Remote PC Access power management
WOL Proxy Virtual Delivery Agent TCP 135 Wake Up Proxy for Remote PC Access power management

Note:

Remote PC Access is using the same Virtual Delivery Agent ports as regular virtual desktops

Session Recording

Source Destination Type Port Details
Virtual Delivery Agent Session Recording Server TCP 80, 443 Communication between Session Recording Agent installed on Virtual Delivery Agent to connect to the Session Recording Server. Default installation uses HTTPS/SSL to secure communications. If SSL is not configured, use HTTP.
Session Recording Policy Console Session Recording Server TCP 80, 443 Communication between server where the Session Recording Policy Console is installed and Session Recording Server
Session Recording Player Session Recording Server TCP 80, 443 Communication between the workstation where the Session Recording Player is installed and Session Recording Server.

StoreFront

Source Destination Type Port Details
User Device StoreFront Server TCP 80, 443 Connecting to the store hosted on StoreFront server
StoreFront Server Domain Controller TCP, UDP 389 LDAP connection to query user-friendly name and email addresses
TCP, UDP 88 Kerberos
TCP, UDP 464 Native Windows authentication protocol to allow users to change expired passwords
StoreFront Server TCP Randomly selected unreserved port per service. See the end of this table for firewall configuration when you place StoreFront in its own network. Used for peer-to-peer services (Credential Wallet, Subscriptions Store; one per store). These services use the MS .NET NetPeerTcpBinding, which negotiates a random port on each server between the peers. Only used for communication within the cluster.
TCP 808 Used for Subscription Replication Services. Not installed by default. Used to replicate subscriptions between associated clusters
Delivery Controller, XenMobile TCP 80, 443 For application and desktop requests.
NetScaler StoreFront TCP 8000 For Monitoring Service used by NetScaler load balancer.
StoreFront Citrix Gateway TCP 443 Callback URL to reach Citrix Gateway from StoreFront

Use the following information for configuration of firewalls when you place StoreFront in its own network:

  1. Locate the config files:
    • C:\Program Files\Citrix\Receiver StoreFront\Services\SubscriptionsStoreService\Citrix.DeliveryServices.SubscriptionsStore.ServiceHost.exe.config
    • C:\Program Files\Citrix\Receiver StoreFront\Services\CredentialWallet\Citrix.DeliveryServices.CredentialWallet.ServiceHost.exe.config
  2. Edit both the config files changing the values for endpoint URIs.

    For example, change every address that starts with net.p2p:// so that it includes the port: <endpoint uri="net.p2p://Citrix-Subscriptions-1__Citrix_Store"> becomes <endpoint uri="net.p2p://Citrix-Subscriptions-1__Citrix_Store:93">, and so on for all other net.p2p addresses.

  3. Restart the subscriptions store and credential wallet.
  4. The local firewall includes rules for allowing per application access, so it is not locked down by port.
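The following PowerShell function is an added example, not Citrix's own code or tooling. It performs step 2 above on one ServiceHost .exe.config file: every <endpoint> whose uri attribute starts with net.p2p:// gets the chosen port appended, endpoints that already carry a port are left alone so the script can be re-run safely, and a .bak copy is kept before saving. The XML layout of the sample config, the attribute name uri, and the port 93 are assumptions taken from the example in step 2; the real files on your servers may contain additional sections, which the XPath below ignores. The same port must be used on every StoreFront server in the cluster.

```powershell
# Added example (not Citrix's code): pin StoreFront net.p2p endpoints to a fixed port
# so the firewall between StoreFront nodes can allow that port explicitly instead of
# a randomly negotiated unreserved port.
function Set-NetP2pEndpointPort {
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,
        [Parameter(Mandatory)] [ValidateRange(1, 65535)] [int] $Port
    )

    # Resolve to a full path: XmlDocument.Save() does not honour the PowerShell location
    $fullPath = (Resolve-Path -LiteralPath $ConfigPath).ProviderPath
    [xml] $config = Get-Content -LiteralPath $fullPath -Raw
    $changed = 0

    # Namespace-agnostic match of every <endpoint uri="..."> anywhere in the file
    # (assumption: the attribute is called uri, as in the example in step 2)
    foreach ($endpoint in $config.SelectNodes('//*[local-name()="endpoint"][@uri]')) {
        $uri = $endpoint.GetAttribute('uri')
        if ($uri -notlike 'net.p2p://*') { continue }

        # Already pinned (mesh name followed by :port)? Leave it, so re-runs are idempotent
        $meshPart = $uri.Substring('net.p2p://'.Length)
        if ($meshPart -match '^[^/:]+:\d+') { continue }

        # Insert :port directly after the mesh name, before any trailing path component
        $newUri = $uri -replace '^(net\.p2p://[^/:]+)', ('${1}:' + $Port)
        $endpoint.SetAttribute('uri', $newUri)
        $changed++
    }

    if ($changed -gt 0) {
        Copy-Item -LiteralPath $fullPath -Destination "$fullPath.bak" -Force
        $config.Save($fullPath)
    }
    return $changed
}

# --- Demonstration on a constructed sample config (not a real StoreFront file) ---
$sample = Join-Path $env:TEMP 'SubscriptionsStore.sample.config'
@'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <services>
    <service name="Citrix.DeliveryServices.SubscriptionsStore.ServiceHost">
      <endpoint uri="net.p2p://Citrix-Subscriptions-1__Citrix_Store" />
      <endpoint uri="net.p2p://Citrix-Subscriptions-1__Citrix_Store2:93" />
      <endpoint uri="net.tcp://localhost/Citrix/SubscriptionsStore" />
    </service>
  </services>
</configuration>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

$count = Set-NetP2pEndpointPort -ConfigPath $sample -Port 93
"Rewrote $count net.p2p endpoint(s) in $sample"
Select-String -LiteralPath $sample -Pattern 'net\.p2p://' | ForEach-Object { $_.Line.Trim() }
```

Run it once per file listed in step 1 (the real paths under C:\Program Files\Citrix\Receiver StoreFront\Services\...), then restart the Subscriptions Store and Credential Wallet services as in step 3 and add a firewall rule that allows TCP on the chosen port only between the StoreFront servers. The function only rewrites the endpoint URIs; it does not restart services or change firewall rules.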

Workspace Environment Management

Source Destination Type Port Details
Infrastructure service Agent host TCP 49752 “Agent port”. Listening port on the agent host which receives instructions from the infrastructure service.
Administration console Infrastructure service TCP 8284 “Administration port”. Port on which the administration console connects to the infrastructure service.
Agent Infrastructure service TCP 8286 “Agent service port”. Port on which the agent connects to the infrastructure server.
Agent cache synchronization process Infrastructure service TCP 8285 “Cache synchronization port”. Applicable to Workspace Environment Management 1909 and earlier; replaced by Cached data synchronization port in Workspace Environment Management 1912 and later. Port on which the agent cache synchronization process connects to the infrastructure service to synchronize the agent cache with the infrastructure server.
TCP 8288 “Cached data synchronization port”. Applicable to Workspace Environment Management 1912 and later; replaces Cache synchronization port of Workspace Environment Management 1909 and earlier. Port on which the agent cache synchronization process connects to the infrastructure service to synchronize the agent cache with the infrastructure server.
Monitoring service Infrastructure service TCP 8287 “WEM monitoring port”. Listening port on the infrastructure server used by the monitoring service. (Not yet implemented.)
Infrastructure service Microsoft SQL Server TCP 1433 To connect to WEM Database
Citrix License Server TCP 27000 “Citrix License Server port”. The port on which the Citrix License Server is listening and to which the infrastructure service then connects to validate licensing.
TCP 7279 The port used by the dedicated Citrix component (daemon) in the Citrix License Server to validate licensing.

Read more about Citrix Workspace Environment Management requirements here.

Read more about Citrix License Server requirements here.

CSV File

We would like to provide you with a CSV file of the Citrix Communication Ports that you can use for your own needs.
