Citrix Cloud Connector – Firewall Considerations (including BYO Storefront & Citrix ADC)

After being involved in a number of Citrix Cloud deployments, one question has come up repeatedly: what are the firewall requirements for the Cloud Connector?

Reviewing the “Communication Ports Used by Citrix Technologies” article for Citrix Cloud / Cloud Connector, the following section is listed for Citrix Cloud:

(Screenshot: cc-fire-1)

The outbound TCP 443 (HTTPS) requirement is well known and published. TCP 9350-9354 refers to the Azure Service Bus, which uses 443 by default but may fall back to the 935x ports. 14/03/2017 – Clarified that these ports are not required and the Citrix documentation is to be updated.

(Screenshot: cc-fire-2)


Less well known, and harder to find in support articles, is the communication required between the Cloud Connectors and the other components in the resource location.

With BYO (Bring Your Own) NetScaler and StoreFront, the following firewall rules are required:

Source             Destination               Port / Protocol        Purpose
Cloud Connector    Internet                  TCP 443                HTTPS to Citrix Cloud
Cloud Connector    Active Directory Servers  UDP 123                W32Time
                                             TCP 135                RPC Endpoint Mapper
                                             TCP/UDP 464            Kerberos password change
                                             TCP 49152-65535 (*)    RPC for LSA, SAM, Netlogon
                                             TCP/UDP 389            LDAP
                                             TCP 636                LDAP SSL
                                             TCP 3268               LDAP Global Catalog
                                             TCP 3269               LDAP Global Catalog SSL
                                             TCP/UDP 53             DNS
                                             TCP 49152-65535 (*)    FRS RPC
                                             TCP/UDP 88             Kerberos
                                             TCP 445                SMB
StoreFront (BYO)   Cloud Connector           TCP 80/443             XML/STA broker traffic (encrypt with certificates)
NetScaler (BYO)    Cloud Connector           TCP 80/443             XML/STA broker traffic (encrypt with certificates)
VDA                Cloud Connector           TCP 80                 Traffic encrypted using Kerberos
Cloud Connector    VDA                       TCP 80                 Traffic encrypted using Kerberos

(*) This is the default dynamic RPC port range on Windows Server 2008 and later. If the range has been narrowed on the domain controllers (netsh int ipv4 set dynamicport tcp ...), open the narrowed range instead; the endpoint mapper on TCP 135 is always needed in addition, as it is what hands out the dynamic port.

(Screenshot: cc-fire-3)
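The BYO table above is usually implemented on a perimeter firewall, but the same rules are worth mirroring on the Cloud Connector's own Windows Defender Firewall when the host's outbound default is Block. The script below is an added example, not code from the original post or from Citrix; it turns each row of the table into a host-firewall rule with New-NetFirewallRule. All addresses and subnets are assumed placeholders, and the rule names and group name are my own.

```powershell
# Added example (not from the original post): mirror the BYO StoreFront/NetScaler table
# as Windows Defender Firewall rules on the Cloud Connector itself.
# All addresses below are assumed placeholders; substitute your own.
$DomainControllers = @('10.0.1.10', '10.0.1.11')   # assumed DC addresses
$StoreFrontServers = @('10.0.2.20', '10.0.2.21')   # assumed BYO StoreFront servers
$NetScalerSnips    = @('10.0.3.30')                # assumed BYO NetScaler SNIP
$VdaSubnets        = @('10.0.10.0/24')             # assumed VDA subnet(s)
$Group             = 'Citrix Cloud Connector (example)'

# Cloud Connector -> Active Directory, one entry per table row. 'TCP/UDP' rows get two rules.
$AdPorts = @(
    @{ Name = 'W32Time';                  Proto = 'UDP';     Port = '123' },
    @{ Name = 'RPC Endpoint Mapper';      Proto = 'TCP';     Port = '135' },
    @{ Name = 'Kerberos password change'; Proto = 'TCP/UDP'; Port = '464' },
    @{ Name = 'RPC dynamic (LSA/SAM/Netlogon/FRS)'; Proto = 'TCP'; Port = '49152-65535' },
    @{ Name = 'LDAP';                     Proto = 'TCP/UDP'; Port = '389' },
    @{ Name = 'LDAP SSL';                 Proto = 'TCP';     Port = '636' },
    @{ Name = 'LDAP GC';                  Proto = 'TCP';     Port = '3268' },
    @{ Name = 'LDAP GC SSL';              Proto = 'TCP';     Port = '3269' },
    @{ Name = 'DNS';                      Proto = 'TCP/UDP'; Port = '53' },
    @{ Name = 'Kerberos';                 Proto = 'TCP/UDP'; Port = '88' },
    @{ Name = 'SMB';                      Proto = 'TCP';     Port = '445' }
)

function Add-Rule {
    param($Name, $Direction, $Proto, $LocalPort, $RemotePort, $RemoteAddress)
    # Skip rules that already exist so the script is safe to re-run.
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) { return }
    $p = @{
        DisplayName = $Name; Group = $Group; Direction = $Direction; Action = 'Allow'
        Protocol = $Proto; Profile = 'Domain'; RemoteAddress = $RemoteAddress
    }
    if ($LocalPort)  { $p.LocalPort  = $LocalPort }
    if ($RemotePort) { $p.RemotePort = $RemotePort }
    New-NetFirewallRule @p | Out-Null
}

foreach ($row in $AdPorts) {
    foreach ($proto in ($row.Proto -split '/')) {
        Add-Rule -Name "CC -> AD $($row.Name) ($proto $($row.Port))" -Direction Outbound `
                 -Proto $proto -RemotePort $row.Port -RemoteAddress $DomainControllers
    }
}

# Cloud Connector -> Internet, TCP 443. A host firewall filters by IP, not FQDN, so this
# rule stays open to Any; restrict it to the Citrix Cloud FQDN list at a proxy or perimeter
# firewall that can filter on FQDN.
Add-Rule -Name 'CC -> Internet HTTPS (TCP 443)' -Direction Outbound -Proto TCP `
         -RemotePort '443' -RemoteAddress 'Any'

# StoreFront / NetScaler -> Cloud Connector, TCP 80/443 (XML/STA broker traffic).
Add-Rule -Name 'StoreFront/NetScaler -> CC (TCP 80,443)' -Direction Inbound -Proto TCP `
         -LocalPort @('80', '443') -RemoteAddress ($StoreFrontServers + $NetScalerSnips)

# VDA <-> Cloud Connector, TCP 80 in both directions (registration and brokering).
Add-Rule -Name 'VDA -> CC (TCP 80)' -Direction Inbound  -Proto TCP -LocalPort '80'  -RemoteAddress $VdaSubnets
Add-Rule -Name 'CC -> VDA (TCP 80)' -Direction Outbound -Proto TCP -RemotePort '80' -RemoteAddress $VdaSubnets

# Show what was created.
Get-NetFirewallRule -Group $Group | Select-Object DisplayName, Direction, Enabled | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the connector. Because each rule is scoped to the DC addresses, StoreFront/NetScaler addresses or VDA subnets rather than Any, a misconfigured connector cannot reach LDAP or SMB on arbitrary hosts even though the ports are open; only the Internet 443 rule has to stay unscoped.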

If using the cloud-hosted NetScaler Gateway Service and StoreFront, the following firewall rules are required:

Source             Destination               Port / Protocol        Purpose
Cloud Connector    Internet                  TCP 443                HTTPS to Citrix Cloud
Cloud Connector    Active Directory Servers  UDP 123                W32Time
                                             TCP 135                RPC Endpoint Mapper
                                             TCP/UDP 464            Kerberos password change
                                             TCP 49152-65535 (*)    RPC for LSA, SAM, Netlogon
                                             TCP/UDP 389            LDAP
                                             TCP 636                LDAP SSL
                                             TCP 3268               LDAP Global Catalog
                                             TCP 3269               LDAP Global Catalog SSL
                                             TCP/UDP 53             DNS
                                             TCP 49152-65535 (*)    FRS RPC
                                             TCP/UDP 88             Kerberos
                                             TCP 445                SMB
VDA                Cloud Connector           TCP 80                 Traffic encrypted using Kerberos
Cloud Connector    VDA                       TCP 80                 Traffic encrypted using Kerberos
Cloud Connector    VDA (**)                  TCP/UDP 1494           ICA/HDX
Cloud Connector    VDA (**)                  TCP/UDP 2598           Session Reliability (CGP)

(*) Default dynamic RPC port range on Windows Server 2008 and later; open the narrowed range instead if it has been changed on the domain controllers.

(**) The original table gives no source or destination for the 1494 and 2598 rows. With the cloud-hosted Gateway Service there is no NetScaler in the resource location, so the Cloud Connector proxies the HDX session to the VDA over its existing outbound 443 connection (see the first comment below); these rows are therefore Cloud Connector to VDA, and there are no inbound rules from the Internet.


(Screenshot: cc-fire-4)

Additionally, if using Workspace site aggregation you will need the following:

Source             Destination                                          Port / Protocol   Purpose
Cloud Connector    XenApp 6.5 site only                                 TCP 2513          Citrix XenApp Remoting Service
Cloud Connector    XenApp 6.5 site / Virtual Apps & Desktops 7.x site   TCP 80/443        XML service (encrypt with certificates)

(Screenshot: SiteAgreg)
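Before raising a case for a connector that will not register or broker, it is worth proving every outbound path in the three tables above from the connector itself. The script below is an added example, not code from the original post or from Citrix. It discovers the domain controllers from the domain the connector is joined to; the VDA names, the XenApp 6.5 controller name and the Citrix Cloud endpoint used for the 443 check are assumed placeholders (substitute the FQDN list from the Citrix Cloud documentation for the last one). TCP ports are probed with Test-NetConnection; the UDP rows (DNS, W32Time) and the dynamic RPC range are exercised with real DNS, NTP and Netlogon requests instead, because a socket probe cannot tell you anything about UDP or about a port range.

```powershell
# Added example (not from the original post): run on a Cloud Connector to verify the
# outbound paths in the BYO, Gateway Service and site aggregation tables above.
$Vdas          = @('vda01.corp.example', 'vda02.corp.example')   # assumed VDA names
$XenApp65Ctrls = @('xa65-zdc01.corp.example')                   # assumed XenApp 6.5 controller
$CloudEndpoint = 'trust.citrixworkspacesapi.net'                # assumed; use the list from Citrix docs

$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs     = $domain.DomainControllers | ForEach-Object { $_.Name }
$results = New-Object System.Collections.Generic.List[object]

function Test-Port {
    param($Target, $Port, $Purpose)
    # Test-NetConnection only speaks TCP; UDP rows are exercised with real queries below.
    $ok = (Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
    $results.Add([pscustomobject]@{ Target = $Target; Port = "TCP $Port"; Purpose = $Purpose; Ok = [bool]$ok })
}

# Cloud Connector -> Internet (TCP 443).
Test-Port -Target $CloudEndpoint -Port 443 -Purpose 'Citrix Cloud control plane'

# Cloud Connector -> Active Directory: the static TCP ports from the table.
$adTcp = @{ 135 = 'RPC Endpoint Mapper'; 389 = 'LDAP'; 636 = 'LDAP SSL'; 3268 = 'LDAP GC'
            3269 = 'LDAP GC SSL'; 88 = 'Kerberos'; 464 = 'Kerberos password change'
            445 = 'SMB'; 53 = 'DNS' }
foreach ($dc in $dcs) {
    foreach ($port in $adTcp.Keys) { Test-Port -Target $dc -Port $port -Purpose $adTcp[$port] }

    # UDP 53: a real DNS query against this DC (Resolve-DnsName tries UDP first).
    $dnsOk = [bool](Resolve-DnsName -Name $domain.Name -Server $dc -DnsOnly -ErrorAction SilentlyContinue)
    $results.Add([pscustomobject]@{ Target = $dc; Port = 'UDP 53'; Purpose = 'DNS'; Ok = $dnsOk })

    # UDP 123: an NTP sample from this DC. A blocked port shows up as "hh:mm:ss, error: 0x..."
    # in the stripchart output rather than an offset such as "hh:mm:ss, +00.0012345s".
    $ntp   = (w32tm /stripchart "/computer:$dc" /samples:1 /dataonly 2>&1) -join "`n"
    $ntpOk = ($ntp -match ', [+-]\d+\.\d+s') -and ($ntp -notmatch 'error')
    $results.Add([pscustomobject]@{ Target = $dc; Port = 'UDP 123'; Purpose = 'W32Time'; Ok = $ntpOk })
}

# TCP 49152-65535 cannot be probed port by port. A secure-channel verification goes through
# the Netlogon RPC interface (endpoint mapper plus a dynamic port, or SMB named pipes),
# so a pass proves the RPC rows work end to end.
$nl   = (nltest /sc_verify:$($domain.Name) 2>&1) -join "`n"
$nlOk = $nl -match 'completed successfully'
$results.Add([pscustomobject]@{ Target = $domain.Name; Port = 'TCP 135 + dynamic'; Purpose = 'Netlogon secure channel'; Ok = $nlOk })

# Cloud Connector -> VDA: TCP 80 always; 1494/2598 only matter when the cloud-hosted
# Gateway Service is in use and the connector proxies HDX to the VDA.
foreach ($vda in $Vdas) {
    Test-Port -Target $vda -Port 80   -Purpose 'VDA brokering'
    Test-Port -Target $vda -Port 1494 -Purpose 'ICA/HDX (Gateway Service proxy)'
    Test-Port -Target $vda -Port 2598 -Purpose 'Session Reliability (Gateway Service proxy)'
}

# Cloud Connector -> XenApp 6.5 site (Workspace site aggregation).
foreach ($ctrl in $XenApp65Ctrls) {
    Test-Port -Target $ctrl -Port 2513 -Purpose 'XenApp Remoting Service'
    Test-Port -Target $ctrl -Port 80   -Purpose 'XML service (use 443 if certificate-secured)'
}

# Failures sort to the top.
$results | Sort-Object Ok | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) { Write-Warning 'One or more required paths are blocked.' }
```

A TCP probe that succeeds only proves the firewall allows the connection, not that the service on the far end is healthy, so treat a green row as "the firewall is not the problem" rather than "it works". The UDP 1494/2598 variants (HDX over EDT) are not probed; if EDT is in use, confirm those separately on the perimeter firewall.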

The AD ports are taken from the “Inbound and outbound ports configuration” section (page 26) of the following Citrix Cloud overview document:

https://docs.citrix.com/content/dam/pdfs/content/docs/en-us/citrix-cloud/download.pdf

Hope this helps.


14 comments

  1. If using hosted NS/SF, how do the client connections get to the VDAs? There aren’t any incoming ports defined?

    1. They use the cloud connector to bridge the HDX connection to the VDAs. The existing outgoing 443 connection from the resource location is kept alive, and this already established connection is utilised to access the VDAs, which the cloud connector proxies.

      The cloud connector needs to take into account this proxied connection when sizing it properly.

  2. Hi David,
    Just trying to figure out which ports are required for the cloud version of Studio to talk to a print server in the resource location so that I can configure session printers. We have 443 and we can do AD stuff, but it is unable to read the print server. It seems to find it but it doesn’t expand the print queues (but it may be finding it in the AD).
    Any ideas?
    Thanks,
    Jane

    1. Hi Jane,
      Check you can access the print server from the cloud connectors directly to confirm all is good. But a very good spot, Jane, and I’ll look into it in more detail if you’re still having the problem.

      CC should co-ordinate all activities between cloud Studio and your resource over 443 only (kinda like a proxy).

      Cheers

      David

      1. Just checked and there are no firewalls or routing issues in the way. It should be able to interrogate the print server and bring up a print queue list; I can do that from a VDA desktop without issues.
        The cloud connector just doesn’t seem to be able to do that list pull into the control plane.
        I’ve just logged into the cloud connector and, using Add Printer, I can connect to the print server and pull a full list of printers, but not via the Citrix control plane / Citrix policies.
        Odd.

        1. I am getting the same issue now after setting up a test. I also tick the prompt for credentials, but still no joy getting a list of printers. Running Wireshark from the cloud connector, I see some LDAP requests, but it fails.
