After being involved in a number of Citrix Cloud deployments, a question has continuously popped up around the firewall requirements for the Cloud Connector.
Reviewing “Communication Ports Used by Citrix Technologies” for Citrix Cloud and the Cloud Connector, the following section is listed for Citrix Cloud.
The TCP 443 (HTTPS) outbound requirement is well known and published. TCP ports 9350-9354 refer to the Azure Service Bus, which uses 443 by default but may fall back to the 935x ports. Update 14/03/2017: clarified that these ports are not required and the Citrix documentation is to be updated.
Less well known, and less available from support articles, is the communication required between Cloud Connectors and other components in the resource location.
If using BYO (Bring Your Own) NetScaler and StoreFront, the following firewall rules will be required:
| Source | Destination | Port |
|---|---|---|
| Cloud Connector | Internet | TCP 443 |
| Cloud Connector | Active Directory Servers | UDP 123 (W32Time) |
| Cloud Connector | Active Directory Servers | TCP 135 (RPC Endpoint Mapper) |
| Cloud Connector | Active Directory Servers | TCP/UDP 464 (Kerberos password change) |
| Cloud Connector | Active Directory Servers | TCP 49152-65535 (RPC for LSA, SAM, Netlogon) (*) |
| Cloud Connector | Active Directory Servers | TCP/UDP 389 (LDAP) |
| Cloud Connector | Active Directory Servers | TCP 636 (LDAP SSL) |
| Cloud Connector | Active Directory Servers | TCP 3268 (LDAP GC) |
| Cloud Connector | Active Directory Servers | TCP 3269 (LDAP GC SSL) |
| Cloud Connector | Active Directory Servers | TCP/UDP 53 (DNS) |
| Cloud Connector | Active Directory Servers | TCP 49152-65535 (FRS RPC) (*) |
| Cloud Connector | Active Directory Servers | TCP/UDP 88 (Kerberos) |
| Cloud Connector | Active Directory Servers | TCP 445 (SMB) |
| StoreFront (BYO) | Cloud Connector | TCP 80/443 (encrypt with certificates) |
| NetScaler (BYO) | Cloud Connector | TCP 80/443 (encrypt with certificates) |
| VDA | Cloud Connector | TCP 80 (traffic encrypted using Kerberos) |
| Cloud Connector | VDA | TCP 80 (traffic encrypted using Kerberos) |
If using the cloud-hosted NetScaler service/StoreFront, the following firewall rules will be required:
| Source | Destination | Port |
|---|---|---|
| Cloud Connector | Internet | TCP 443 |
| Cloud Connector | Active Directory Servers | UDP 123 (W32Time) |
| Cloud Connector | Active Directory Servers | TCP 135 (RPC Endpoint Mapper) |
| Cloud Connector | Active Directory Servers | TCP/UDP 464 (Kerberos password change) |
| Cloud Connector | Active Directory Servers | TCP 49152-65535 (RPC for LSA, SAM, Netlogon) (*) |
| Cloud Connector | Active Directory Servers | TCP/UDP 389 (LDAP) |
| Cloud Connector | Active Directory Servers | TCP 636 (LDAP SSL) |
| Cloud Connector | Active Directory Servers | TCP 3268 (LDAP GC) |
| Cloud Connector | Active Directory Servers | TCP 3269 (LDAP GC SSL) |
| Cloud Connector | Active Directory Servers | TCP/UDP 53 (DNS) |
| Cloud Connector | Active Directory Servers | TCP 49152-65535 (FRS RPC) (*) |
| Cloud Connector | Active Directory Servers | TCP/UDP 88 (Kerberos) |
| Cloud Connector | Active Directory Servers | TCP 445 (SMB) |
| VDA | Cloud Connector | TCP 80 (traffic encrypted using Kerberos) |
| Cloud Connector | VDA | TCP 80 (traffic encrypted using Kerberos) |
| Cloud Connector | VDA | TCP/UDP 1494 |
| Cloud Connector | VDA | TCP/UDP 2598 |
Additionally, if using Workspace Site Aggregation you’ll need the following:
| Source | Destination | Port |
|---|---|---|
| Cloud Connector | XenApp 6.5 Site only | TCP 2513 (Citrix XenApp Remoting Service) |
| Cloud Connector | XenApp 6.5 Site / Virtual Apps & Desktops 7.x Site | TCP 80/443 (encrypt with certificates) |
The AD ports are taken from the “Inbound and outbound ports configuration” section (page 26) of the following Citrix Cloud overview document:
https://docs.citrix.com/content/dam/pdfs/content/docs/en-us/citrix-cloud/download.pdf
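To confirm the Cloud Connector to Active Directory rules above are actually open before a deployment, the following PowerShell script (an added example, not part of the original post or of Citrix’s own tooling) tests each fixed TCP port against every domain controller it can discover. It assumes it is run on a domain-joined Cloud Connector with Test-NetConnection available (Windows Server 2012 R2 and later); UDP rules and the dynamic RPC range cannot be proven with a TCP connect, so the script reports them as not tested rather than silently skipping them.

```powershell
# Added example: check the fixed "Cloud Connector -> Active Directory Servers" TCP ports.
# Assumes a domain-joined Connector and the NetTCPIP module (Test-NetConnection).
$adTcpPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC Endpoint Mapper'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    636  = 'LDAP SSL'
    3268 = 'LDAP GC'
    3269 = 'LDAP GC SSL'
}
# Flows a TCP connect cannot verify: UDP services and the dynamic RPC range.
$notTested = 'UDP 123 (W32Time), UDP 53/88/389/464, TCP 49152-65535 (RPC for LSA/SAM/Netlogon, FRS RPC)'

# Discover domain controllers through .NET so no RSAT install is required on the Connector.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs    = $domain.DomainControllers | ForEach-Object { $_.Name }

$results = foreach ($dc in $dcs) {
    foreach ($entry in $adTcpPorts.GetEnumerator()) {
        # -InformationLevel Quiet returns $true/$false for the TCP connect only.
        $ok = Test-NetConnection -ComputerName $dc -Port $entry.Key `
              -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            Port             = $entry.Key
            Service          = $entry.Value
            Reachable        = $ok
        }
    }
}

$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    Write-Warning 'Blocked TCP flows from this Connector; fix these firewall rules first:'
    $blocked | ForEach-Object {
        Write-Warning ('  {0} -> TCP {1} ({2})' -f $_.DomainController, $_.Port, $_.Service)
    }
} else {
    Write-Host "All fixed AD TCP ports are reachable from $env:COMPUTERNAME" -ForegroundColor Green
}
Write-Host "Not tested by this script: $notTested"
```

A reachable port only proves the firewall path; a blocked result from this script is the fastest way to distinguish a rule gap from the application-level problems discussed in the comments below.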
Hope this helps.
If using hosted NS/SF, how do the client connections get to the VDAs? There aren’t any incoming ports defined..??
They use the cloud connector to bridge the HDX connection to the VDAs. The existing outgoing 443 connection from the resource location is kept alive, and this already established connection is used to access the VDAs, which the cloud connector proxies.
This proxied connection needs to be taken into account when sizing the cloud connector properly.
This article really helped me, thank you!
Thanks for your feedback. Glad it has helped.
Hi David,
Just trying to figure out which ports are required for the Cloud version of Studio to talk to a print server in the resource location so that I can configure Session Printers. We have 443 and we can do AD stuff, but it is unable to read the print server. It seems to find it but it doesn’t expand the print queues (it may be finding it in AD).
Any ideas?
Thanks
Jane
Hi Jane,
Check you can access the print server from the cloud connectors directly to confirm all is good. But a very good spot Jane, and I’ll look into it in more detail if you’re still having the problem.
The CC should co-ordinate all activities between Cloud Studio and your resources over 443 only (kinda like a proxy).
Cheers
David
Just checked and there are no firewalls or routing issues in the way. It should be able to interrogate the print server and bring up a print queue list; I can do that from a VDA desktop without issues.
The cloud connector just doesn’t seem to be able to do that list pull into the control plane.
I’ve just logged into the cloud connector and, using Add Printer, I can connect to the print server and pull a full list of printers, but not via the Citrix control plane/Citrix policies.
Odd.
Very odd, will have a look at replicating this to see if it happens with me and let you know.
I am getting the same issue now after setting up a test. I also ticked the prompt for credentials but still no joy getting a list of printers. Running Wireshark from the cloud connector and seeing some LDAP requests, but it fails.
And what is the flow between Cloud Services and Cloud Connector for LHC?
It is covered by the outbound SSL from the cloud connector.
Citrix Support pointed us to their “very helpful” doc to answer the question why Session Printers don’t work!
https://support.citrix.com/article/CTX220345
Brill, will get it added to the blog as a reference.
David, which is the IP that should be used for the BYO NetScaler? Is it the SNIP?