Firewall ports needed for Citrix Presentation Server

klpconsulting
I've got a client that has a Win 2k3 Citrix Presentation Server that sits behind a firewall. Yesterday the firewall went down and one of the users reset the firewall to the defaults, losing the custom port configurations. There wasn't any documentation on the ports used. The remote users access a Citrix Web Interface on an IP with a custom port and then log in using AD credentials. I can get the Web Interface to show the login page and I can log in using the appropriate credentials, but when I go to run an app I get a "connection in progress" box which times out with an error "cannot connect to the citrix xenapp server. there is no citrix xenapp server configured on the specified address". I've got the following ports open at this time:

tcp 1494 client virtual desktop
tcp 2598 client actual desktop
tcp 27000 citrix licensing
tcp 2512-2513 ima
tcp 9090  custom xml
tcp 8081 custom web interface port

This was a working environment from outside, which actually was set up by a Citrix engineer, and it works internally across their network now. I'm just missing a port somewhere that needs opening to make it work from the web again. I don't have any UDP ports open and maybe I need some? Can someone identify what I'm missing to make this right?
Steven Sheeley, Consulting SW Engineer - Lync/Skype4Business

Commented:
The XenServer Host talks to the client via TCP over ports 6936 (a two-way connection for commands and
responses), 22 (for the Text Console communications with XenVMs), and 5900 (for graphical vnc connections
with XenVMs). Make sure that your firewall allows traffic from these ports.
Commented:
This is XenApp, not XenServer so none of that will help :)
You should only need these using the WI
Application requests - TCP XML 80, 8080 or 443 (configurable)
Access to Applications Virtualized on the Server - ICA-TCP 1494, 2598 (Session Reliability)
 

Author

Commented:
I went back and made some additional port changes and now these are the ports I have open towards the Citrix server from the firewall. I still get the same error and timeout.

tcp 1494 client virtual desktop
tcp 2598 client actual desktop
tcp 27000 citrix licensing
tcp 2512-2513 ima
tcp 9090  custom xml
tcp 8081 custom web interface port
tcp 8080 application requests
tcp 80 http
tcp 443 https
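
A least-privilege check of the rule list posted above against the ports the earlier reply says are needed with the Web Interface, as an added example that is not part of the original thread. It assumes the asker's custom ports stand in for the defaults (XML on 9090, Web Interface on 8081); the `NEEDED` set and the function names are constructed for illustration.

```python
import re

# Open ports exactly as posted in the follow-up above.
OPEN_RULES = """\
tcp 1494 client virtual desktop
tcp 2598 client actual desktop
tcp 27000 citrix licensing
tcp 2512-2513 ima
tcp 9090  custom xml
tcp 8081 custom web interface port
tcp 8080 application requests
tcp 80 http
tcp 443 https
"""

# Assumption: the needed set is the reply's list (XML plus ICA 1494/2598),
# with the asker's custom XML port 9090 and custom Web Interface port 8081.
NEEDED = {("tcp", 1494), ("tcp", 2598), ("tcp", 9090), ("tcp", 8081)}

RULE = re.compile(r"^(tcp|udp)\s+(\d+)(?:-(\d+))?\s*(.*)$", re.I)

def parse_rules(text):
    """Return {(proto, port): label}, expanding ranges such as 2512-2513."""
    rules = {}
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # skip blanks and lines not in 'proto port label' form
        proto, lo, hi, label = m.group(1).lower(), int(m.group(2)), m.group(3), m.group(4)
        for port in range(lo, int(hi or lo) + 1):
            rules[(proto, port)] = label
    return rules

def audit(text, needed=NEEDED):
    """Compare open rules with the needed set; return (missing, extra)."""
    rules = parse_rules(text)
    missing = sorted(needed - set(rules))
    extra = sorted((key, label) for key, label in rules.items() if key not in needed)
    return missing, extra

if __name__ == "__main__":
    missing, extra = audit(OPEN_RULES)
    print("needed but not open:", missing or "none")
    for (proto, port), label in extra:
        print(f"open but not in the needed list: {proto} {port} ({label})")
```

Nothing in the needed set is missing from the posted list, while the licensing, IMA and default HTTP/XML ports are open without appearing in the reply's list.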
Top Expert 2010

Commented:
Here is the list of ports used by Citrix:

http://support.citrix.com/article/CTX101810
Lee Osborne, Senior Infrastructure Engineer
Commented:
Are you using Citrix Secure Gateway alongside your Web Interface? If so -

Internet to DMZ (CSG Server): Allow TCP Port 443

DMZ (CSG Server) to LAN (STA & XML Service): Allow TCP Port 80, (or Farm XML Service Port) or TCP Port 443 if securing STA Traffic via SSL

DMZ (CSG Server) to LAN (Citrix XenApp Servers):  Allow TCP Port 1494 (without Session Reliability), or TCP Port 2598 (with Session Reliability)

http://www.leeosborne.co.uk/wp/citrix-secure-gateway-3-2-firewall-ports/

Lee

Author

Commented:
basraj,

There are 8 documents from this link and I've been through the administrator's guide. Can you be a little more clear?

Lee,
It appears that I have those ports open that you have listed. No, I'm not using CSG server. Thanks.

Lee Osborne, Senior Infrastructure Engineer

Commented:
Have you configured your firewall's NAT to translate the external IP that the users access on the Web Interface, to the internal private address of your Citrix server?

Lee

Author

Commented:
Yes I have. I'm getting apps to show up after I log in using AD credentials from the web login page, so I don't think I'm missing anything in the NAT setup or I wouldn't be seeing what I am now. Thanks.
