knfitz
What ports do I need to open for XenApp
What ports do I need to open on my external firewall for XenApp to work from the outside?
If you're using Web Interface to access applications from outside, then you need to open 80. For HTTPS, you need to open 443. From external to internal network (Citrix Web Interface to Citrix servers) make sure ports like 1494, 2598 are open.
TCP 80, 443, 1494, 2598
UDP 1604
If you are using direct connection (that is only web interface with no Citrix Secure Gateway or Citrix Access Gateway) then you need to open TCP ports 80, 1494 and 2598 on the firewall sitting between the client and the environment.
If you are using secure methods through Citrix Secure Gateway or Citrix Access Gateway then you will only need to open TCP port 443 on the firewall sitting between the client and the gateway. And if there is an internal firewall between the secure gateway/access gateway and the XenApp subnet then you need to open TCP ports 1494 and 2598 on that firewall.
P.S.: UDP port 1604 is not used any more by Citrix.
... add port 80 for xml/sta between gateway and XenApp ;-)
If the Web Interface sits in the DMZ with the CAG or CSG between the firewalls then of course port 80 also needs to be opened on the internal firewall (alongside ports 1494 and 2598).
But, if the Web Interface server sits behind the internal firewall within the XenApp subnet then you need not open port 80 on the internal firewall - only ports 1494 and 2598 would be needed.
I think STA also uses port 80?
and the CSG/CAG has to access the STA.
@kniftz,
You don't need to open all these ports on the external firewall, as this is not recommended security-wise. You should open the fewest ports required to do your job. Obviously if you open all the ports you get things working; however, using the other suggestions guiding you to the correct (least) ports to be opened, you also get things working and you are more secure.
Moreover, UDP 1604 is no longer used by Citrix XenApp products. Citrix has dropped using this port.
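The topologies described in the answers above, turned into a small least-privilege audit of an allow-list (an added example, not part of the original thread). The rule-text format and all function names are hypothetical; the port sets are the ones the posters give, and `sta_on_80` makes explicit the point the thread leaves open about the gateway reaching XML/STA on port 80.

```python
# Added example. Port sets come from the answers above; the rule text format
# ("<firewall> <action> <proto> <port>") is constructed for this demo.

def required_ports(gateway, wi_in_dmz=False, sta_on_80=False):
    """Return the minimum allow-list as a set of (firewall, proto, port)."""
    if not gateway:
        # Direct connection: Web Interface only, no CSG/CAG in front.
        return {("external", "tcp", p) for p in (80, 1494, 2598)}
    want = {("external", "tcp", 443)}                       # client -> gateway
    want |= {("internal", "tcp", p) for p in (1494, 2598)}  # gateway -> XenApp
    if wi_in_dmz or sta_on_80:
        # Web Interface in the DMZ, or gateway reaching XML/STA on port 80.
        want.add(("internal", "tcp", 80))
    return want

def parse_rules(text):
    """Parse allow rules; '#' starts a comment, non-allow actions are ignored."""
    rules = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        firewall, action, proto, port = line.split()
        if action.lower() == "allow":
            rules.add((firewall.lower(), proto.lower(), int(port)))
    return rules

def audit(text, **topology):
    """Return (excess, missing): rules to remove and rules still needed."""
    have, want = parse_rules(text), required_ports(**topology)
    return sorted(have - want), sorted(want - have)

# Constructed sample: an "open everything mentioned" configuration.
SAMPLE_RULES = """
external allow tcp 80
external allow tcp 443
external allow tcp 1494
external allow tcp 2598
external allow udp 1604   # no longer used by XenApp per the thread
internal allow tcp 1494
internal allow tcp 2598
"""

if __name__ == "__main__":
    excess, missing = audit(SAMPLE_RULES, gateway=True)
    print("remove:", excess)
    print("add:   ", missing)
```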