Citrix – Requirements of Firewall Ports

Please refer to the following lab, prepared with Citrix XenDesktop 7.9, to understand the firewall port requirements in more detail.

CTX-FW-01

  1. All Virtual Machines (VMs) are running on a Single VMware vSphere 6 Host
  2. pfSense Firewall with the following segments / interfaces configured
    • WAN (10.1.1.x/24) – Access to the Internet
    • LAN (192.168.1.x/24) – Active Directory Domain Controller & users’ workstations
    • DMZ (172.16.1.x/24) – NetScaler VPX for external users
    • Server Workload (172.20.18.x/24) – Citrix XenDesktop management servers
    • User Workload (172.20.17.x/24) – Citrix XenApp Server + Citrix PVS Server

A. Firewall Ports for Servers to Join the AD Domain

The following firewall ports need to be open from the Citrix segments to the LAN segment, where the AD Domain Controllers are located.

Source:      Citrix Segments (172.20.18.x/24 and 172.20.17.x/24)
Destination: AD Domain Controllers (192.168.1.x/24)

Protocol   Ports          Remarks
TCP+UDP    389            LDAP
TCP        3268           LDAP GC
TCP+UDP    88             Kerberos
TCP+UDP    53             DNS
TCP+UDP    445            SMB, CIFS
TCP        135            RPC, EPM
TCP        5722           RPC, DFSR (SYSVOL)
UDP        123            Windows Time
TCP+UDP    464            Kerberos Change / Set Password
UDP        138            DFSN, NetLogon, NetBIOS Datagram Service
UDP        137            NetLogon, NetBIOS Name Resolution
TCP        139            DFSN, NetBIOS Session Service, NetLogon
TCP+UDP    49152-65535    User and Computer Authentication, Group Policy
TCP        636            LDAP SSL
TCP        3269           LDAP GC SSL
TCP        25             SMTP

Without the high ports (49152 to 65535) open, the server can still join the AD domain and log in successfully, although it takes a few minutes to complete. However, the server initiates a lot of traffic to the Windows 2012 R2 domain controller on those high ports, and that traffic is dropped by the firewall.

Group Policy will NOT be applied if the high ports are not opened.

To apply Group Policy successfully, servers must be able to contact a domain controller over the Kerberos, LDAP, SMB and RPC protocols.

Only one-way rules, from the Citrix segment to the LAN segment, are required: a stateful firewall allows the return traffic of a known active connection to pass back through.
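The lab's finding that the domain join "works" while Group Policy silently fails is exactly the kind of gap a rule audit catches. The following script is an added example, not part of the original lab: it encodes the port table from section A as data and compares it, port by port, against a firewall's allowed rules, reporting any required protocol/port range that is not fully covered. The ALLOWED rule set is constructed to reproduce the lab's mistake (high ports closed, with a partial TCP allow added to show how partial coverage is reported); the probe_tcp helper is an assumed-name convenience for a live TCP check from a server in the Citrix segment.

```python
"""Audit a firewall rule set against the AD-join port list from this lab.

Added example (not from the original page). The required ports are copied
from section A above; the ALLOWED rule set below is a constructed sample
that reproduces the lab's mistake of leaving the high ports closed.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One allow rule: a protocol and an inclusive destination port range."""
    proto: str          # "TCP" or "UDP"
    lo: int
    hi: int
    note: str = ""

    def covers(self, proto: str, port: int) -> bool:
        return self.proto == proto and self.lo <= port <= self.hi


def expand(proto_spec: str, ports_spec: str, note: str) -> list:
    """Turn a table row such as ("TCP+UDP", "49152-65535", ...) into Rules,
    one per protocol."""
    lo, _, hi = ports_spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    return [Rule(p, lo, hi, note) for p in proto_spec.split("+")]


# Section A of the page, row by row (source: Citrix segments, destination: DCs).
REQUIRED_TABLE = [
    ("TCP+UDP", "389", "LDAP"),
    ("TCP", "3268", "LDAP GC"),
    ("TCP+UDP", "88", "Kerberos"),
    ("TCP+UDP", "53", "DNS"),
    ("TCP+UDP", "445", "SMB, CIFS"),
    ("TCP", "135", "RPC, EPM"),
    ("TCP", "5722", "RPC, DFSR (SYSVOL)"),
    ("UDP", "123", "Windows Time"),
    ("TCP+UDP", "464", "Kerberos Change / Set Password"),
    ("UDP", "138", "DFSN, NetLogon, NetBIOS Datagram Service"),
    ("UDP", "137", "NetLogon, NetBIOS Name Resolution"),
    ("TCP", "139", "DFSN, NetBIOS Session Service, NetLogon"),
    ("TCP+UDP", "49152-65535", "User and Computer Authentication, Group Policy"),
    ("TCP", "636", "LDAP SSL"),
    ("TCP", "3269", "LDAP GC SSL"),
    ("TCP", "25", "SMTP"),
]
REQUIRED = [r for row in REQUIRED_TABLE for r in expand(*row)]

# Constructed sample of what the lab firewall actually allowed: every row
# except the high-port range, plus a partial allow on TCP 49152-49999.
ALLOWED = [r for r in REQUIRED if r.lo != 49152] + [Rule("TCP", 49152, 49999, "partial")]


def to_ranges(ports: list) -> list:
    """Collapse a sorted list of ports into inclusive (lo, hi) ranges."""
    ranges = []
    for p in ports:
        if ranges and ranges[-1][1] == p - 1:
            ranges[-1][1] = p
        else:
            ranges.append([p, p])
    return [(lo, hi) for lo, hi in ranges]


def uncovered(required: list, allowed: list) -> list:
    """Return the parts of each required rule that no allowed rule covers.
    Coverage is checked port by port so overlapping or partial allow rules
    are handled correctly."""
    gaps = []
    for req in required:
        holes = [p for p in range(req.lo, req.hi + 1)
                 if not any(a.covers(req.proto, p) for a in allowed)]
        gaps.extend(Rule(req.proto, lo, hi, req.note) for lo, hi in to_ranges(holes))
    return gaps


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """Live check, run from a server in the Citrix segment: does a TCP
    handshake to the DC complete on this port?  Only meaningful for TCP
    rows; UDP ports (53, 88, 137, 138, ...) cannot be verified this way."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for gap in uncovered(REQUIRED, ALLOWED):
        print(f"MISSING {gap.proto} {gap.lo}-{gap.hi}  ({gap.note})")
```

Run against the constructed ALLOWED set, the audit reports TCP 50000-65535 and UDP 49152-65535 as missing, i.e. the Group Policy range the lab had to open. To audit a real pfSense rule set, populate ALLOWED from the rules on the Citrix interfaces whose destination is the LAN segment; the one-way direction is enough, since the stateful firewall passes the return traffic.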

Results
1. All servers joined the AD domain (Citrix-Lab.com) successfully
