The following lab, built for Citrix XenDesktop 7.9, illustrates the firewall port requirements.
- All Virtual Machines (VMs) are running on a Single VMware vSphere 6 Host
- pfSense firewall with the following segments / interfaces configured:
  - WAN (10.1.1.x/24) – Internet access
  - LAN (192.168.1.x/24) – Active Directory Domain Controller & users' workstations
  - DMZ (172.16.1.x/24) – NetScaler VPX for external users
  - Server Workload (172.20.18.x/24) – Citrix XenDesktop management servers
  - User Workload (172.20.17.x/24) – Citrix XenApp server + Citrix PVS server
A. Firewall Ports for Servers to Join the AD Domain
The following firewall ports need to be opened from the Citrix segments to the LAN segment where the AD domain controllers are located.
| Source | Destination | Protocols | Ports | Remarks |
|---|---|---|---|---|
| Citrix Segments (172.20.18.x/24, 172.20.17.x/24) | AD Domain Controllers (192.168.1.x/24) | TCP+UDP | 389 | LDAP |
| | | TCP | 3268 | LDAP GC |
| | | TCP+UDP | 88 | Kerberos |
| | | TCP+UDP | 53 | DNS |
| | | TCP+UDP | 445 | SMB, CIFS |
| | | TCP | 135 | RPC, EPM |
| | | TCP | 5722 | RPC, DFSR (SYSVOL) |
| | | UDP | 123 | Windows Time |
| | | TCP+UDP | 464 | Kerberos Change / Set Password |
| | | UDP | 138 | DFSN, NetLogon, NetBIOS Datagram Service |
| | | UDP | 137 | NetLogon, NetBIOS Name Resolution |
| | | TCP | 139 | DFSN, NetBIOS Session Service, NetLogon |
| | | TCP+UDP | 49152-65535 | User and Computer Authentication, Group Policy |
| | | TCP | 636 | LDAP SSL |
| | | TCP | 3269 | LDAP GC SSL |
| | | TCP | 25 | SMTP |
Without the high ports (49152 to 65535) open, a server can still join the AD domain and log in successfully (it takes a few minutes to complete). However, the server initiates a lot of traffic to high ports on the Windows 2012 R2 domain controller, and that traffic is dropped by the firewall.
Group Policy will NOT be applied if the high ports are not opened.
To successfully apply Group Policy, servers must be able to contact a domain controller over the Kerberos, LDAP, SMB, and RPC protocols.
Only one-way traffic from the Citrix segments to the LAN segment needs to be allowed: a stateful firewall permits return traffic that matches a known active connection.
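As an added example (not part of the original lab write-up), the following Python probe checks the TCP rows of the table above from a server in a Citrix segment against a domain controller, so a blocked rule shows up before the Group Policy symptom does; the default address 192.168.1.10 is a placeholder for a DC in the LAN segment.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# TCP rows from the port table above. UDP-only rows (137, 138, 123) are
# omitted because a plain connect() cannot tell an open UDP port from a
# silently dropped one; test those with a DNS/NTP/Kerberos client instead.
REQUIRED_TCP_PORTS = [
    (389, "LDAP"), (3268, "LDAP GC"), (88, "Kerberos"), (53, "DNS"),
    (445, "SMB, CIFS"), (135, "RPC, EPM"), (5722, "RPC, DFSR (SYSVOL)"),
    (464, "Kerberos Change / Set Password"), (139, "NetBIOS Session Service"),
    (636, "LDAP SSL"), (3269, "LDAP GC SSL"), (25, "SMTP"),
]


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout.
    A firewall drop shows up as a timeout; a closed port as a refusal."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host, ports=REQUIRED_TCP_PORTS, timeout=2.0):
    """Probe every (port, remark) pair in parallel; return {port: reachable}."""
    with ThreadPoolExecutor(max_workers=8) as pool:
        flags = list(pool.map(lambda p: tcp_port_open(host, p[0], timeout), ports))
    return {port: ok for (port, _), ok in zip(ports, flags)}


def blocked_ports(results, ports=REQUIRED_TCP_PORTS):
    """Return [(port, remark)] for the rows the probe could not reach."""
    return [(port, remark) for port, remark in ports if not results.get(port)]


if __name__ == "__main__":
    # Placeholder DC address in the lab's LAN segment; pass the real one as argv[1].
    dc = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.10"
    missing = blocked_ports(check_ports(dc))
    for port, remark in missing:
        print(f"BLOCKED tcp/{port} ({remark})")
    print("all required TCP ports reachable" if not missing else f"{len(missing)} blocked")
```

The dynamic RPC range (49152-65535) cannot be probed this way because the DC picks the port per connection after the endpoint mapper on tcp/135 answers; a Group Policy refresh on the joined server is the practical test for that row.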
Results
1. All servers joined the AD domain (Citrix-Lab.com) successfully.