Citrix Cloud Connector – Firewall Considerations (including BYO Storefront & Netscaler)

After being involved in a number of Citrix Cloud deployments, a question has continuously popped up around the firewall requirements for the Cloud Connector.

Reviewing the “Communication Ports Used by Citrix Technologies” document for Citrix Cloud / Cloud Connector, the following section is listed for Citrix Cloud.

[Image: cc-fire-1]

The TCP 443 (HTTP) outbound requirement is well known and published. TCP ports 9350-9354 refer to the Azure Service Bus, which by default uses 443 but may fall back to the 935x ports. 14/03/2017 – Clarified that these ports are not required and the Citrix documentation is to be updated.

[Image: cc-fire-2]

The lesser known part, and less readily available from support articles, is the communication required between the Cloud Connectors and the other components in the resource location.

With BYO (Bring Your Own) NetScaler and StoreFront, the following firewall rules will be required:

Source           | Destination              | Port / Protocol   | Service
Cloud Connector  | Internet                 | TCP 443           |
Cloud Connector  | Active Directory Servers | UDP 123           | W32Time
                 |                          | TCP 135           | RPC EndpointMapper
                 |                          | TCP/UDP 464       | Kerberos password change
                 |                          | TCP 49152-65535   | RPC for LSA, SAM, Netlogon (*)
                 |                          | TCP/UDP 389       | LDAP
                 |                          | TCP 636           | LDAP SSL
                 |                          | TCP 3268          | LDAP GC
                 |                          | TCP 3269          | LDAP GC SSL
                 |                          | TCP/UDP 53        | DNS
                 |                          | TCP 49152-65535   | FRS RPC (*)
                 |                          | TCP/UDP 88        | Kerberos
                 |                          | TCP/UDP 445       | SMB
StoreFront (BYO) | Cloud Connector          | TCP 80/443        | Encrypt with certificates
NetScaler (BYO)  | Cloud Connector          | TCP 80/443        | Encrypt with certificates
VDA              | Cloud Connector          | TCP 80            | Traffic encrypted using Kerberos
Cloud Connector  | VDA                      | TCP 80            | Traffic encrypted using Kerberos

[Image: cc-fire-3]

If using the cloud-hosted NetScaler service / StoreFront, the following firewall rules will be required:

Source          | Destination              | Port / Protocol   | Service
Cloud Connector | Internet                 | TCP 443           |
Cloud Connector | Active Directory Servers | UDP 123           | W32Time
                |                          | TCP 135           | RPC EndpointMapper
                |                          | TCP/UDP 464       | Kerberos password change
                |                          | TCP 49152-65535   | RPC for LSA, SAM, Netlogon (*)
                |                          | TCP/UDP 389       | LDAP
                |                          | TCP 636           | LDAP SSL
                |                          | TCP 3268          | LDAP GC
                |                          | TCP 3269          | LDAP GC SSL
                |                          | TCP/UDP 53        | DNS
                |                          | TCP 49152-65535   | FRS RPC (*)
                |                          | TCP/UDP 88        | Kerberos
                |                          | TCP/UDP 445       | SMB
VDA             | Cloud Connector          | TCP 80            | Traffic encrypted using Kerberos
Cloud Connector | VDA                      | TCP 80            | Traffic encrypted using Kerberos
                |                          | TCP/UDP 1494      |
                |                          | TCP/UDP 2598      |
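As an added example (not part of the original post), the following PowerShell script can be run on a Cloud Connector to confirm that the TCP ports in the tables above are actually reachable before the first site registration. The domain controller names and the Citrix Cloud endpoint are placeholders you must replace; Test-NetConnection cannot probe UDP, so those rows are flagged for a manual check, and the dynamic RPC range is validated only indirectly through the endpoint mapper on 135.

```powershell
# Added example, not from the original post. Run on the Cloud Connector.
# Placeholder names: replace with your own domain controllers and endpoint.
$DomainControllers   = @('dc01.example.local', 'dc02.example.local')
$CitrixCloudEndpoint = 'citrix.cloud.com'   # assumption; use Citrix's published endpoint list

# Ports taken from the Cloud Connector -> Active Directory table above.
$AdTcpPorts = @(135, 464, 389, 636, 3268, 3269, 53, 88, 445)
$AdUdpPorts = @(123, 464, 389, 53, 88)

function Test-TcpPort {
    param([string]$Target, [int]$Port)
    # Quiet mode returns $true/$false rather than a full result object.
    Test-NetConnection -ComputerName $Target -Port $Port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
}

$results = @()

# Outbound TCP 443 to the internet (Citrix Cloud control plane).
$results += [pscustomobject]@{
    Destination = $CitrixCloudEndpoint; Protocol = 'TCP'; Port = 443
    Reachable   = Test-TcpPort -Target $CitrixCloudEndpoint -Port 443
}

# Cloud Connector -> each domain controller.
foreach ($dc in $DomainControllers) {
    foreach ($p in $AdTcpPorts) {
        $results += [pscustomobject]@{
            Destination = $dc; Protocol = 'TCP'; Port = $p
            Reachable   = Test-TcpPort -Target $dc -Port $p
        }
    }
    foreach ($p in $AdUdpPorts) {
        # UDP cannot be probed with Test-NetConnection; verify on the firewall.
        $results += [pscustomobject]@{
            Destination = $dc; Protocol = 'UDP'; Port = $p; Reachable = 'manual'
        }
    }
}

# Inbound side: StoreFront/NetScaler/VDA reach the connector on TCP 80/443,
# so confirm the connector is actually listening locally on those ports.
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 80, 443 } |
    Select-Object -ExpandProperty LocalPort -Unique

$results | Sort-Object Destination, Protocol, Port | Format-Table -AutoSize
"Connector listening locally on TCP: $($listening -join ', ')"
```

Any row reported as False should be matched against the firewall change request before proceeding; a missing 135 or 389 is the most common reason a connector fails to register with the domain.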

[Image: cc-fire-4]

The AD ports have been taken from the “Inbound and outbound ports configuration” section on page 26 of the following Citrix Cloud overview document:

https://docs.citrix.com/content/dam/pdfs/content/docs/en-us/citrix-cloud/download.pdf

Hope this helps.

2 comments

    • They use the cloud connector to bridge the HDX connection to the VDAs. The existing outgoing 443 connection from the resource location is kept alive, and this already established connection is utilised to access the VDAs, which the cloud connector proxies.

      The cloud connector needs to take this proxied connection into account when sizing it properly.
