Citrix 3 6 XenDesktop communication ports
This module gives an overview of the ports used by the Citrix components and that must be taken into account when designing a virtual infrastructure. As soon as communication traffic crosses network elements such as firewalls or reverse proxies, the right ports must be opened to keep the data flow alive. The exact ports depend on whether the user is internal or external, and on whether you have configured TLS.
Main XenDesktop ports
- User to StoreFront: TCP 80 or 443 depending on TLS.
- NetScaler to StoreFront: TCP 80 or 443 depending on configuration and the security level you want between your DMZ and your internal environment.
- StoreFront to Delivery Controller: TCP 80 or 443; secured by 443 if you installed an SSL certificate on the Delivery Controller.
- Active Directory authentication: TCP/UDP 389 for LDAP and 636 for LDAPS.
- SQL database: TCP 1433 and UDP 1434 for the SQL Server browser service.
- Director and Studio to Delivery Controller: TCP 80.
- License Server: TCP 27000 and 7279.
- Delivery Controller to VDA: TCP 80 for resource registration.
- Direct ICA/HDX session: once StoreFront or NetScaler has brokered the session, the connection goes straight to the VDA on TCP 1494 and 2598.
Knowing these ports is essential when you place Citrix in segments separated by firewalls; without the right rules, your users will fail to authenticate or to launch sessions. See you in the next video.
Summary
This lesson provides an overview of the critical communication ports used in Citrix XenDesktop environments and their role in network architecture design. It covers ports required for communication between users, NetScaler proxies, Storefront, Citrix delivery controllers, Active Directory, and SQL databases. The lesson emphasizes that port selection depends on security configuration, particularly whether SSL certificates are implemented, and that proper firewall and proxy configuration is essential for both internal and external user access.
Key points
- User-to-server communication uses ports 80 or 443, depending on whether SSL encryption is configured on the delivery controller
- Active Directory (LDAP) authentication uses port 389, with secure LDAPS available on port 636
- SQL Server database communication requires ports 1433 and 1434 for Citrix environment connectivity
- Direct user-to-resource connections use ports 1494 and 2068-2098 when bypassing the delivery controller
- NetScaler and Storefront communicate with delivery controllers on ports 80 or 443 based on security requirements
- Firewall and proxy rules must be configured to allow communication across all component ports for both internal and external access
FAQ
What are the main communication ports in Citrix XenDesktop?
The primary ports are 80 and 443 for user-to-server and controller communication (with 443 for SSL-encrypted channels), 1494 and 2068-2098 for direct user-to-resource connections, 389 for Active Directory/LDAP authentication, and 1433-1434 for SQL Server database access.
Why does port selection depend on configuration?
The choice between ports 80 and 443 depends on whether an SSL certificate is installed on the Citrix delivery controller. If SSL is configured to secure the communication channel, port 443 should be used instead of port 80 for encrypted traffic.
How do firewall and proxy rules impact Citrix communication?
Firewalls and proxies must have appropriate rules to allow communication on all required ports between components. This is particularly important for external users accessing through NetScaler proxies, where ports 80 or 443 must be open to ensure proper communication flow across the infrastructure.