* Application Performance Monitoring (powered by Citrix Edge Sight)

o Edge Sight Agent to Edge sight Server - TCP 80/443 (Payload and alerts)

o EdgeSight Web console (non-IMA) to RSCorSvc on EdgeSight Agent - TCP 9035

o Edge Sight Agent internal communication - TCP 9036 (client-side database) NOTE: After Edge Sight 4.5, replaced with IPC)

o Edge Sight database - SQL 1433 (configurable)

* Client-side Application Virtualization -

o Streaming Client to Application Hub (File Server/Share) - SMB 445

* Easy Call -

o To client - HTTP(S)-TCP 8443 (PSync)

o To Admin console (non-IMA) - TCP 443

o To LDAP Directory- TCP 389

o To PBX - port varies by vendor

* Independent Management Architecture (IMA) Services - TCP 2512, 2513

* Licensing Service - TCP 27000, 27009 (configurable)

* Server-side Application Virtualization

o Management Console (Using IMA) - TCP 2512, 2513

o Application requests - TCP XML 80, 8080 or 443 (configurable)

o Access to Applications Virtualized on the Server - ICA-TCP 1494, 2598 (Session Reliability)

* Single Sign-on (powered by Citrix Password Manager)

o Management Console (non-IMA) or Agent to Password Manager Service - TCP-443

o Management Console (non-IMA), Agent or Service to credential store

+ Network File Share Credential Store - TCP/UDP 445 (CIFS) or TCP/UDP 135-139 (NetBIOS)

+ Active Directory Credential Store - TCP/UDP - 389, 636, TCP - 3268, 3269

+ Novell File Share Credential Store - TCP/UDP - 524

* SmartAccess (powered by Citrix Access Gateway)

o Standard and Advanced Edition

+ Client connections- TCP-SSL 443 (configurable)

+ Advanced Access Control (AAC) to Appliance communication - TCP 80 or 443 (configurable), 9001, 9002, 9005

+ Management Console

# to Appliance (non-IMA) - 9001, 9002, 9005

# to AAC - IMA-TCP-2513

o Enterprise Edition

+ To client - SSL-TCP 443

+ To internal network - SSL-TCP 443, Native Authentication port (i.e. RADIUS 1812, LDAP 389), Native application ports (i.e. ICA-1494)

+ Management console (non-IMA) - SSH-TCP 22, HTTP(S)-TCP 80/443

* SmartAuditor -

o Management (non-IMA) - Use local console on Agent or on Server.

o Agent to Broker (Recording and Policy Check) - TCP 80/443 (configurable)

o Player to Broker - TCP 80/443 (configurable)

o Agent to Server (Metadata and Video)- Microsoft Message Queuing,

+ Default - TCP: 1801; RPC: 135, 2101*, 2103*, 2105*; UDP: 3527, 1801 (*These port numbers may be incremented by 11 if the initia choice of RPC port is being used when Message Queuing initializes. A connecting QM queries port 135 to discover the 2xxx ports.)

+ Over SSL- TCP 80,443

* WAN Optimizer -Guidance provided was to get it from Admin Guide

o Appliance to Appliance - Pass-through native application port (e.g. ICA-1494, HTTP-80, LDAP-389)

o Management Console (non-IMA) - TCP 80

o Client to Appliance - TCP 443

* Web Interface

o Client connections - TCP 80/443 (configurable)

o Server-to-server - TCP XML 80/8080, 443 (using SSL Relay)

o Management console (partially IMA) - DCOM 135 (+ configurable high port range), IMA-TCP 2513, TCP 80/443

Some Citrix Port Numbers

1494: This port is used by any client using the TCP protocol to communicate with the Presentation Server. You will need to open this port on your firewall for inbound connections unless you are using some form of encapsulation or encryption. You can change the port using the ICAPORT command but I find it to be more trouble than it is worth.

1604: Called the ICA Browser port this is a UDP port that can be used by the Program Neighbourhood to enumerate applications. You probably won t use this though.

80: This is the default port used by the XML service and is used by clients who enumerate applications with the TCP+HTTP or XML protocol. You will thus need to open this port on your firewall for inbound connections if clients will be using it to locate servers. You can change the port easily enough using the CTXXMLSS command.

443: This is the default SSL. The SSL Relay will use it to secure communications between the Web Interface and the server farm. You could also use it to secure client communication to the web Interface or use it for client connections to the Presentation Server.

5000: The Presentation Server uses this port to communicate with the IBM Db2 server hosting the data store.

1521: This port is used to communicate with the Oracle data store.

1433: The port used to communicate with a Microsoft SQL data store.

2512: This port is used for server to server communication such as when load information is communicated. The port used to access the data store is saved in the HKLMSOFTWARECITRIXIMAIMAPORT key on the server containing the data store. All other servers use the port number saved in HKLMSOFTWARECITRIXIMAPSSERVERPORT key in the registry to access the data store. Have a look at IMAPORT to see how to change it.

2513: This port is used by the Presentation Server Console when connection to a server. Have a look at IMAPORT to see how to change it.

2598: This is the session reliability port number and needs to be opened on your firewall if the ICA Clients will be using session reliability when communication with the server.

27000 and a random port number: This is the port used for communication between the Citrix License server and the Presentation Servers. Remember that the Citrix vendor daemon running on the license server uses a random port. It tracks license usage.