This article describes the AWS Security Group inbound port rules required for MCS (Machine Creation Service) provisioning and general connectivity. Defining this list helps ensure a more locked-down configuration while still meeting the requirements for MCS provisioning and general connectivity.
Requirements
An AWS Administrator who can modify the Security Groups and edit or define the Inbound Rules.
Background
Admins often want to lock down an environment to the exact port requirements instead of leaving All Ports and All Protocols wide open. However, during the MCS Provisioning process and for general connectivity a certain list of ports and protocols must be open. Admins can set these rules on the “default” Security Group or on custom Security Groups.
Typically the resources assigned to the Default or custom Security Group whose Inbound port rules you plan to lock down are the AD DC, DDC, Cloud Connectors and VDAs. This Security Group should be treated as an internal vLAN configuration, so it is not recommended to place systems that need an AWS Elastic IP for external access in it.
The information below is a set of guidelines for AWS Security Groups. Admins who leave the Default VPC and Default VPC security group in place can use that default group to lock down all Inbound port rules. However, some Admins choose to delete or remove the Default VPC, or not to use the default VPC security group, and create custom security groups instead.
Here is an example of a Custom Security Group that also has the locked-down Inbound port rules required for Citrix use; the ports are covered in more detail further below.
AWS Security Groups
During the MCS Catalog provisioning process you should see the following Security Groups within the same VPC available for selection.
Once MCS Catalog provisioning has started, the Preparation (Prep) instance also creates a new Security Group.
Upon completion of the MCS Catalog you can delete the above Citrix.XenDesktop.IsolationGroup Security Group; however, removing it is not recommended, as it can still be re-used by MCS operations and the cost of keeping it should not be significant.
Also note that you do not select this group in the MCS Catalog wizard in any way; only select the original security group shown above.
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
The information below can be used as guidelines to help lock down the AWS Security Group Inbound port rules.
Note that the Outbound port rules in all of the examples below are fully open on All Ports and All Protocols. IPv6 configurations are not covered in this KB.
· The ports list below, and what each port is defined as, for general information.
Example of the minimum set of Inbound AWS port rules required, assuming the Admin is not willing to open Inbound to 0.0.0.0/0 (All).
Here is an example of the Inbound port rules defined at the minimum level needed for both MCS Catalog creation (Provisioning) and general connectivity.
Note: ICMP (Ping) and the RDP\RDC port and protocol are included here for troubleshooting and are not actual Citrix requirements.
TCP port 8008 is used for HTML5 connections and is also not required unless needed.
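A practical way to confirm that a Security Group really is locked down to the minimum inbound rules described above is to audit the output of `aws ec2 describe-security-groups` against an explicit allow-list. The script below is an added example and is not part of this KB or of any Citrix or AWS tooling. It assumes a constructed sample in the shape of that command's JSON output, hypothetical group IDs, a constructed VPC CIDR of 10.0.0.0/16 standing in for the internal vLAN, and an allow-list limited to the ports named on this page (ICMP, RDP on TCP 3389 and TCP 8008); the full Citrix port table would be filled in where the `ALLOWED` policy is defined.

```python
"""Audit AWS Security Group inbound rules against a locked-down policy.

Consumes the JSON shape returned by `aws ec2 describe-security-groups`
and reports inbound (IpPermissions) rules that are wider than the policy:
rules open to 0.0.0.0/0, sources outside the internal VPC range, "all
traffic" rules, and ports the policy does not list.
"""
from ipaddress import ip_network

# Policy (constructed for this example): allowed inbound protocols/ports.
# Only the ports named in the article are listed; the full Citrix port
# table belongs here in a real deployment.
ALLOWED = {
    "icmp": None,          # any ICMP type, kept for troubleshooting only
    "tcp": {3389, 8008},   # RDP for troubleshooting, 8008 for HTML5 sessions
}
INTERNAL_CIDR = "10.0.0.0/16"   # constructed VPC CIDR treated as the internal vLAN

# Constructed sample in the shape of describe-security-groups output.
# Group IDs are hypothetical and do not come from a real account.
SAMPLE = {
    "SecurityGroups": [
        {"GroupId": "sg-0000wideopen", "GroupName": "default",
         "IpPermissions": [
             {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
              "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
        {"GroupId": "sg-0000locked", "GroupName": "Citrix-Internal-Locked",
         "IpPermissions": [
             {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
              "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
             {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
              "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
             {"IpProtocol": "tcp", "FromPort": 8008, "ToPort": 8008,
              "UserIdGroupPairs": [{"GroupId": "sg-0000locked"}]}]},
        {"GroupId": "sg-0000loose", "GroupName": "Citrix-Internal-Loose",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
             {"IpProtocol": "tcp", "FromPort": 8008, "ToPort": 8010,
              "IpRanges": [{"CidrIp": "10.0.5.0/24"}]}]},
    ]
}


def rule_sources(perm):
    """Collect every source of one IpPermissions entry: CIDRs and group IDs."""
    srcs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    srcs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    srcs += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    return srcs


def source_findings(src, internal):
    """Flag sources wider than the internal VPC range."""
    if src.startswith("sg-"):
        return []  # another security group in the VPC is an acceptable source
    if ":" in src:
        return [f"IPv6 source {src} present; policy defines no IPv6 rules"]
    net = ip_network(src, strict=False)
    if net.prefixlen == 0:
        return [f"source {src} is open to the world"]
    if not net.subnet_of(internal):
        return [f"source {src} lies outside {internal}"]
    return []


def port_findings(perm, allowed):
    """Flag protocols/ports of one entry that the policy does not allow."""
    proto = perm["IpProtocol"]
    if proto == "-1":
        return ["all protocols and all ports allowed"]
    if proto == "icmp":
        return [] if "icmp" in allowed else ["icmp not in policy"]
    ok = allowed.get(proto, set())
    lo, hi = perm["FromPort"], perm["ToPort"]
    return [f"{proto}/{p} not in policy" for p in range(lo, hi + 1) if p not in ok]


def audit_group(group, allowed=ALLOWED, internal_cidr=INTERNAL_CIDR):
    """Return a list of findings for one security group; empty means compliant."""
    internal = ip_network(internal_cidr)
    findings = []
    for perm in group.get("IpPermissions", []):
        findings.extend(port_findings(perm, allowed))
        for src in rule_sources(perm):
            findings.extend(source_findings(src, internal))
    return findings


def audit(doc, allowed=ALLOWED, internal_cidr=INTERNAL_CIDR):
    """Audit every group in a describe-security-groups document."""
    return {g["GroupId"]: audit_group(g, allowed, internal_cidr)
            for g in doc["SecurityGroups"]}


if __name__ == "__main__":
    for gid, findings in audit(SAMPLE).items():
        print(gid, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run against real output by loading the JSON from `aws ec2 describe-security-groups` in place of `SAMPLE`; a group that returns no findings matches the minimum inbound policy, while the "default"-style all-traffic rule and the RDP rule open to 0.0.0.0/0 are reported as they are here.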