XenMobile Port Requirements

Article ID: CTX227895

Description

The following tables list the ports that must be open on the firewall.

Open the following ports to allow user connections from Citrix Secure Hub, Citrix Receiver, and the NetScaler Gateway Plug-in through NetScaler Gateway to the following components:

  • XenMobile
  • StoreFront
  • XenDesktop
  • XenMobile NetScaler Connector
  • Other internal network resources, such as intranet websites

| TCP port | Description | Source | Destination |
|---|---|---|---|
| 21 or 22 | Used to send support bundles to an FTP or SCP server. | XenMobile | FTP or SCP server |
| 53 (TCP and UDP) | Used for DNS connections. | NetScaler Gateway; XenMobile | DNS server |
| 80 | NetScaler Gateway passes the VPN connection to the internal network resource through the second firewall. This situation typically occurs if users log on with the NetScaler Gateway Plug-in. | NetScaler Gateway | Intranet websites |
| 80 or 8080; 443 | XML and Secure Ticket Authority (STA) port used for enumeration, ticketing, and authentication. Citrix recommends using port 443. | StoreFront and Web Interface XML network traffic; NetScaler Gateway STA | XenDesktop or XenApp |
| 123 (TCP and UDP) | Used for Network Time Protocol (NTP) services. | NetScaler Gateway; XenMobile | NTP server |
| 389 | Used for insecure LDAP connections. | NetScaler Gateway; XenMobile | LDAP authentication server or Microsoft Active Directory |
| 443 | Used for connections to StoreFront from Citrix Receiver or Receiver for Web to XenApp and XenDesktop. | Internet | NetScaler Gateway |
| 443 | Used for connections to XenMobile for web, mobile, and SaaS app delivery. | Internet | NetScaler Gateway |
| 443 | Used for general device communication to XenMobile Server. | XenMobile | XenMobile |
| 443 | Used for connections from mobile devices to XenMobile for enrollment. | Internet | XenMobile |
| 443 | Used for connections from XenMobile to XenMobile NetScaler Connector. | XenMobile | XenMobile NetScaler Connector |
| 443 | Used for connections from XenMobile NetScaler Connector to XenMobile. | XenMobile NetScaler Connector | XenMobile |
| 443 | Used for Callback URL in deployments without certificate authentication. | XenMobile | NetScaler Gateway |
| 514 | Used for connections between XenMobile and a syslog server. | XenMobile | Syslog server |
| 636 | Used for secure LDAP connections. | NetScaler Gateway; XenMobile | LDAP authentication server or Active Directory |
| 1494 | Used for ICA connections to Windows-based applications in the internal network. Citrix recommends keeping this port open. | NetScaler Gateway | XenApp or XenDesktop |
| 1812 | Used for RADIUS connections. | NetScaler Gateway | RADIUS authentication server |
| 2598 | Used for connections to Windows-based applications in the internal network using session reliability. Citrix recommends keeping this port open. | NetScaler Gateway | XenApp or XenDesktop |
| 3268 | Used for Microsoft Global Catalog insecure LDAP connections. | NetScaler Gateway; XenMobile | LDAP authentication server or Active Directory |
| 3269 | Used for Microsoft Global Catalog secure LDAP connections. | NetScaler Gateway; XenMobile | LDAP authentication server or Active Directory |
| 9080 | Used for HTTP traffic between NetScaler and the XenMobile NetScaler Connector. | NetScaler | XenMobile NetScaler Connector |
| 9443 | Used for HTTPS traffic between NetScaler and the XenMobile NetScaler Connector. | NetScaler | XenMobile NetScaler Connector |
| 45000; 80 | Used for communication between two XenMobile VMs when deployed in a cluster. | XenMobile | XenMobile |
| 8443 | Used for enrollment, XenMobile Store, and mobile app management (MAM). | XenMobile; NetScaler Gateway; Devices; Internet | XenMobile |
| 4443 | Used for accessing the XenMobile console by an administrator through the browser. | Access point (browser) | XenMobile |
| 4443 | Used for downloading logs and support bundles for all XenMobile cluster nodes from one node. | XenMobile | XenMobile |
| 27000 | Default port used for accessing the external Citrix License Server. | XenMobile | Citrix License Server |
| 7279 | Default port used for checking Citrix licenses in and out. | XenMobile | Citrix Vendor Daemon |

Open XenMobile ports to manage devices

Open the following ports to allow XenMobile to communicate in your network.

| TCP port | Description | Source | Destination |
|---|---|---|---|
| 25 | Default SMTP port for the XenMobile notification service. If your SMTP server uses a different port, ensure that your firewall does not block that port. | XenMobile | SMTP server |
| 80 and 443 | Enterprise App Store connection to Apple iTunes App Store (ax.itunes.apple.com), Google Play (must use 80), or Windows Phone Store. Used for publishing apps from the app stores through Citrix Mobile Self-Serve on iOS, Secure Hub for Android, or Secure Hub for Windows Phone. | XenMobile | Apple iTunes App Store (ax.itunes.apple.com and *.mzstatic.com); Apple Volume Purchase Program (vpp.itunes.apple.com); For Windows Phone: login.live.com and *.notify.windows.com; Google Play (play.google.com) |
| 80 or 443 | Used for outbound connections between XenMobile and Nexmo SMS Notification Relay. | XenMobile | Nexmo SMS Relay Server |
| 389 | Used for insecure LDAP connections. | XenMobile | LDAP authentication server or Active Directory |
| 443 | Used for enrollment and agent setup for Android and Windows Mobile. | Internet | XenMobile |
| 443 | Used for enrollment and agent setup for Android and Windows devices, the XenMobile web console, and MDM Remote Support Client. | Internal LAN and WiFi | XenMobile |
| 1433 | Used by default for connections to a remote database server (optional). | XenMobile | SQL Server |
| 2195 | Used for Apple Push Notification service (APNs) outbound connections to gateway.push.apple.com for iOS device notifications and device policy push. | XenMobile | Internet (APNs hosts using the public IP address 17.0.0.0/8) |
| 2196 | Used for APNs outbound connections to feedback.push.apple.com for iOS device notification and device policy push. | XenMobile | Internet (APNs hosts using the public IP address 17.0.0.0/8) |
| 5223 | Used for APNs outbound connections from iOS devices on Wi-Fi networks to *.push.apple.com. | iOS devices on WiFi networks | Internet (APNs hosts using the public IP address 17.0.0.0/8) |
| 8081 | Used for app tunnels from the optional MDM Remote Support Client. Defaults to 8081. | Remote Support Client | Internet, for app tunnels to user devices (Android and Windows only) |
| 8443 | Used for enrollment of iOS and Windows Phone devices. | Internet; LAN and WiFi | XenMobile |
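An added example (not part of the Citrix article): a small Python audit that compares a firewall allow-list with flows transcribed from the tables above and reports required flows that are missing, allowed flows the tables do not list, and plaintext ports for which the page lists an encrypted counterpart. The shortened role name "LDAP server", the sample rule set, and the MUST_HAVE selection are constructed assumptions for illustration.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    port: int

# Subset of rows transcribed from the tables above ("LDAP server" is a shortened label).
DOCUMENTED = {
    Flow("Internet", "NetScaler Gateway", 443),
    Flow("Internet", "XenMobile", 443),
    Flow("Internet", "XenMobile", 8443),
    Flow("Access point (browser)", "XenMobile", 4443),
    Flow("XenMobile", "LDAP server", 389),
    Flow("XenMobile", "LDAP server", 636),
    Flow("NetScaler Gateway", "LDAP server", 3268),
    Flow("NetScaler Gateway", "LDAP server", 3269),
    Flow("NetScaler", "XenMobile NetScaler Connector", 9080),
    Flow("NetScaler", "XenMobile NetScaler Connector", 9443),
    Flow("XenMobile", "SQL Server", 1433),
}
# Plaintext ports for which the page lists an encrypted counterpart.
SECURE_ALTERNATIVE = {389: 636, 3268: 3269, 9080: 9443}

# Constructed sample allow-list, as exported from a hypothetical firewall.
SAMPLE_RULES = [
    Flow("Internet", "NetScaler Gateway", 443),
    Flow("Internet", "XenMobile", 8443),
    Flow("Internet", "XenMobile", 4443),  # admin console reachable from Internet
    Flow("XenMobile", "LDAP server", 389),
    Flow("XenMobile", "SQL Server", 1433),
]
# Assumption: the flows this particular deployment depends on.
MUST_HAVE = [r for r in DOCUMENTED if r.port in (443, 8443, 1433)]

def audit(allowed, must_have):
    """Classify allow rules: missing, undocumented, or plaintext with a secure option."""
    allowed = set(allowed)
    report = {"missing": sorted(set(must_have) - allowed),
              "undocumented": [], "plaintext": []}
    for rule in sorted(allowed):
        if rule not in DOCUMENTED:
            report["undocumented"].append(rule)
        elif rule.port in SECURE_ALTERNATIVE:
            report["plaintext"].append((rule, SECURE_ALTERNATIVE[rule.port]))
    return report

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_RULES, MUST_HAVE).items():
        print(kind, items)
```

An "undocumented" finding means the rule's source, destination, and port do not match any transcribed row, so it is either a gap in the transcription or exposure the article does not call for.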

Issue/Introduction

This article describes the ports that need to be open on the firewall to enable devices and apps to communicate with XenMobile.