Jump to content


network ports used by agee and xenapp while integrate agee and xenapp together?

Started by Jason Lu , 28 June 2010 - 02:58 PM
4 replies to this topic

Jason Lu Members

Jason Lu
  • 112 posts

Posted 28 June 2010 - 02:58 PM

There was an firewall between agee ,which located in DMZ, and xenapp server,which located in trust zone at the other side of the firewall.
So I need to open all needed port used by agee and xenapp(including web interface),could anyone tell me the ports and according purpose?

Alex Crawford Members

Alex Crawford
  • 113 posts

Posted 29 June 2010 - 09:08 AM

Opening Ports through the Firewalls (Single-Hop DMZ)

If your organization protects the internal network with a single demilitarized zone

(DMZ) and you deploy the Access Gateway in the DMZ, open the ports listed

below through the firewalls. If you are installing two Access Gateway appliances

in a double-hop DMZ deployment, see "Double-Hop DMZ Deployment with

Citrix XenApp" on page 11.

On the Firewall between the Unsecured Network

and the DMZ

35. Open a TCP/SSL port (default 443) on the firewall

between the Internet and the Access Gateway. Client

devices connect to the Access Gateway on this port.

On the Firewall between the DMZ and the

Secured Network

Open the appropriate port(s) on the firewall between

the DMZ and the secured network. The Access

Gateway connects to the authentication server(s) or to

computers running Citrix XenApp or Citrix

XenDesktop in the secured network on these ports.

Authentication Ports

The default authentication and authorization ports are

listed below. Open only the port appropriate for your

Access Gateway configuration.

For LDAP connections, the default is TCP port 389.

For a RADIUS connection, the default is UDP port


Citrix XenApp or Citrix XenDesktop Ports

If you are using the Access Gateway with Citrix

XenApp or Citrix XenDesktop, open TCP port 1494. If

session reliability is enabled, open TCP port 2598

instead of 1494.

Citrix recommends keeping both of these ports open.

Web Interface

Port 80 and or 443

Jason Lu Members

Jason Lu
  • 112 posts

Posted 29 June 2010 - 02:45 PM

I think the ports you listed is correct. Does web interface need to communicate with ag(or netscaler)?
I can see during web site configuration,the ag need to communicate with authentication service on ag.

Jiayuan Li Citrix Employees

Jiayuan Li
  • 19 posts

Posted 30 June 2010 - 10:02 AM

If you need to use single sign on feature, web interface needs to talk to the authentication service(which usually is your virtual server) on port 443 to pull credentials.

So from web interface to AGEE virtual server, you need to open port 443 as well.


  • 37 posts

Posted 23 July 2010 - 06:39 PM

Here's a great article on the ports required by Citrix Xenapp and interacting with many of the various supporting products like CAGEE etc...