Citrix Access Gateway and VDI-in-a-Box – Firewall Exceptions

Communication between end-points and the CAG

All traffic between end-points (users) and the CAG is tunneled securely over SSL. This applies throughout the entire process from user authentication to desktop delivery.

• TCP Port 80 (used for redirection to 443)

• TCP Port 443

Communication between the CAG and the ViaB virtual appliance

User authentication and desktop template selection is completed here. An ICA file is then generated on the ViaB appliance and sent back to the end-point (user).

• TCP Port 80 (used for redirection to 443)

• TCP Port 443

Communication between the CAG and the Windows virtual desktops

Once an end-point (user) receives the ICA file, the Citrix Receiver on end-point device will connect through the CAG, which in turn communicates with the Windows virtual desktop running on the hypervisor. The ViaB appliance is no longer used for the user session.

• TCP Port 1494 (ICA protocol)

• TCP Port 2598 (Sessions Reliability protocol)

• TCP Port 3389 (RDP protocol)

Each ViaB appliance acts as a Connection Broker. In multi-server ViaB grids, the server hosting the virtual desktop might not be the same server that is used as a Connection Broker. Certain firewall configurations may prevent this from functioning properly because the connection is returning to/from a different IP address.

This document applies to:

Link to the original post on Citrix Knowledgebase.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.