CAG Firewall Ports, in the Advanced Access Control / Citrix Access Gateway forum on BrianMadden.com


Top 500 Contributor
Points 700
Tenaka Khan Posted: Fri, Jul 3 2009 5:08 PM

Was hoping someone can confirm the ports that need to be opened on the Firewall between the CAGs and the Presentation servers.

It's a single DMZ and my question is what ports would need to be opened between the CAGs and the Presentation server (1 firewall in between).

My thought is just 443, but I would appreciate confirmation.

The reason that I am asking this question is that I am about to change the XML port for the farm to 8080 and I am trying to cover all bases. Your advice is appreciated.

Not Ranked
Points 25

It's strongly advised to only use one software firewall (Windows Firewall is considered to be a software firewall). More than one will make the firewalls conflict, not to mention consume more of your resources.

Top 50 Contributor
Points 7,090

Do you have AAC in your environment?

Generally, you will need 443 from the internet to the CAG (80 as well if you are configured to do redirection). From the CAG to your PS servers, you will need 1494 and XML (possibly 2598 if you are allowing session reliability) and you will need 80 to your Web Interface server.

If you have AAC, you will also need 9001 and 9005 bidirectional from the CAG to your AAC server.

Top 500 Contributor
Points 700

Thanks for the responses.

So basically I have a CAG then a Firewall and then the Presentation Servers.

I have used telnet from the Presentation server and can see that port 443 is open, when I use telnet for ports 1494, 2598, 80 or 8081 (current XML port) there is no response.

Hence it appears to me that the only port open is 443. So, when I change the XML port from 8081 to 8080 I do not think I need to make any changes on the Firewall.

CAG is in Secure Gateway mode only. Help appreciated!

Top 500 Contributor
Points 763

In my network I have the following ports opened on the firewall:

Traffic that is originated from the NSIPs traversing the firewall talking to internal resources.

80, 443 - to talk to internal webservers "hosted intranet sites" and the WIs
1494, 2598 - PS 4.5 servers
25300 - XML port
636 - Secure LDAP for AD auth for single sign-on.
53 - So CAGs can resolve internal DNS
1645 - RADIUS auth for 2-factor authentication

CAG-specific ports needed if you run an HA pair:

3003 - Heartbeat sent every 200ms
3010 - Sync process and replication
3011 - Command propagation
22 - File sync

Thanks

Jon
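
An added example, not posted by anyone in this thread: a small audit that compares a firewall allow list with the CAG flows listed in the reply above (1494, the XML port, 2598 with session reliability, 80 to Web Interface, 9001/9005 with AAC), so a change of XML port shows up as a missing rule plus a stale one. The role names (`cag`, `ps`, `wi`, `aac`), the rule syntax and the sample rule set are constructed for illustration.

```python
# Added example: role names and rule syntax are constructed for illustration;
# the port numbers come from the replies in this thread.
import re

RULE = re.compile(r"^(\w+)\s*->\s*(\w+)\s+tcp/(\d+)(?:-(\d+))?$")

def parse_rules(text):
    """Parse 'src -> dst tcp/PORT[-PORT]' lines into a set of (src, dst, port)."""
    allowed = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {raw!r}")
        src, dst, lo = m.group(1), m.group(2), int(m.group(3))
        hi = int(m.group(4)) if m.group(4) else lo
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port range: {raw!r}")
        allowed.update((src, dst, p) for p in range(lo, hi + 1))
    return allowed

def required_flows(xml_port, session_reliability=False, aac=False):
    """Flows the thread says a CAG needs toward internal servers."""
    flows = {("cag", "ps", 1494), ("cag", "ps", xml_port), ("cag", "wi", 80)}
    if session_reliability:
        flows.add(("cag", "ps", 2598))
    if aac:  # 9001 and 9005 are described as bidirectional
        for port in (9001, 9005):
            flows |= {("cag", "aac", port), ("aac", "cag", port)}
    return flows

def audit(rules_text, **options):
    """Return (missing, unneeded) flows for a rule set."""
    allowed = parse_rules(rules_text)
    required = required_flows(**options)
    return sorted(required - allowed), sorted(allowed - required)

# Constructed rule set, written for the current XML port (8081).
SAMPLE_RULES = """
cag -> ps tcp/1494
cag -> ps tcp/2598
cag -> ps tcp/8081   # XML service
cag -> wi tcp/80
"""

if __name__ == "__main__":
    for port in (8081, 8080):
        print(port, audit(SAMPLE_RULES, xml_port=port, session_reliability=True))
```

The "unneeded" list is as useful as the "missing" one: a rule left behind for the old XML port is an open path that nothing legitimate uses any more.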
