System requirements 编辑

While waiting for Citrix to provision Endpoint Management, be sure to prepare for your Endpoint Management deployment by installing Cloud Connector. Although Citrix hosts and delivers your Endpoint Management solution, some communication and port setup is required. That setup connects the Endpoint Management infrastructure to corporate services, such as Active Directory.

Cloud Connector requirements

Citrix uses Cloud Connector to integrate the Endpoint Management architecture into your existing infrastructure. Cloud Connector integrates the following resource locations to Endpoint Management securely over port 443: LDAP, PKI Server, internal DNS queries, and Citrix Workspace enumeration.

  • At least two dedicated Windows Server machines that are joined to your Active Directory domain. The machines can be virtual or physical. The machine where you’re installing the Connector must be in sync with UTC time for proper installation and operation. For a full list of the latest requirements, see the deployment materials provided by your Citrix Account Team.

    The onboarding wizard guides you through installing Cloud Connector on those machines.

  • For more platform system requirements, see Citrix Cloud Connector.

Supported Active Directory functional levels

For use with Endpoint Management, the Citrix Cloud Connector supports the following forest and domain functional levels in Active Directory.

Forest Functional LevelDomain Functional LevelSupported Domain Controllers
Windows Server 2008 R2Windows Server 2008 R2Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
Windows Server 2008 R2Windows Server 2012Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
Windows Server 2008 R2Windows Server 2012 R2Windows Server 2012 R2, Windows Server 2016
Windows Server 2008 R2Windows Server 2016Windows Server 2016
Windows Server 2012Windows Server 2012Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
Windows Server 2012Windows Server 2012 R2Windows Server 2012 R2, Windows Server 2016
Windows Server 2012Windows Server 2016Windows Server 2016
Windows Server 2012 R2Windows Server 2012 R2Windows Server 2012 R2, Windows Server 2016
Windows Server 2012 R2Windows Server 2016Windows Server 2016
Windows Server 2016Windows Server 2016Windows Server 2016

Citrix Gateway requirements

Endpoint Management requires a Citrix Gateway installed in your resource location for the following scenarios:

  • You require a micro VPN for access to internal network resources for line-of-business apps. Those apps are wrapped with Citrix MDX technology. The micro VPN needs Citrix Gateway to connect to internal back-end infrastructures.
  • You plan to use Citrix mobile productivity apps, such as Citrix Secure Mail.
  • You plan to integrate Endpoint Management with Microsoft Endpoint Manager.

The requirements:

  • Domain (LDAP) authentication
  • Citrix Gateway 12.1 or above, with a Platform/Universal license

For details, see Licensing.

  • Public SSL Certificate.

For details, see Create and Use SSL Certificates on a Citrix ADC Appliance.

For information about Citrix Gateway requirements, see the deployment materials provided by your Citrix Account Team.

For information about Android Enterprise requirements, see the Android Enterprise section.

Citrix Files requirements

Citrix Files file sync and sharing services are available in the Endpoint Management Premium Service offering. Storage zones controller extends the Citrix Files software as a service (SaaS) cloud storage by giving private data storage to your Citrix Files account.

Storage zones controller requirements:

  • A dedicated physical or virtual machine
  • Windows Server 2012 R2 or Windows Server 2016
  • 2 vCPUs
  • 4 GB RAM
  • 50 GB hard disk space
  • Server roles for Web Server (IIS):

    • Application Development: ASP. NET 4.5.2
    • Security: Basic Authentication
    • Security: Windows Authentication

Citrix Files platform requirements:

  • The Citrix Files installer requires administrative privileges on the Windows Server
  • Citrix Files Admin user name

Port requirements

To enable devices and apps to communicate with Endpoint Management, you open specific ports in your firewalls. The following diagram shows the traffic flow for Endpoint Management.

Endpoint Management traffic flow

The following sections list the ports that you must open. For information about the URLs that mobile productivity apps use, see Feature flag management.

Citrix Gateway port requirements

Open ports to allow user connections from Citrix Secure Hub and Citrix Workspace through Citrix Gateway to:

  • Endpoint Management
  • StoreFront
  • Other internal network resources, such as intranet websites

For more information about Citrix Gateway, see Configuring Settings for your Citrix Endpoint Management Environment in the Citrix Gateway documentation. For information about IP addresses, see How Citrix Gateway uses IP addresses in the Citrix Gateway documentation.

TCP PortDescriptionSourceDestination
53 (TCP and UDP)Used for DNS connections.Citrix Gateway SNIPDNS server
80/443Citrix Gateway passes the micro VPN connection to the internal network resource through the second firewall.Citrix Gateway SNIPIntranet websites
123 (TCP and UDP)Used for Network Time Protocol (NTP) services.Citrix Gateway SNIPNTP server
389Used for insecure LDAP connections.Citrix Gateway NSIP (or, if using a load balancer, SNIP)LDAP authentication server or Microsoft Active Directory
443Used for connections to StoreFront from Citrix Workspace to Citrix Virtual Apps and Desktops.InternetCitrix Gateway
443Used for connections to Endpoint Management for web, mobile, and SaaS app delivery.InternetCitrix Gateway
443Used for Cloud Connector communication – LDAP, DNS, PKI & Citrix Workspace enumerationCloud Connector Servershttps://*.citrixworkspacesapi.net, https://*.cloud.com (commercial), https://*.cloud.us (government), https://*.blob.core.windows.net/, https://*.servicebus.windows.net
443Used for accessing the Endpoint Management Self-Help Portal, if enabled, through the browser.Access point (browser)Endpoint Management (https://<sitename>/zdm/shp)
636Used for secure LDAP connections.Citrix Gateway NSIP (or, if using a load balancer, SNIP)LDAP authentication server or Active Directory
1494Used for ICA connections to Windows-based applications in the internal network. Citrix recommends keeping this port open.Citrix Gateway SNIPCitrix Virtual Apps and Desktops
1812Used for RADIUS connections.Citrix Gateway NSIPRADIUS authentication server
2598Used for connections to Windows-based applications in the internal network using session reliability. Citrix recommends keeping this port open.Citrix Gateway SNIPCitrix Virtual Apps and Desktops
3269Used for Microsoft Global Catalog secure LDAP connections.Citrix Gateway NSIP (or, if using a load balancer, SNIP)LDAP authentication server or Active Directory
4443Used for accessing the Endpoint Management console by an administrator through the browser.Access point (browser)Endpoint Management
8443Used for enrollment, app store, and mobile app management (MAM).Citrix Gateway SNIPEndpoint Management
8443Secure Ticket Authority (STA) port used for Secure Mail authentication tokenCitrix Gateway SNIPEndpoint Management

Network and firewall requirements

To enable devices and apps to communicate with Endpoint Management, you open specific ports in your firewalls. The following tables list those ports.

Open ports from the internal network to Citrix Cloud:

TCP portSource IPDescriptionDestinationDestination IP
443 Cloud Connectorhttps://*.citrixworkspacesapi.net, https://*.cloud.com (commercial), https://*.cloud.us (government), https://*.sharefile.com, https://cwsproduction.blob.core.wind ows.net/downloads, https://*.servicebus.windows.net 
443 Administrative Consolehttps://*.citrixworkspacesapi.net, https://*.cloud.com (commercial), https://*.cloud.us (government), https://*.citrix.com, https://cwsproduction.blob.core.windows.net/downloads 
443 Endpoint Management Self-Help Portal access through a browser (if the portal is enabled)Endpoint Management 
4443 Endpoint Management console access through a browserEndpoint Management 

Open ports from the Internet to the DMZ:

TCP portDescriptionSource IPDestinationDestination IP
443Endpoint Management Client Device Citrix Gateway IP 
443Endpoint Management Client Device Citrix Gateway VIP 
443Citrix Files Public IPCTX208318Citrix Gateway VIP 

Open ports from the DMZ to the internal network:

TCP portDescriptionSource IPDestinationDestination IP
389 or 636Citrix Gateway NSIP Active Directory IP 
53 (UDP)Citrix Gateway NSIP DNS Server IP 
443Citrix Gateway SNIP Exchange (EAS) Server IP 
443Citrix Gateway SNIP Internal Web Apps/Services 
443Citrix Gateway SNIP Storage zones controller IP 

Open ports from the internal network to the DMZ:

TCP portDescriptionSource IPDestinationDestination IP
443Admin Client Citrix Gateway NSIP 

Open ports from the internal network to the Internet:

TCP portDescriptionSource IPDestinationDestination IP
443Exchange (EAS) Server IP Endpoint Management Push Notification Listeners (1) 
443Storage zones controller IP Citrix Files Control PlaneCTX208318

(1) us-east-1.mailboxlistener.xm.citrix.com, eu-west-1.mailboxlistener.xm.citrix.com, ap-southeast-1.mailboxlistener.xm.citrix.com

Open ports from the corporate Wi-Fi to the Internet:

TCP portDescriptionSource IPDestinationDestination IP
8443 / 443Endpoint Management Client Device Endpoint Management 
5223Endpoint Management Client Device Apple APNS Servers17.0.0.0/8
5228Endpoint Management Client Device Firebase Cloud Messagingandroid.apis.google.com, fcm.googleapis.com
5229Endpoint Management Client Device Firebase Cloud Messagingandroid.apis.google.com, fcm.googleapis.com
5230Endpoint Management Client Device Firebase Cloud Messagingandroid.apis.google.com, fcm.googleapis.com
443Endpoint Management Client Device Firebase Cloud Messagingfcm.googleapis.com
443Endpoint Management Client Device Windows Push Notification Service*.notify.windows.com
443 / 80Endpoint Management Client Device Apple iTunes App Storeax.apps.apple.com, *.mzstatic.com, vpp.itunes.apple.com
443 / 80Endpoint Management Client Device Google Playplay.google.com, android.clients.google.com, android.l.google.com, android.com, google-analytics.com
443 / 80Endpoint Management Client Device Microsoft App Storelogin.live.com, *.notify.windows.com
443Endpoint Management Client Device Endpoint Management AutoDiscovery service for iOS and Androiddiscovery.cem.cloud.us
443Endpoint Management Client Device Endpoint Management AutoDiscovery service for Windowsenterpriseenrollment.mycompany.com, discovery.cem.cloud.us
443Storage zones controller IP Citrix Files Control PlaneCTX208318
443Endpoint Management Client Device Google Mobile Management, Google APIs, Google Play Store APIs*.googleapis.com
443Endpoint Management Client Device Connectivity checks for CloudDPC versions earlier than v470. Android connectivity checks starting with N MR1 requires https://www.google.com/generate_204 to be reachable, or for the given Wi-Fi network to point to a reachable PAC file)connectivitycheck.android.com, www.google.com

Port requirement for AutoDiscovery service connectivity

This port configuration makes sure that Android devices connecting from Secure Hub for Android can access the Endpoint Management AutoDiscovery service (ADS) from within the internal network. The ability to access the ADS is important when downloading any security updates made available through the ADS.

Note:

ADS connections might not support your proxy server. In this scenario, allow the ADS connection to bypass the proxy server.

If you want to enable certificate pinning, complete the following prerequisites:

  • Collect Endpoint Management server and Citrix Gateway certificates: The certificates must be in PEM format and must be a public certificate and not the private key.
  • Contact Citrix Support and place a request to enable certificate pinning: During this process, you’re asked for your certificates.

Certificate pinning requires that devices connect to ADS before the device enrolls. This requirement makes sure that the latest security information is available to Secure Hub. For Secure Hub to enroll a device, the device must reach the ADS. So opening ADS access within the internal network is critical to enabling devices to enroll.

To allow access to the ADS for Secure Hub for Android/iOS, open port 443 for the following FQDN :

FQDNPortIP and port usage
discovery.cem.cloud.us443Secure Hub - ADS Communication via CloudFront

For information on supported IP addresses, see Cloud-based storage centers from AWS.

Android Enterprise network requirements

For information about the outbound connections to consider when setting up network environments for Android Enterprise, see the Google support article, Android Enterprise Network Requirements.

App requirements

Citrix Endpoint Management supports adding and maintaining up to 300 apps. Going over this limit causes your system to become unstable.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。
列表为空,暂无数据

词条统计

浏览:48 次

字数:24141

最后编辑:8 年前

编辑次数:0 次

    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文