Port requirements

To enable devices and apps to communicate with XenMobile, you open specific ports in your firewalls. The following tables list the ports that must be open.

Open ports for Citrix Gateway and XenMobile to manage apps

Open the following ports to allow user connections from Citrix Secure Hub, Citrix Receiver, and the Citrix Gateway plug-in through Citrix Gateway to the following components:

  • XenMobile
  • StoreFront
  • Citrix Virtual Apps and Desktops
  • Citrix Gateway connector for Exchange ActiveSync
  • Other internal network resources, such as intranet websites

To enable traffic to Launch Darkly from Citrix ADC, you can use the IP addresses noted in this Support Knowledge Center article.

For more information about Citrix Gateway, see the Citrix Gateway documentation. That documentation includes information about Citrix ADC IP (NSIP), virtual server IP (VIP), and subnet IP (SNIP) addresses.

| TCP port | Description | Source | Destination |
|---|---|---|---|
| 21 or 22 | Used to send support bundles to an FTP or SCP server. | XenMobile | FTP or SCP server |
| 53 (TCP and UDP) | Used for DNS connections. | Citrix Gateway, XenMobile | DNS Server |
| 80 | Citrix Gateway passes the VPN connection to the internal network resource through the second firewall. This situation typically occurs if users log on with the Citrix Gateway plug-in. | Citrix Gateway | Intranet websites |
| 80 or 8080; 443 | XML and Secure Ticket Authority (STA) port used for enumeration, ticketing, and authentication. Citrix recommends using port 443. | StoreFront and Web Interface XML network traffic; Citrix Gateway STA | Virtual Apps or Desktops |
| 123 (TCP and UDP) | Used for Network Time Protocol (NTP) services. | Citrix Gateway; XenMobile | NTP server |
| 389 | Used for insecure LDAP connections. | Citrix Gateway; XenMobile | LDAP authentication server or Microsoft Active Directory |
| 443 | Used for connections to StoreFront from Citrix Receiver or Receiver for Web to Virtual Apps and Desktops. | Internet | Citrix Gateway |
| 443 | Used for connections to XenMobile for web, mobile, and SaaS app delivery. | Internet | Citrix Gateway |
| 443 | Used for general device communication to XenMobile Server. | XenMobile | XenMobile |
| 443 | Used for connections from mobile devices to XenMobile for enrollment. | Internet | XenMobile |
| 443 | Used for connections from XenMobile to Citrix Gateway connector for Exchange ActiveSync. | XenMobile | Citrix Gateway connector for Exchange ActiveSync |
| 443 | Used for connections from Citrix Gateway connector for Exchange ActiveSync to XenMobile. | Citrix Gateway connector for Exchange ActiveSync | XenMobile |
| 443 | Used for Callback URL in deployments without certificate authentication. | XenMobile | Citrix Gateway |
| 514 | Used for connections between XenMobile and a syslog server. | XenMobile | Syslog server |
| 636 | Used for secure LDAP connections. | Citrix Gateway; XenMobile | LDAP authentication server or Active Directory |
| 1494 | Used for ICA connections to Windows-based applications in the internal network. Citrix recommends keeping this port open. | Citrix Gateway | Virtual Apps or Desktops |
| 1812 | Used for RADIUS connections. | Citrix Gateway | RADIUS authentication server |
| 2598 | Used for connections to Windows-based applications in the internal network using session reliability. Citrix recommends keeping this port open. | Citrix Gateway | Virtual Apps or Desktops |
| 3268 | Used for Microsoft Global Catalog insecure LDAP connections. | Citrix Gateway; XenMobile | LDAP authentication server or Active Directory |
| 3269 | Used for Microsoft Global Catalog secure LDAP connections. | Citrix Gateway; XenMobile | LDAP authentication server or Active Directory |
| 9080 | Used for HTTP traffic between Citrix ADC and the Citrix Gateway connector for Exchange ActiveSync. | Citrix ADC | Citrix Gateway connector for Exchange ActiveSync |
| 30001 | Management API for initial staging of HTTPS service | Internal LAN | XenMobile Server |
| 9443 | Used for HTTPS traffic between the Citrix ADC and the Citrix Gateway connector for Exchange ActiveSync. | Citrix ADC | Citrix Gateway connector for Exchange ActiveSync |
| 45000; 80 | Used for communication between two XenMobile VMs when deployed in a cluster. Port 80 is for internode communication and for SSL offload. | XenMobile | XenMobile |
| 8443 | Used for enrollment, XenMobile Store, and mobile app management (MAM). | XenMobile; Citrix Gateway; Devices; Internet | XenMobile |
| 4443 | Used for accessing the XenMobile console by an administrator through the browser. Also used for downloading logs and support bundles for all XenMobile cluster nodes from one node. | Access point (browser); XenMobile | XenMobile |
| 27000 | Default port used for accessing the external Citrix License Server. | XenMobile | Citrix License Server |
| 7279 | Default port used for checking Citrix licenses in and out. | XenMobile | Citrix Vendor Daemon |
| 161 | Used for SNMP traffic using UDP protocol. | SNMP Manager | XenMobile |
| 162 | Used for sending SNMP trap alerts to the SNMP manager from XenMobile. The source is XenMobile and the destination is the SNMP Manager. | XenMobile | SNMP Manager |
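
A way to audit a firewall rule set against the table above, as an added example that is not part of the Citrix documentation. The rule syntax, the `REQUIRED` subset, the short label `LDAP` and the sample rules are assumptions constructed for illustration; the port numbers and the cleartext/encrypted pairs come from the table.

```python
import re

# Flows this hypothetical deployment needs: a constructed subset of the table,
# as (source, destination, port). "LDAP" abbreviates the table's
# "LDAP authentication server or Active Directory".
REQUIRED = {
    ("Internet", "Citrix Gateway", 443),
    ("Internet", "XenMobile", 443),
    ("Citrix Gateway", "XenMobile", 8443),
    ("XenMobile", "Syslog server", 514),
    ("XenMobile", "LDAP", 636),
}
# Cleartext ports from the table, mapped to the encrypted port it lists.
CLEARTEXT = {21: 22, 389: 636, 3268: 3269, 9080: 9443}

# Assumed rule syntax: "source -> destination : port"; "#" starts a comment.
RULE = re.compile(r"^(?P<src>[^>]+?)\s*->\s*(?P<dst>[^:]+?)\s*:\s*(?P<port>\d+)$")

def parse_rules(text):
    rules = set()
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"line {n}: cannot parse rule")
        rules.add((m["src"], m["dst"], int(m["port"])))
    return rules

def audit(rules):
    """Compare configured rules with the flows the deployment requires."""
    extra = rules - REQUIRED
    return {
        "missing": sorted(REQUIRED - rules),
        "cleartext": sorted((r, CLEARTEXT[r[2]]) for r in extra if r[2] in CLEARTEXT),
        "unlisted": sorted(r for r in extra if r[2] not in CLEARTEXT),
    }

SAMPLE_RULES = """  # constructed rule set, not taken from a real firewall
Internet -> Citrix Gateway : 443
Internet -> XenMobile : 443
Citrix Gateway -> XenMobile : 8443
XenMobile -> Syslog server : 514
XenMobile -> LDAP : 389       # cleartext LDAP instead of 636
Internet -> XenMobile : 4443  # console port; table source is the admin browser
"""
```

Calling `audit(parse_rules(SAMPLE_RULES))` reports the 636 flow as missing, the 389 rule as cleartext with 636 as its replacement, and the Internet-facing 4443 rule as not covered by the required flows.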

Open XenMobile ports to manage devices

Open the following ports to allow XenMobile to communicate in your network.

| TCP port | Description | Source | Destination |
|---|---|---|---|
| 25 | Default SMTP port for the XenMobile notification service. If your SMTP server uses a different port, ensure that your firewall does not block that port. | XenMobile | SMTP server |
| 80 and 443 | Enterprise App Store connection to Apple iTunes App Store or Google Play (must use 80). Used for Apple volume purchase. Used for publishing apps from the app stores from iOS or Secure Hub for Android. | XenMobile | ax.apps.apple.com and *.mzstatic.com; vpp.itunes.apple.com; login.live.com; *.notify.windows.com; play.google.com, android.clients.google.com, android.l.google.com |
| 80 or 443 | Used for outbound connections between XenMobile and Nexmo SMS Notification Relay. | XenMobile | Nexmo SMS Relay Server |
| 389 | Used for insecure LDAP connections. | XenMobile | LDAP authentication server or Active Directory |
| 443 | Used for enrollment and agent setup for Android. | Internet | XenMobile |
| 443 | Used for enrollment and agent setup for Android and Windows devices and the MDM Remote Support Client. | Internet LAN and Wi-Fi | XenMobile |
| 1433 | Used by default for connections to a remote database server (optional). | XenMobile | SQL Server |
| 443 or 2197 | Used to send APNs notifications to *.push.apple.com | XenMobile | Internet (APNs hosts using the public IP address 17.0.0.0/8) |
| 5223 | Used for APNs outbound connections from iOS devices to *.push.apple.com. | iOS devices | Internet (APNs hosts using the public IP address 17.0.0.0/8) |
| 8081 | Used for app tunnels from the optional MDM Remote Support Client. Defaults to 8081. | Remote Support Client | XenMobile |
| 8443 | Used for enrollment of iOS devices. | Internet; LAN and Wi-Fi | XenMobile |

Port requirement for AutoDiscovery service connectivity

This port configuration ensures that Android devices connecting from Secure Hub for Android can access the Citrix AutoDiscovery Service (ADS) from within the internal network. You need access to ADS to download security updates made available through the ADS.

Note:

ADS connections might not support your proxy server. In this scenario, allow the ADS connection to bypass the proxy server.

If you want to enable certificate pinning, complete the following prerequisites:

  • Collect XenMobile Server and Citrix ADC certificates. The certificates must be in PEM format and must be the public certificates, not the private keys.
  • Contact Citrix Support and place a request to enable certificate pinning. During this process, you are asked for your certificates.
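
A pre-flight check for the first prerequisite, as an added example that is not part of the Citrix documentation: it confirms that a file about to be handed to support is PEM, contains certificates, and carries no private key. The function name and the two sample bundles are assumptions; the sample bodies are constructed placeholders, not real certificates or keys.

```python
import base64
import re

# One PEM block: BEGIN/END lines with matching labels around a base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def check_pinning_bundle(pem_text):
    """Return (ok, findings) for a bundle meant for a pinning request."""
    findings = []
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        findings.append("no PEM blocks found (DER or another encoding?)")
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            # Covers PRIVATE KEY, RSA/EC PRIVATE KEY, ENCRYPTED PRIVATE KEY.
            findings.append(f"private key present: {label}")
            continue
        if label != "CERTIFICATE":
            findings.append(f"unexpected block: {label}")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            findings.append("certificate body is not valid base64")
            continue
        if not der or der[0] != 0x30:
            # An X.509 certificate is a DER SEQUENCE, which starts with 0x30.
            findings.append("certificate body is not a DER SEQUENCE")
    return not findings, findings

# Constructed placeholders: a five-byte DER SEQUENCE stands in for real data.
CERT_ONLY = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
WITH_KEY = CERT_ONLY + "-----BEGIN PRIVATE KEY-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(check_pinning_bundle(CERT_ONLY))
    print(check_pinning_bundle(WITH_KEY))
```

The check is structural only; it does not validate the certificate chain or confirm that the certificate belongs to the XenMobile Server or Citrix ADC.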

Certificate pinning requires that devices connect to ADS before the device enrolls. This requirement ensures that the latest security information is available to Secure Hub. For Secure Hub to enroll a device, the device must reach the ADS. Therefore, opening up ADS access within the internal network is critical to enabling devices to enroll.

To allow access to the ADS for Secure Hub for Android or iOS, open port 443 for the following FQDN:

| FQDN | Port | IP and port usage |
|---|---|---|
| discovery.cem.cloud.us | 443 | Secure Hub - ADS Communication via CloudFront |

For information on supported IP addresses, see Cloud-based storage centers from AWS.

Android Enterprise network requirements

For information about the outbound connections to consider when setting up network environments for Android Enterprise, see the Google support article, Android Enterprise Network Requirements.

Port requirements for XenMobile

The following destination hosts must be reachable from the network to create a Managed Google Play Enterprise and to access the Managed Google Play iFrame. Google made the Managed Play iFrame available to EMM developers to simplify search and approval of apps. In order to use the Managed Play iFrame, the browser from which you access the XenMobile console must have access to Google Play.

| Destination host | Port | Description |
|---|---|---|
| play.google.com | TCP/443 | Used for Google Play store, Play Enterprise sign-up |
| *.googleapis.com | TCP/443 | Used for Google Mobile Management, Google APIs, Google Play store APIs |
| accounts.youtube.com, accounts.google.com | TCP/443 | Used for the account authentication |
| apis.google.com | TCP/443 | Used for GCM and other Google web services |
| ogs.google.com | TCP/443 | Used for iFrame UI elements |
| notifications.google.com | TCP/443 | Used for desktop and mobile notifications |
| fonts.googleapis.com, *.gstatic.com, *.googleusercontent.com | TCP/443 | Used for Google Fonts user generated content. For example, the app icons in the store |
| cri.pki.goog, ocsp.pki.goog | TCP/443 | Used for the certificate validation |
