One of the main reasons Citrix MetaFrame is deployed in most organizations is that it provides the capability to access your office applications from anywhere in the world with an Internet connection. This service, however, comes at a cost, as you now have to protect your environment from malicious users who would want nothing more than an opportunity to wreak havoc on your network.
Firewalls are deployed to protect you from potential users who will be using the Internet as their vehicle of penetration into your servers. A firewall governs what type of data is exchanged between the outside and inside networks. For this reason, it is important to know what ports would need to be opened to allow ICA traffic in and out of your network. These ports are also useful because many times organizations even deploy firewalls internally to create layers of security.
The ports used in a Citrix MetaFrame Presentation Server environment are as follows:
- 1494—An ICA session is established and maintained over this TCP port. Knowing whether clients are connecting from outside the network or inside this port is necessary for ICA traffic between clients and servers.
- 80—The Citrix XML Service is used by ICA clients to query MPS servers for published applications.
- 2512—Server-to-server communications are exchanged over TCP port 2512.
- 2513—The Management Console uses this TCP port to plug into the IMA.
- 1604—UDP is usually enabled if the MPS server is used in interoperability mode or mixed mode, which means there are MetaFrame 1.8 servers in the farm. It is used by ICA clients to broadcast a query to find the Master ICA Browser.
- 443—Secure Sockets Layer (SSL) Relay is used to secure communications between the Web Interface server (formerly NFuse) and MPS servers.
- 139, 1433, 443—MPS servers use these ports to communicate with Microsoft SQL or Oracle databases hosting the Data Store.