
12.11.2015 Required Ports for Citrix NetScaler Gateway in DMZ Setup

CTX113250

Required Ports for Citrix NetScaler Gateway in DMZ Setup


Article | Configuration, Networking | Created: 12 May 2014 | Modified: 24 Jul 2015 | Languages: English

Information
This article provides examples of different port configurations with the NetScaler Gateway.

NetScaler Gateway: Secure Gateway Single DMZ

The preceding diagram shows an example of a NetScaler Gateway configuration that involves a single DMZ accessing Web
Interface, the Secure Ticketing Authority (STA) and Presentation Server over port 1494 (ICA) and port 2598 (Common Gateway
Protocol, CGP).

Notes:

Firewall 1 DMZ (port 443) - Internet user through NetScaler Gateway

Firewall 2 Internal Network (ports 80, 443, 1494, and 2598) - Web Interface, STA XML Service, and Presentation Server

Port 1494 for ICA, port 2598 for CGP

The following list explains the flow of the diagram:

1. The user points the browser to https://<NetScaler Gateway>.

http://support.citrix.com/article/CTX113250

2. NetScaler Gateway retrieves the Web Interface logon page.

3. NetScaler Gateway returns the Web Interface logon page to the user.

4. The user enters credentials into the Web Interface authentication form and clicks log in.

5. NetScaler Gateway forwards the HTTP-POST credentials to Web Interface.

6. Web Interface takes the credentials and negotiates with the XML Service.

7. The XML Service returns the list of applications to the Web Interface page.

8. Web Interface constructs the appropriate page and responds to NetScaler Gateway. 

9. NetScaler Gateway returns the resultant page to the user.

10. The user clicks an application, which launches the Presentation Server Client.

11. NetScaler Gateway receives an STA ticket from the Presentation Server Client to validate.

12. NetScaler Gateway presents the STA ticket to the STA server.

13. The STA server responds to the request.

14. If the STA authorizes the ticket, NetScaler Gateway consults the ICA Access Control List (ACL) to validate whether the incoming
ICA connection conforms with the listed ACLs.
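Steps 11 to 14 above are the security-relevant part of the flow: the gateway must not relay an ICA/CGP connection until the STA has authorized the ticket, and even then only to a destination the ICA ACL permits. The following Python model is an added illustration, not Citrix code: the ticket store, the single-use and expiry semantics of a ticket, the ACL format (network plus allowed ports) and the class names are assumptions made for the example.

```python
"""Model of the STA ticket check followed by the ICA ACL check.
Added illustration, not Citrix code; ticket semantics and ACL format are assumed."""
import ipaddress
import secrets
import time

ICA_PORT, CGP_PORT = 1494, 2598  # default ports named in the article


class STA:
    """Minimal Secure Ticket Authority: issues short-lived, single-use tickets
    that each map to one target server and port (assumed semantics)."""

    def __init__(self, ttl_seconds=100, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._tickets = {}  # ticket id -> (target_ip, port, expires_at)

    def issue(self, target_ip, port):
        ticket = secrets.token_hex(16)
        self._tickets[ticket] = (target_ip, port, self.clock() + self.ttl)
        return ticket

    def validate(self, ticket):
        """Return (target_ip, port) for a valid ticket and consume it; None otherwise."""
        entry = self._tickets.pop(ticket, None)  # pop: a ticket is redeemable once
        if entry is None:
            return None
        target_ip, port, expires_at = entry
        if self.clock() > expires_at:
            return None
        return target_ip, port


class Gateway:
    """NetScaler Gateway role in steps 11-14: present the ticket to the STA,
    then require the resolved connection to match an ICA ACL entry."""

    def __init__(self, sta, ica_acl):
        self.sta = sta
        # ACL entries: (network, allowed ports); a connection must match one entry
        self.acl = [(ipaddress.ip_network(net), set(ports)) for net, ports in ica_acl]

    def authorize(self, ticket):
        """Return (allowed, reason). A replayed, expired or unknown ticket
        fails at the STA; a valid ticket to a host or port outside the ACL fails there."""
        target = self.sta.validate(ticket)
        if target is None:
            return False, "STA rejected ticket"
        ip, port = target
        addr = ipaddress.ip_address(ip)
        for net, ports in self.acl:
            if addr in net and port in ports:
                return True, f"connect {ip}:{port}"
        return False, f"ICA ACL denies {ip}:{port}"
```

The ACL is evaluated after the STA, not instead of it: a ticket proves that Web Interface launched the session, while the ACL bounds which servers and ports the gateway will ever relay to, so a compromised or misconfigured Web Interface still cannot steer the gateway at an arbitrary internal host.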

NetScaler Gateway: Secure Gateway Double Hop DMZ Deployment 1 – Portal Page Authentication OFF; Single NetScaler Gateway in each DMZ

Notes:

Firewall 1 DMZ1

Firewall 2 DMZ2

Firewall 3 Internal Network

NetScaler Gateway 1 can access Web Interface and NetScaler Gateway 2 directly. NetScaler Gateway 2 can access the STA and
Presentation Server directly.

Port 1080 for SOCKS protocol


The following list explains the flow of the diagram:

1. The user points the browser at https://<NetScaler Gateway in DMZ 1>.

2. NetScaler Gateway 1 retrieves the Web Interface logon page.

3. NetScaler Gateway 1 returns the Web Interface logon page to the user.

4. The user enters credentials into the Web Interface authentication form and clicks log in.

5. NetScaler Gateway 1 forwards the HTTP-POST credentials to Web Interface.

6. Web Interface takes the credentials and negotiates with the XML Service.

7. The XML Service returns the list of applications to Web Interface.

8. Web Interface constructs the appropriate page and responds to NetScaler Gateway 1. 

9. NetScaler Gateway 1 returns the resultant page to the user.

10. The user clicks an application, then launches the Presentation Server Client.

11. NetScaler Gateway 1 receives an STA ticket from the Presentation Server Client to validate.

12. NetScaler Gateway 1 proxies through NetScaler Gateway 2 to reach the STA server.

13. The STA server responds to the request.

14. NetScaler Gateway 2 forwards the response to NetScaler Gateway 1.

15. If the STA authorizes the request, NetScaler Gateway 1 consults the ICA ACL to validate whether the incoming ICA
connection conforms with the listed ACLs.

Firewall 1: Open port 443 (SSL port) for the end user browser and Presentation Server Client to communicate with
NetScaler Gateway 1.

Firewall 2: Open port 80 or 443 depending on whether Web Interface is listening for insecure traffic or secure traffic.
Open port 1080 or 443 depending on whether the communication channel between NetScaler Gateway 1 and NetScaler
Gateway 2 is SOCKS or SOCKS over SSL.

Firewall 3: Open port 80 or 443 depending on whether the XML Service is listening for insecure or secure traffic. Open
port 1494 or 2598 or both for ICA/CGP traffic between NetScaler Gateway 2 and the Presentation Server.

Note: Ports are always configurable. The preceding are based on the default protocol port numbers.

NetScaler Gateway: Secure Gateway Double Hop DMZ Deployment 2 – Portal Page Authentication ON; Single NetScaler Gateway in each DMZ


Notes:

NetScaler Gateway 1 can access Web Interface, the Authentication, Authorization, and Accounting (AAA) server and NetScaler
Gateway 2 directly. NetScaler Gateway 2 can access the STA and Presentation Server directly.

The user is authenticated by the AAA server and then redirected to Web Interface. Web Interface might ask for logon
authentication again.

The following list explains the flow of the diagram:

1. The user points the browser to https://<NetScaler Gateway in DMZ 1>.

2. NetScaler Gateway 1 gathers credentials from the user and validates them against the authentication server.

3. If the authentication is acceptable, NetScaler Gateway 1 logs the user on to Web Interface using Single Sign-on (SSO).

4. Web Interface takes the credentials and negotiates with the XML Service.

5. The XML Service returns a list of applications to Web Interface.

6. Web Interface constructs the appropriate page and responds to NetScaler Gateway 1. 

7. NetScaler Gateway 1 returns the resultant page to the user.

8. The user clicks an application, then launches the Presentation Server Client.

9. NetScaler Gateway 1 receives an STA ticket from the Presentation Server Client to validate.

10. NetScaler Gateway 1 proxies through NetScaler Gateway 2 to reach the STA server.

11. The STA server responds.

12. NetScaler Gateway 2 forwards the response to NetScaler Gateway 1.

13. If the STA authorizes the request, NetScaler Gateway 1 consults its ICA ACL to validate whether the incoming ICA
connection conforms to the listed ACLs.

Firewall 1: Open port 443 (SSL port) for the end user browser and Presentation Server Client to communicate with
NetScaler Gateway 1.

Firewall 2: Open port 80 or 443 depending on whether Web Interface is listening for insecure traffic or secure traffic.
Open port 1080 or 443 depending on whether the communication channel between NetScaler Gateway 1 and NetScaler
Gateway 2 is SOCKS or SOCKS over SSL. Open the port used for portal page authentication (for example, 1812 for RADIUS).


Firewall 3: Open port 80 or 443 depending on whether the XML Service is listening for insecure or secure traffic. Open
port 1494 or 2598 or both for ICA/CGP traffic between NetScaler Gateway 2 and the Presentation Server.

Note: Ports are always configurable. The preceding are based on the default protocol port numbers.

NetScaler Gateway: Secure Gateway Double Hop DMZ Deployment 3 – Portal Page Authentication OFF; Multiple NetScaler Gateways in second DMZ

Notes:

NetScaler Gateway 1 can access Web Interface and NetScaler Gateway 2 directly. NetScaler Gateway 2 can access STA and
Presentation Server directly.

Configure a load balancing virtual server on NetScaler Gateway 1 and point the next hop to this load balancing virtual server.
The SOCKS handshake occurs inside NetScaler Gateway 1.

The following list explains the flow of the diagram:

1. The user points the browser at https://<NetScaler Gateway in DMZ 1>.

2. NetScaler Gateway 1 retrieves the Web Interface logon page.

3. NetScaler Gateway 1 returns the Web Interface logon page to the user.

4. The user enters credentials into the Web Interface authentication form and clicks Log in.

5. NetScaler Gateway 1 forwards the HTTP-POST credentials to Web Interface.

6. Web Interface takes the credentials and negotiates with the XML Service.

7. The XML Service returns the list of applications to Web Interface.

8. Web Interface constructs the appropriate page and responds to NetScaler Gateway 1. 

9. NetScaler Gateway 1 returns the resultant page to the user.

10. The user clicks an application, then launches the Presentation Server Client.

11. NetScaler Gateway 1 receives an STA ticket from the Presentation Server Client to validate.

12. NetScaler Gateway 1 decides (based on a round-robin algorithm) which NetScaler Gateway Proxy it will use and proxies through
that appliance to reach the STA server.

13. The STA server responds.


14. The appropriate NetScaler Gateway Proxy forwards the response to NetScaler Gateway 1.

15. If the STA authorizes the request, NetScaler Gateway 1 consults its ICA ACL to validate whether the incoming ICA
connection conforms to the listed ACLs.

Firewall 1: Open port 443 (SSL port) for the end user browser and the Presentation Server Client to communicate with
NetScaler Gateway 1.

Firewall 2: Open port 80 or 443 depending on whether Web Interface is listening for insecure traffic or secure traffic.
Open port 1080 or 443 depending on whether the communication channel between NetScaler Gateway 1 and the
NetScaler Gateway proxies is SOCKS or SOCKS over SSL.

Firewall 3: Open port 80 or 443 depending on whether the XML Service is listening for insecure or secure traffic. Open
port 1494 or 2598 or both for ICA/CGP traffic between the NetScaler Gateway proxies and the server running Presentation
Server.

Note: Ports are always configurable. The above is based on the default protocol port numbers.

NetScaler Gateway: Secure Gateway Double Hop DMZ Deployment 4 – Portal Page Authentication ON; Multiple NetScaler Gateways in second DMZ

Notes:

NetScaler Gateway 1 can access Web Interface, the AAA server, and NetScaler Gateway 2 directly. NetScaler Gateway 2 can
access the STA and Presentation Server directly.

The user is authenticated by the AAA server and then redirected to Web Interface. Web Interface might ask for logon
authentication again.

The following list explains the flow of the diagram:

1. The user points the browser at https://<NetScaler Gateway in DMZ 1>.

2. NetScaler Gateway 1 gathers credentials from the user and validates them against the authentication server.

3. If authentication is acceptable, NetScaler Gateway 1 signs the user on to Web Interface using SSO.

4. Web Interface takes the credentials and negotiates with the XML Service.

5. The XML Service returns a list of applications to Web Interface.

6. Web Interface constructs the appropriate page and responds to NetScaler Gateway 1. 


7. NetScaler Gateway 1 returns the resultant page to the user.

8. The user clicks an application, then launches the Presentation Server Client.

9. NetScaler Gateway 1 receives an STA ticket from the Presentation Server Client to validate.

10. NetScaler Gateway 1 decides (based on a round-robin algorithm) which NetScaler Gateway Proxy it will use and proxies through that
appliance to reach the STA server.

11. The STA server responds.

12. The appropriate NetScaler Gateway Proxy forwards the response to NetScaler Gateway 1.

13. If the STA authorizes the request, NetScaler Gateway 1 consults its ICA ACL to validate whether the incoming ICA
connection conforms to the listed ACLs.

Firewall 1: Open port 443 (SSL port) for the end user browser and Presentation Server Client to communicate with
NetScaler Gateway 1.

Firewall 2: Open port 80 or 443 depending on whether Web Interface is listening for insecure traffic or secure traffic.
Open port 1080 or 443 depending on whether the communication channel between NetScaler Gateway 1 and the
NetScaler Gateway proxies is SOCKS or SOCKS over SSL. Open the port used for portal page authentication (for
example, 1812 for RADIUS).

Firewall 3: Open port 80 or 443 depending on whether the XML Service is listening for insecure or secure traffic. Open
port 1494 or 2598 or both for ICA/CGP traffic between the NetScaler Gateway proxies and the server running Presentation
Server.

Note: Ports are always configurable. The preceding are based on the default protocol port numbers.
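The four double-hop deployments above differ only in a handful of switches: portal page authentication on or off, SOCKS or SOCKS over SSL between the hops, Web Interface and the XML Service on 80 or 443, ICA and/or CGP, and one or several second-hop proxies. The Python below is an added example (not a Citrix tool) that derives the minimal allow-list for each firewall from those switches and audits a proposed ruleset against it, reporting both flows that are missing and rules that open more than the listed flows need. Host labels (INTERNET, NSG1, NSG2, WI, AAA, XML, PS), the `Rule` tuple and the RADIUS default of 1812 from the text are assumptions for the example; the XML label stands for the STA/XML Service, which the single-DMZ diagram notes place together.

```python
"""Derive the firewall allow-list for a double-hop NetScaler Gateway DMZ and
audit a proposed ruleset against it. Added example, not a Citrix tool;
host labels and the rule format are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    firewall: str   # "FW1", "FW2" or "FW3" as in the article
    src: str        # host label (assumed names)
    dst: str
    port: int


def required_rules(portal_auth, socks_over_ssl, wi_https, xml_https,
                   ica=True, cgp=True, proxies=("NSG2",), auth_port=1812):
    """Return the set of rules the article lists for the chosen switches.
    Defaults use the article's example values (RADIUS on 1812, one proxy)."""
    rules = set()
    # Firewall 1: browser and Presentation Server Client reach NetScaler Gateway 1 on 443
    rules.add(Rule("FW1", "INTERNET", "NSG1", 443))
    # Firewall 2: NSG1 to Web Interface (80 or 443), to each second-hop proxy
    # (1080 SOCKS or 443 SOCKS over SSL), and to the AAA server when portal auth is on
    rules.add(Rule("FW2", "NSG1", "WI", 443 if wi_https else 80))
    for proxy in proxies:
        rules.add(Rule("FW2", "NSG1", proxy, 443 if socks_over_ssl else 1080))
    if portal_auth:
        rules.add(Rule("FW2", "NSG1", "AAA", auth_port))
    # Firewall 3: each proxy to the XML Service/STA (80 or 443) and to
    # Presentation Server on 1494 (ICA) and/or 2598 (CGP)
    for proxy in proxies:
        rules.add(Rule("FW3", proxy, "XML", 443 if xml_https else 80))
        if ica:
            rules.add(Rule("FW3", proxy, "PS", 1494))
        if cgp:
            rules.add(Rule("FW3", proxy, "PS", 2598))
    return rules


def audit(proposed, required):
    """Return (missing, excess): flows the deployment needs but the ruleset
    lacks, and rules the ruleset opens that no listed flow needs."""
    return required - proposed, proposed - required


def report(proposed, required):
    """Human-readable audit summary, one line per finding, sorted per firewall."""
    missing, excess = audit(proposed, required)
    key = lambda r: (r.firewall, r.src, r.dst, r.port)
    lines = [f"MISSING {r.firewall}: {r.src} -> {r.dst}:{r.port}" for r in sorted(missing, key=key)]
    lines += [f"EXCESS  {r.firewall}: {r.src} -> {r.dst}:{r.port}" for r in sorted(excess, key=key)]
    return lines or ["ruleset matches the required flows exactly"]


if __name__ == "__main__":
    # Deployment 2: portal auth on, plain SOCKS, Web Interface on 443, XML Service on 80
    req = required_rules(portal_auth=True, socks_over_ssl=False, wi_https=True, xml_https=False)
    # Constructed ruleset: forgets CGP on firewall 3 and leaves port 80 to Web Interface open
    proposed = (req - {Rule("FW3", "NSG2", "PS", 2598)}) | {Rule("FW2", "NSG1", "WI", 80)}
    print("\n".join(report(proposed, req)))
```

The excess list is the one to act on first: the article's note that "ports are always configurable" cuts both ways, and a rule left over from an earlier Web Interface listening on port 80 is exactly the kind of opening between DMZ 1 and DMZ 2 that the double-hop design is meant to avoid.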

Additional Resources

CTX114355 - NetScaler Gateway Configuration of Ports on Firewall

Applicable Products
NetScaler Gateway 10.1

Access Gateway 10

NetScaler Gateway 10.5

NetScaler Gateway 11.0
