CTX113250
Information
This article provides examples of different port configurations with the NetScaler Gateway.
The preceding diagram shows an example of a NetScaler Gateway configuration with a single DMZ: the appliance reaches Web
Interface, the Secure Ticketing Authority (STA) and Presentation Server, using port 1494 for ICA and port 2598 for Common Gateway
Protocol (CGP) traffic.
Notes:
Firewall 2 (DMZ to internal network): ports 80, 443, 1494, and 2598 - Web Interface, STA/XML Service, and Presentation Server
http://support.citrix.com/article/CTX113250 1/7
12.11.2015 Required Ports for Citrix NetScaler Gateway in DMZ Setup
3. NetScaler Gateway returns the Web Interface logon page to the user.
4. The user enters credentials into the Web Interface authentication form and clicks log in.
6. Web Interface takes the credentials and negotiates with the XML Service.
7. The XML Service returns the list of applications to the Web Interface page.
8. Web Interface constructs the appropriate page and responds to NetScaler Gateway.
10. The user clicks an application, and launches the Presentation Server Client.
11. NetScaler Gateway receives an STA ticket from the Presentation Server Client to validate.
12. NetScaler Gateway presents the STA ticket to the STA server.
14. If the STA authorizes the ticket, NetScaler Gateway consults the ICA Access Control List (ACL) to validate whether the incoming
ICA connection conforms with the listed ACLs.
NetScaler Gateway: Secure Gateway Double Hop DMZ Deployment 1 – Portal Page Authentication OFF; Single
NetScaler Gateway in each DMZ
Notes:
Diagram labels: Firewall 1 - DMZ1; Firewall 2 - DMZ2.
NetScaler Gateway 1 can access Web Interface and NetScaler Gateway 2 directly. NetScaler Gateway 2 can access the STA and
Presentation Server directly.
3. NetScaler Gateway 1 returns the Web Interface logon page to the user.
4. The user enters credentials into the Web Interface authentication form and clicks log in.
6. Web Interface takes the credentials and negotiates with the XML Service.
8. Web Interface constructs the appropriate page and responds to NetScaler Gateway 1.
10. The user clicks an application, then launches the Presentation Server Client.
11. NetScaler Gateway 1 receives an STA ticket from the Presentation Server Client to validate.
12. NetScaler Gateway 1 proxies through NetScaler Gateway 2 to reach the STA server.
15. If the STA authorizes the request, NetScaler Gateway 1 consults its ICA ACL to validate whether the incoming ICA
connection conforms to the listed ACLs.
Firewall 1: Open port 443 (SSL port) for the end user browser and Presentation Server Client to communicate with
NetScaler Gateway 1.
Firewall 2: Open port 80 or 443 depending on whether Web Interface is listening for insecure traffic or secure traffic.
Open port 1080 or 443 depending on whether the communication channel between NetScaler Gateway 1 and NetScaler
Gateway 2 is SOCKS or SOCKS over SSL.
Firewall 3: Open port 80 or 443 depending on whether the XML Service is listening for insecure or secure traffic. Open
port 1494 or 2598 or both for ICA/CGP traffic between NetScaler Gateway 2 and the Presentation Server.
Note: Ports are always configurable. The preceding are based on the default protocol port numbers.
NetScaler Gateway: Secure Gateway Double Hop DMZ Deployment 2 – Portal Page Authentication ON; Single
NetScaler Gateway in each DMZ
Notes:
NetScaler Gateway 1 can access Web Interface, the Authentication, Authorization, and Accounting (AAA) server and NetScaler
Gateway 2 directly. NetScaler Gateway 2 can access the STA and Presentation Server directly.
The user is authenticated by the AAA server and then redirected to Web Interface. Web Interface might ask for logon
authentication again.
2. NetScaler Gateway 1 gathers credentials from the user and validates them against the authentication server.
3. If the authentication is acceptable, NetScaler Gateway 1 logs the user on to Web Interface using Single Sign-on (SSO).
4. Web Interface takes the credentials and negotiates with the XML Service.
6. Web Interface constructs the appropriate page and responds to NetScaler Gateway 1.
8. The user clicks an application, then launches the Presentation Server Client.
9. NetScaler Gateway 1 receives an STA ticket from the Presentation Server Client to validate.
10. NetScaler Gateway 1 proxies through NetScaler Gateway 2 to reach the STA server.
13. If the STA authorizes the request, NetScaler Gateway 1 consults its ICA ACL to validate whether the incoming ICA
connection conforms to the listed ACLs.
Firewall 1: Open port 443 (SSL port) for the end user browser and Presentation Server Client to communicate with
NetScaler Gateway 1.
Firewall 2: Open port 80 or 443 depending on whether Web Interface is listening for insecure traffic or secure traffic.
Open port 1080 or 443 depending on whether the communication channel between NetScaler Gateway 1 and NetScaler
Gateway 2 is SOCKS or SOCKS over SSL. Open the port used for portal page authentication (for example, 1812 for RADIUS).
Firewall 3: Open port 80 or 443 depending on whether the XML Service is listening for insecure or secure traffic. Open
port 1494 or 2598 or both for ICA/CGP traffic between NetScaler Gateway 2 and the Presentation Server.
Note: Ports are always configurable. The preceding are based on the default protocol port numbers.
NetScaler Gateway: Secure Gateway Double Hop DMZ Deployment 3 – Portal Page Authentication OFF; Multiple
NetScaler Gateways in second DMZ
Notes:
NetScaler Gateway 1 can access Web Interface and NetScaler Gateway 2 directly. NetScaler Gateway 2 can access STA and
Presentation Server directly.
Configure a load balancing virtual server on NetScaler Gateway 1 that fronts the NetScaler Gateway proxies in the second DMZ,
and point the next hop at that virtual server. The SOCKS handshake takes place inside NetScaler Gateway 1.
3. NetScaler Gateway 1 returns the Web Interface logon page to the user.
4. The user enters credentials into the Web Interface authentication form and clicks Log in.
6. Web Interface takes the credentials and negotiates with the XML Service.
8. Web Interface constructs the appropriate page and responds to NetScaler Gateway 1.
10. The user clicks an application, then launches the Presentation Server Client.
11. NetScaler Gateway 1 receives an STA ticket from the Presentation Server Client to validate.
12. NetScaler Gateway 1 decides (based on a round-robin algorithm) which NetScaler Gateway Proxy it will use and proxies through
that appliance to reach the STA server.
14. The appropriate NetScaler Gateway Proxy forwards the response to NetScaler Gateway 1.
15. If the STA authorizes the request, NetScaler Gateway 1 consults its ICA ACL to validate whether the incoming ICA
connection conforms to the listed ACLs.
Firewall 1: Open port 443 (SSL port) for the end user browser and the Presentation Server Client to communicate with
NetScaler Gateway 1.
Firewall 2: Open port 80 or 443 depending on whether Web Interface is listening for insecure traffic or secure traffic.
Open port 1080 or 443 depending on whether the communication channel between NetScaler Gateway 1 and the
NetScaler Gateway proxies is SOCKS or SOCKS over SSL.
Firewall 3: Open port 80 or 443 depending on whether the XML Service is listening for insecure or secure traffic. Open
port 1494 or 2598 or both for ICA/CGP traffic between the NetScaler Gateway proxies and the server running Presentation
Server.
Note: Ports are always configurable. The preceding are based on the default protocol port numbers.
NetScaler Gateway: Secure Gateway Double Hop DMZ Deployment 4 – Portal Page Authentication ON; Multiple
NetScaler Gateways in Second DMZ
Notes:
NetScaler Gateway 1 can access Web Interface, the AAA server, and NetScaler Gateway 2 directly. NetScaler Gateway 2 can
access the STA and Presentation Server directly.
The user is authenticated by the AAA server and then redirected to Web Interface. Web Interface might ask for logon
authentication again.
2. NetScaler Gateway 1 gathers credentials from the user and validates them against the authentication server.
3. If authentication is acceptable, NetScaler Gateway 1 signs the user on to Web Interface using SSO.
4. Web Interface takes the credentials and negotiates with the XML Service.
6. Web Interface constructs the appropriate page and responds to NetScaler Gateway 1.
8. The user clicks an application, then launches the Presentation Server Client.
9. NetScaler Gateway 1 receives an STA ticket from the Presentation Server Client to validate.
10. NetScaler Gateway 1 decides (based on a round-robin algorithm) which NetScaler Gateway Proxy it will use and proxies through
that appliance to reach the STA server.
12. The appropriate NetScaler Gateway Proxy forwards the response to NetScaler Gateway 1.
13. If the STA authorizes the request, NetScaler Gateway 1 consults its ICA ACL to validate whether the incoming ICA
connection conforms to the listed ACLs.
Firewall 1: Open port 443 (SSL port) for the end user browser and Presentation Server Client to communicate with
NetScaler Gateway 1.
Firewall 2: Open port 80 or 443 depending on whether Web Interface is listening for insecure traffic or secure traffic.
Open port 1080 or 443 depending on whether the communication channel between NetScaler Gateway 1 and the
NetScaler Gateway proxies is SOCKS or SOCKS over SSL. Open the port used for portal page authentication (for
example, 1812 for RADIUS).
Firewall 3: Open port 80 or 443 depending on whether the XML Service is listening for insecure or secure traffic. Open
port 1494 or 2598 or both for ICA/CGP traffic between the NetScaler Gateway proxies and the server running Presentation
Server.
Note: Ports are always configurable. The preceding are based on the default protocol port numbers.
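The firewall requirements for Deployments 1 to 4 above differ only in a few options: which of 80 or 443 the Web Interface and the XML Service listen on, whether the hop between the two appliances is SOCKS (1080) or SOCKS over SSL (443), whether portal page authentication adds an AAA port such as RADIUS 1812, whether ICA (1494), CGP (2598) or both are used, and how many NetScaler Gateway proxies sit in the second DMZ. The following Python script is an added example, not Citrix code: it encodes that matrix and audits a candidate rule set against it, reporting both required flows that have no rule and rules the chosen deployment does not justify, since "open port 80 or 443" means exactly the one the service actually listens on. The zone names (NSG1, NSG2, WebInterface, XMLService, AAA, PresentationServer), the Rule format and the sample rule set are constructed for illustration; the port numbers are the defaults listed in the article.

```python
"""Audit a firewall rule set against the port matrix of the NetScaler Gateway
double-hop DMZ deployments (1 to 4) described in the article.

Added example, not Citrix code. Zone names, the Rule format and SAMPLE_RULES
are constructed; default ports (80/443, 1080/443, 1494/2598, 1812) are the
ones the article lists.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    firewall: str  # "FW1" Internet->DMZ1, "FW2" DMZ1->DMZ2, "FW3" DMZ2->internal
    src: str
    dst: str
    proto: str
    port: int


def required_flows(web_interface_tls, xml_tls, socks_over_ssl, portal_auth,
                   session_reliability, second_hop_proxies=("NSG2",)):
    """Return {firewall: [(label, [alternative (src, dst, proto, port)], required)]}.

    A flow is satisfied when at least one alternative is open. The article's
    "80 or 443" choices are resolved from the deployment options, so a rule for
    the *other* port is reported as excess rather than silently accepted.
    """
    flows = {
        "FW1": [("browser and ICA client -> NSG1",
                 [("Internet", "NSG1", "tcp", 443)], True)],
        "FW2": [("NSG1 -> Web Interface",
                 [("NSG1", "WebInterface", "tcp", 443 if web_interface_tls else 80)], True)],
        "FW3": [],
    }
    if portal_auth:  # Deployments 2 and 4: NSG1 authenticates against the AAA server
        flows["FW2"].append(("NSG1 -> AAA (portal page authentication, RADIUS)",
                             [("NSG1", "AAA", "udp", 1812)], True))
    for proxy in second_hop_proxies:  # one proxy (Deployments 1, 2) or several (3, 4)
        flows["FW2"].append((f"NSG1 -> {proxy} (SOCKS)",
                             [("NSG1", proxy, "tcp", 443 if socks_over_ssl else 1080)], True))
        flows["FW3"].append((f"{proxy} -> XML Service / STA",
                             [(proxy, "XMLService", "tcp", 443 if xml_tls else 80)], True))
        if session_reliability:
            flows["FW3"].append((f"{proxy} -> Presentation Server (CGP)",
                                 [(proxy, "PresentationServer", "tcp", 2598)], True))
            flows["FW3"].append((f"{proxy} -> Presentation Server (ICA, optional with CGP)",
                                 [(proxy, "PresentationServer", "tcp", 1494)], False))
        else:
            flows["FW3"].append((f"{proxy} -> Presentation Server (ICA)",
                                 [(proxy, "PresentationServer", "tcp", 1494)], True))
    return flows


def audit(rules, flows):
    """Return (missing, excess): required flows with no open rule, and rules that
    no flow of this deployment justifies (least privilege on each firewall)."""
    rules = set(rules)
    allowed, missing = set(), []
    for fw, entries in flows.items():
        for label, alternatives, required in entries:
            alt_rules = {Rule(fw, *alt) for alt in alternatives}
            allowed |= alt_rules
            if required and not (alt_rules & rules):
                missing.append(f"{fw}: {label} needs one of {sorted(r.port for r in alt_rules)}")
    excess = [f"{r.firewall}: {r.src} -> {r.dst} {r.proto}/{r.port} is not needed by this deployment"
              for r in sorted(rules - allowed, key=lambda r: (r.firewall, r.src, r.dst, r.port))]
    return missing, excess


# Deployment 2 options (constructed): HTTPS Web Interface, HTTP XML Service,
# SOCKS over SSL between the hops, portal page authentication on, CGP in use.
DEPLOYMENT_2 = dict(web_interface_tls=True, xml_tls=False, socks_over_ssl=True,
                    portal_auth=True, session_reliability=True)

# Constructed rule set with two realistic defects: a leftover HTTP rule to Web
# Interface from an HTTP-only pilot, and no rule at all for RADIUS.
SAMPLE_RULES = [
    Rule("FW1", "Internet", "NSG1", "tcp", 443),
    Rule("FW2", "NSG1", "WebInterface", "tcp", 443),
    Rule("FW2", "NSG1", "WebInterface", "tcp", 80),
    Rule("FW2", "NSG1", "NSG2", "tcp", 443),
    Rule("FW3", "NSG2", "XMLService", "tcp", 80),
    Rule("FW3", "NSG2", "PresentationServer", "tcp", 1494),
    Rule("FW3", "NSG2", "PresentationServer", "tcp", 2598),
]


def audit_sample():
    return audit(SAMPLE_RULES, required_flows(**DEPLOYMENT_2))


if __name__ == "__main__":
    missing, excess = audit_sample()
    for line in missing:
        print("MISSING:", line)
    for line in excess:
        print("EXCESS: ", line)
```

Run stand-alone, the script reports the missing RADIUS rule on Firewall 2 and flags the tcp/80 rule to Web Interface as unneeded once Web Interface listens on 443 only. Passing `second_hop_proxies=("NSG2a", "NSG2b")` generates the per-proxy SOCKS, XML Service and ICA/CGP flows that Deployments 3 and 4 require on Firewalls 2 and 3.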
Applicable Products
NetScaler Gateway 10.1
Access Gateway 10