Recently several customers and integrators have asked me about the ports used by XenDesktop and whether or not Citrix recommends changing them. Since the ports used by Citrix products are well documented in CTX101810, I will leave that topic alone. However, in this blog I will provide some guidance around the ports you can change, where the change can be made, and whether it is a good idea to do so. Like any good news story, the information is provided in order of relevance.
Due to the amount of content, I have decided to break this blog into multiple parts, starting with the core XenDesktop farm ports. I will tackle the supporting technologies like Provisioning Services and the XenDesktop Setup Wizard later.
Note: To make the port number change obvious I have used 5555 in all the screen shots below. Clearly, bad things would happen if you set all the components to the same port value.
The VDA communication is actually two one-way communications between the Citrix Desktop Delivery Controller Service running on the Desktop Delivery Controller (DDC) and the Citrix Desktop Service running on the desktop. The significance of that statement is that the two ports can be set independently and do not have to be the same. To confuse this more, the default for both ports happens to be port 8080 which is the default for the Microsoft Windows Communication Foundation (WCF) services used by XenDesktop. Since port 8080 is used by other services, such as internet proxies or McAfee, I highly recommend changing this port on both sides of the communication.
Desktop Delivery Controller WCF Port
During the install of the DDC, the WCF port for the Citrix Desktop Delivery Controller Service is automatically set to 8080 and cannot be changed. To change the port, wait until after the installation is complete. Unfortunately, you cannot change this directly from the Add/Remove Programs Control Panel. Instead, you need to run the DDCServices.msi package from the installation media. Choose Modify, click Next, and then set the new port number. Click Next then Install to finish the wizard. I recommend rebooting the server after this change. The screen sequence is shown below.
Now, some readers may wonder if the DDC inbound port needs to be the same on all farm servers. The answer is it depends on whether you are using Active Directory for discovery or the optional registry-based discovery model. If you are using AD, the port number can be different, because each controller will store their WCF port number in the SCP object of Active Directory. However, if you are using on the registry-based discovery model, all the controllers must share the same port number because only one port number can be specified in the registry.
Virtual Desktop Agent WCF Port
Changing the WCF port on the Virtual Desktop Agent side can be done either during the initial install or afterwards using the Add/Remove Programs control panel applet. To change it afterwards, open Add/Remove Programs, choose the “Change” option for the Citrix Virtual Desktop Agent, select Modify, click Next, click Next on the Custom Setup screen, enter the port number and then finish the wizard. The initial sequence looks similar to the DDC install and is shown below.
Although in the examples above I have set the ports to be the same for both components, this is not a requirement.
For security reasons, many institutions run SQL Server on a port other than 1433. If you are running the database on a different port, you can specify this information either during the setup by selecting the Client Configuration button on the ODBC setup screen and entering the new database port. Below are the screen shots for changing the ports during the installation for SQL Server.
Alternatively, you can directly edit the C:\Program Files\Citrix\Independent Management Architecture\MF20.DSN file that is used by the IMA service. For a SQL server, you would just add the line Address=servername,port to the file. Restart the Citrix Independent Management Service for the change to take effect. Below is a sample MF20.DSN file where I have specified a different tcp port for the SQL server.
Session reliability is another port that companies often modify to increase security for remote access. Unlike the ICA port number, this port can easily be changed by a setting in the Access Management Console. When session reliability is enabled, the ICA client tunnels its ICA traffic inside the Common Gateway Protocol (CGP) on the session reliability port. The XTE service will then unpack the ICA packets and forward them to the ICA listener port on the server. If you change the session reliability port, you cannot just stop and restart the IMA and XTE services instead you will need to reboot the server. The session reliability port can be changed in the farm properties as shown in the screen shot below:
Changing the port of the API communications is not recommended. However, if you have changed the inbound port for the API on VMWare Virtual Center or XenServer, you can configure XenDesktop by specifying the new port number on the location URL for the Access Management Console and the Setup Wizard as shown in the screen shot below.
Changing the IMA ports (2512/2513) used by the farm for communication is not recommended. The primary reason I do not recommend changing the IMA port numbers is because the vast majority of quality assurance testing is done with the default port numbers. However, if you feel so inclined, you can use the IMAPORT.EXE utility to set the IMA ports for the IMA service and CMC to different values. After running this utility, you will need to restart all the Citrix services or just reboot the server.
The XML Service port can be changed on the Desktop Delivery Controller. However, changing the XML service port is not recommended as there have been several reports of strange behaviors after changing it. If you must change the port number, you can use the CTXXMLSS.EXE command-line utility to do so and use the same XML service port for all DDCs in the farm.
That is all I have time for now. I hope to the have the next set of ports for the supporting technologies out by the end of the month. If you found this helpful and would like to be notified of future blogs postings, please follow me on twitter @pwilson98.