I had a few extra cycles this week, and I figured I had better get this second blog completed before I start four straight weeks of travel on a Hyper-V R2 XenDesktop project. Similar to my previous blog Changing XenDesktop Ports – Core Farm Ports, I have once again set the new port number to 5555 or 55555 (since on the first screen below two different port settings exist) in the examples to help you easily identify what is being changed. (Clearly, these are not the recommended port settings, you need to find ones that work in your environment.)
In this blog I cover changing ports for some of the key supporting technologies for XenDesktop, including Provisioning Services, XenDesktop Setup Wizard, EdgeSight, Single Sign-on (Password Manager), and the License Server. For some of these technologies I was able to find Citrix KB articles that describe how to make the changes. In those instances, I have referenced the KB articles rather than re-hash the content here.
Enough said, let’s get down to the topic at hand….
Provisioning services has several different communication ports that are configurable, including the SOAP service, the management services, and target device communication. One thing I particularly like about this product is that all of the ports can easily be changed without much difficulty through the user interface and some can even be changed through the MCLI command-line interface (examples are provided where available). Provisioning Services is extremely network-oriented using a variety of ports to support the SOAP Service, Server-to-Server communication, Inbound device communication, Device booting, Outbound device communication, and Licensing.
SOAP Service (Used by Console and XenDesktop Setup Wizard)
The Provisioning Services 5.1 console by default uses TCP ports 54321-54322 (prior versions used ports 8000-8001) for communication with the SOAP service. The administrator can only specify the first port then the system will automatically use the next sequential number (xxxx+1) for the other communication port, so when specifying a new port number, provide a port where both ports are available.
I don’t particularly have an opinion on changing this port, but keep in mind if you plan on using the XenDesktop Setup Wizard you will also need to make the change I explain below so it can communicate with the SOAP service. To change the SOAP service port number, start the Provisioning Services Configuration Wizard and navigate to the Stream Services dialog box as shown below. When you complete the wizard and the services restart, the change will be in effect.
Server-to-Server Communication (Management Service ports)
The management service Ports are specified on the same Stream Services dialog as the SOAP service and default to UDP ports 6905 – 6909. These ports use MAPI to provide the server-to-server communication. Keep in mind that there should be at least ports in this range and all servers in the farm must have the same range of ports configured.
I personally do not recommend changing these ports for the sole reason that if you do you must remember to make the same change on all the provisioning servers in the farm including future servers you add. However, we have a UI for it therefore I will explain how to make the change. Start the Provisioning Services Configuration wizard and navigate to the Stream services dialog as shown below. As before, once the wizard completes and the services restart, the change will be in effect.
Inbound Device Communication
Each provisioning server maintains a range of UDP ports used to manage all inbound communications from target devices. The default port range 21 ports starting at 6910. If you are planning on supporting a large number of target devices from the provisioning server, then you will probably want to adjust this port range. Before setting the range, it is probably a good idea to run netstat and verify none of the ports in the range are currently in use on the host. This setting also applies to all network cards installed in the provisioning server. So, if you had two network cards in the server and set the range of ports to 21, you would actually have 42 ports available for inbound connections.
Ideally, you should have one thread on the provisioning server for each target device if you have enough server cores to support it. By default, the provisioning server assigns 8 threads per port (configured by clicking the Advanced… button on the Network tab of the Server Properties dialog shown below) which means that with the recommended dual-nic configuration and the defaults for threads and ports the ideal load for the server will be about 336 (8*21*2) target devices.
Of course, a single thread can manage more than one target device and in most installations this is the case. However, if your server has the CPU cycles and memory available, I recommend modifying either the threads/port setting or the number of ports to bring the server up to ideal of one thread per port. To reach the ideal, you can choose to increase the threads, increase the ports, add more nics, or do a combination of all three. A single 1 GB network interface card, ideally configured with one thread per target device should support around 500 target desktops.
Once you have figured out the right amount of ports to support the number of target devices, you can open the Provisioning Services Console and right-click on the server and choose Properties from the context menu and select the Network tab. The inbound communication ports for that server shown in the server properties dialog displayed below.
If you don’t want to access the console to make the change, you can leverage the MCLI command shown below (assuming the provisioning server name is PVS1) to change the port settings. The second command is used to restart the stream services so the changes will be applied.
MCLI Set Server -p serverName="PVS1" -r firstport=5555 lastport=5585
MCLI Run restartStreamService -p serverName="PVS1"
The range of ports specified is specific to that server and could be different for every server in the farm. However, Citrix recommends keeping the same range of ports on all the servers for simplicity and for booting, discussed in the next session. If the lower number (first port) is modified on any server acting as a bootstap server, you will need to adjust the bootstrap settings as well.
The default UDP port for device booting is 6910, which also happens to be the default lower bound of the inbound device port communication discussed above. At least one server specified in the bootstrap must have the same lower bound port number or the clients will not be able boot. Therefore, if you change the lower bound number on any servers that are configured as bootstap servers, you will need to change the bootstrap configuration as well. If you don’t change the lower bound number for the inbound device ports, this can be left alone.
The bootstrap can be changed from either the Provisioning Services console or in the Provisioning Services Configuration Wizard. From the console, right-click the server and choose “Configure Bootstrap…” from the context menu or in start Configuration Wizard and navigate to the Stream Servers Boot List dialog as shown below.
This configuration can also be changed using the MCLI commands below. As indicated earlier, the first command makes the change, the second command restarts the stream service so the changes will be applied.
MCLI Set serverBootStrap -p serverName="PVS1" name="ARDBP32.BIN" -r bootserver1_Port=5555
MCLI Run restartStreamService -p serverName="PVS1"
Outbound Device Communication
The default UDP Source port 6901 is used by the target device for communication to the provisioning server. I have had one customer where this port had to be changed because a software program on the vDisk was using this particular port. The setting is set per target device. To change it the setting, open the Provisioning Services console and right-click on the target device. Choose Properties from the context menu and set the new port number.
This setting can also be set through the command-line interface. Use the following MCLI command to accomplish the same change as indicated in the dialog box above:
MCLI Set Device -p deviceName="wxpsp3_1" -r port=5555
If you have changed the port on the Citrix Licensing Server, you can change it in the Farm Properties dialog from the Provisioning Service Console. To do this, right-click on the provisioning services farm name and choose Properties, then select the Licensing tab.
Alternatively, you can execute the same change with the following MCLI command:
MCLI set farm -r licenseServerPort=55555
XenDesktop Setup Wizard
If you change the Provisioning Services SOAP service ports as discussed above, you will need to modify the \Program Files\Citrix\XenDesktop Setup Wizard\SetupToolApplication.exe.config file with the correct port numbers so the XenDesktop Setup Wizard will know what ports to find the API on. The easiest way to make the change is to edit the file with Notepad and find the following two lines and modify them to have the correct port numbers.
Following the example above where I moved the SOAP service to ports to 55555 and 55556, the lines would look like this:
When the changes have been completed, save the configuration file and then restart the XenDesktop Setup Wizard.
During the install of EdgeSight, the database communication ports could be changed if the SQL Server is running on a different port. These changes are handled during the install by clicking the “Client Configuration” button on the Database dialog. Since this procedure is similar to changing the database for XenDesktop, I will refer you to the Database section of the Changing XenDesktop Ports – Core Farm Ports blog posted earlier this month.
The EdgeSight server runs a web service that is used both for administration and for agent data upload. The web service usually runs over standard HTTP/S ports 80/443. The web services port can be changed, though it is not recommended when EdgeSight agents have already been deployed, because it will require that each EdgeSight agent be modified to use the new port number through the local Add/Remove Programs applet. If you want to change the web server port, follow the instructions found in CTX118848.
Real-time communication directly with the EdgeSight agent database occurs over TCP port 9035 and this port cannot be changed.
Single Sign-on (Password Manager)
The Password Manager Service is the only component in Single Sign-on that has a configurable port value. The Password Manager Service leverages the XTE engine and is configured during the initial install. The port for the service can be changed at anytime by re-running the Service Configuration tool. The port configuration is on the opening page.
Keep in mind that if you modify this port from 443, you will need to include the new port number on the service URL (https://ctx1.ctxs.local:5555/MPMService) for all single sign-on settings that use the service, such as Key Recovery, Data Integrity, and Account Self-Service.
Finally, the Citrix License server uses two ports for communication. The first is the general inbound license server port which is 27000. The second is the vendor daemon port, which now is automatically configured for 7279. Normally, these ports are sufficient for most installations. If you wish to change the ports detailed instructions can be found in CTX118367. I would not change these ports unless it was necessary in the environment.
Well that concludes today’s posting I hope you found the information useful. If you would like to be notified of future blogs, feel free to follow me on Twitter @pwilson98.