Provisioning Server and Firewalls

By Aaron Silber:

Provisioning Server is here to stay and I think we can all agree that this is a great thing. Recently, while installing a new environment, I started to run into a few issues which I immediately realized were a firewall issue. The system was configured using Windows 2008, so I immediately went to look at the configuration and, like a good consultant, was about to turn it off, when the client said to me, "We use the Windows Firewall and it must stay on!" The nerve, right? I know, I agree!

In any case, I now had to actually look into what needed to be open to make this work, which doesn't sound too difficult: look up the Citrix doc, get the port numbers, create a rule and I'm done. The problem is that the version of Provisioning Server you are using determines which ports you need to open, as they changed in 5.6, and I found references to different ports in three different documents from Citrix. In the end, there was no single document that had all of the ports listed.

There is a nice document from Citrix on ports used by Citrix Technologies, sounds pretty complete, but is definitely missing some, like 6969, which is listed on this page: https://support.citrix.com/article/CTX125744 and is used for the TSB; anyone care to guess what that one is? (no peeking!)

In order to save everyone from what I went through tracking this down, I present to you a script which, when run, will modify the Provisioning Server firewall with all of the ports necessary to make Provisioning Server work. It uses NETSH (a very powerful command indeed) to add the rules and even includes the description pulled from the various Citrix documents.

Enjoy and feel free to comment.

Aaron

@ECHO OFF

ECHO.
ECHO This script will modify the Firewall with rules necessary for proper Provisioning Server Communication
ECHO.
PAUSE

REM Each rule below is an inbound allow rule on the Domain, Private and Public profiles.
REM Ports and descriptions are taken from the Citrix documentation referenced above.

REM DHCP / PXE (UDP 67,68)
netsh advfirewall firewall add rule name="Citrix (DHCP,PXE)" description="The DHCP server will offer an IP address to the target server. The DHCP server also offers other parameters, including: Option 60: PXE Client Address" protocol=UDP profile=domain,private,public dir=in localport=67,68 action=allow

REM PXE Server (UDP 67,4011)
netsh advfirewall firewall add rule name="Citrix (PXE Server)" description="The Target server will make a request to the PXE server for startup information. The PXE server will respond with Option 66: Boot Server Host Name Option 67: Bootfile Name" protocol=UDP profile=domain,private,public dir=in localport=67,4011 action=allow

REM TFTP Server (UDP 69)
netsh advfirewall firewall add rule name="Citrix (TFTP Server)" description="The target server will use the information sent back from the DHCP server to obtain the bootfile. Once the target server obtains the bootfile from the TFTP server, it launches the file, which allows the target server to begin the boot process. The bootfile contains information about contacting Provisioning Services." protocol=UDP profile=domain,private,public dir=in localport=69 action=allow

REM Stream Service (UDP 6910-6930)
netsh advfirewall firewall add rule name="Citrix (Stream Service)" description="The target server contacts Provisioning Services requesting a vDisk." protocol=UDP profile=domain,private,public dir=in localport=6910-6930 action=allow

REM License Server (TCP 27000)
netsh advfirewall firewall add rule name="Citrix (License Server)" description="When the target server is online, Provisioning Services contacts the License Server to obtain a connection license." protocol=TCP profile=domain,private,public dir=in localport=27000 action=allow

REM Console Communication (TCP 54321-54322)
netsh advfirewall firewall add rule name="Citrix (Console Communication)" description="This port allows the Provisioning Server to connect to the PVS Farm." protocol=TCP profile=domain,private,public dir=in localport=54321-54322 action=allow

REM Provisioning Server Farm Communication (UDP 6890-6909)
netsh advfirewall firewall add rule name="Citrix (Provisioning Server Farm Communication)" description="This port allows the operating system to be streamed to the targets." protocol=UDP profile=domain,private,public dir=in localport=6890-6909 action=allow

REM TSB (UDP 6969)
netsh advfirewall firewall add rule name="Citrix (TSB)" description="This Port is used in the boot-up process" protocol=UDP profile=domain,private,public dir=in localport=6969 action=allow

REM Write Cache Communication (UDP 10802-10803)
netsh advfirewall firewall add rule name="Citrix (Write Cache Communication)" description="This is for communications between the target and the write cache" protocol=UDP profile=domain,private,public dir=in localport=10802-10803 action=allow
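Once the batch script has run, the natural follow-up is to confirm that every rule actually landed with the right protocol, port and action, and to notice that the script binds each rule to the Public profile as well as Domain and Private. The PowerShell audit below is an added example and not part of Aaron's post: it dumps the firewall rule set once with netsh (so it also works on Windows Server 2008, which lacks the NetSecurity cmdlets), parses the "Key: value" blocks into a table, and compares the rules named in the script against the expected values. It assumes English-locale netsh output and that the rule names match the script exactly; the rule names, protocols and ports are copied from the script above.

```powershell
# Added example (not from the original post): audit the Windows Firewall for the
# Provisioning Server rules created by the batch script. Assumes English-locale
# netsh output and the exact rule names used in the script.

# Expected rules, copied from the batch script.
$expected = @(
    @{ Name = 'Citrix (DHCP,PXE)';                               Protocol = 'UDP'; LocalPort = '67,68' },
    @{ Name = 'Citrix (PXE Server)';                             Protocol = 'UDP'; LocalPort = '67,4011' },
    @{ Name = 'Citrix (TFTP Server)';                            Protocol = 'UDP'; LocalPort = '69' },
    @{ Name = 'Citrix (Stream Service)';                         Protocol = 'UDP'; LocalPort = '6910-6930' },
    @{ Name = 'Citrix (License Server)';                         Protocol = 'TCP'; LocalPort = '27000' },
    @{ Name = 'Citrix (Console Communication)';                  Protocol = 'TCP'; LocalPort = '54321-54322' },
    @{ Name = 'Citrix (Provisioning Server Farm Communication)'; Protocol = 'UDP'; LocalPort = '6890-6909' },
    @{ Name = 'Citrix (TSB)';                                    Protocol = 'UDP'; LocalPort = '6969' },
    @{ Name = 'Citrix (Write Cache Communication)';              Protocol = 'UDP'; LocalPort = '10802-10803' }
)

function Get-FirewallRuleTable {
    # Dump every rule once and parse the "Key: value" lines into a hashtable
    # keyed by rule name. netsh allows duplicate names; the last block wins here.
    $lines = netsh advfirewall firewall show rule name=all verbose
    $rules = @{}
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^(?<key>[A-Za-z][A-Za-z ]*):\s*(?<val>.*)$') {
            $key = $Matches['key'].Trim()
            $val = $Matches['val'].Trim()
            if ($key -eq 'Rule Name') {
                $current = @{}
                $rules[$val] = $current
            } elseif ($null -ne $current) {
                $current[$key] = $val
            }
        }
    }
    return $rules
}

function Test-PvsFirewallRules {
    $rules = Get-FirewallRuleTable
    $problems = @()
    foreach ($e in $expected) {
        $r = $rules[$e.Name]
        if ($null -eq $r) { $problems += "MISSING  $($e.Name)"; continue }
        foreach ($check in @(
            @('Enabled',   'Yes'),
            @('Direction', 'In'),
            @('Action',    'Allow'),
            @('Protocol',  $e.Protocol),
            @('LocalPort', $e.LocalPort))) {
            $field, $want = $check
            if ($r[$field] -ne $want) {
                $problems += "MISMATCH $($e.Name): $field is '$($r[$field])', expected '$want'"
            }
        }
        # The batch script enables each rule on the Public profile too; a
        # domain-joined PVS host normally only needs the Domain profile.
        if ($r['Profiles'] -match 'Public') {
            $problems += "SCOPE    $($e.Name): enabled on the Public profile"
        }
    }
    return ,$problems
}

$problems = @(Test-PvsFirewallRules)
if ($problems.Count -eq 0) {
    'All Provisioning Server rules are present and correct.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it from an elevated PowerShell prompt on the Provisioning Server. A SCOPE warning is expected straight after the batch script runs; if the host only ever talks to targets on the domain network, the same netsh rules can be created with profile=domain instead, which keeps the ports closed on any interface that falls into the Public profile.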