Until Citrix automates the firewall rule creation process, I wrote a little script that opens all of the Citrix default ports to support PXE, TFTP, SOAP, and the streaming services. Of course, if you change the default ports or installation paths, you will need to tweak the script.
Unfortunately the commands are pretty long, so they will line wrap. Just paste them into a .cmd file and run it from a command prompt. If you want to increase the security of your server, you can limit each rule's remote IPs to the particular IPs or subnets that will be accessing these services.
--
@echo off
:: Configures the Windows Server 2008/R2 firewall for Citrix Provisioning Services.
:: Includes the PXE and TFTP services. Adjust localport= and program= if you changed
:: the default ports or installation path. All rules apply to the domain profile only.
echo Configuring Windows Advanced Firewall for Citrix Provisioning Services.
:: PXE boot service (BNPXE.exe): UDP 67 (BOOTP/DHCP) and UDP 4011 (PXE proxy DHCP).
netsh advfirewall firewall add rule name="Citrix PXE Services (UDP-in)" dir=in action=allow protocol=UDP profile=domain localport=67,4011 program="%ProgramFiles%\Citrix\Provisioning Services\BNPXE.exe" description="Allows inbound PXE boot connections."
:: TFTP service (BNTFTP.exe): UDP 69, serves the bootstrap file to PXE clients.
netsh advfirewall firewall add rule name="Citrix TFTP Services (UDP-in)" dir=in action=allow protocol=UDP profile=domain localport=69 program="%ProgramFiles%\Citrix\Provisioning Services\BNTFTP.exe" description="Allows inbound TFTP connections."
:: SOAP server (SoapServer.exe): TCP 54321 and 54322.
netsh advfirewall firewall add rule name="Citrix SOAP Services (TCP-in)" dir=in action=allow protocol=TCP profile=domain localport=54321,54322 program="%ProgramFiles%\Citrix\Provisioning Services\SoapServer.exe" description="Allows inbound SOAP connections."
:: Streaming service (streamprocess.exe): UDP 6905-6930 and 10802-10803 for vDisk streaming.
netsh advfirewall firewall add rule name="Citrix Streaming Services (UDP-in)" dir=in action=allow protocol=UDP profile=domain localport=6905-6930,10802-10803 program="%ProgramFiles%\Citrix\Provisioning Services\streamprocess.exe" description="Allows inbound Citrix Streaming connections."
--
After you run the script, open Windows Firewall with Advanced Security and look under Inbound Rules; you should see the four rules above created.
Also, I found that if you are two-stage booting physical machines from a provisioning server, you'll need an additional rule for UDP 6969; see the following shortened CTX article link: http://goo.gl/wgDoQ
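The script above opens each service to any remote address. Here is a hardened variant of the same procedure, as an added example (it is not the post's own script and not Citrix code): it scopes the TFTP, SOAP, streaming and two-stage boot rules to one client subnet with remoteip=, adds the UDP 6969 rule mentioned above, deletes any existing rule of the same name first so the script can be re-run without creating duplicates, and then checks that every rule actually exists. The subnet 10.0.0.0/24, the install directory in PVSDIR, and the rule names are assumptions you will need to change to match your environment; the PXE rule is deliberately left unscoped because a PXE client sends its first DHCP discover before it has an address (source 0.0.0.0), so a subnet-scoped rule on UDP 67 would drop it unless the request arrives through a DHCP relay.

```batch
@echo off
:: Added example, not from the original post: scoped inbound rules for Citrix
:: Provisioning Services on Windows Server 2008/R2 using netsh advfirewall.
:: Assumptions: default install path, default ports, domain profile.
:: CHANGE THIS placeholder to the subnet(s) or addresses of your target devices.
set CLIENTS=10.0.0.0/24
set PVSDIR=%ProgramFiles%\Citrix\Provisioning Services
set FAILED=0

echo Configuring Windows Advanced Firewall for Citrix Provisioning Services (clients: %CLIENTS%)

:: Remove earlier copies so re-running the script does not stack duplicate rules.
for %%R in ("Citrix PXE Services (UDP-in)" "Citrix TFTP Services (UDP-in)" "Citrix SOAP Services (TCP-in)" "Citrix Streaming Services (UDP-in)" "Citrix Two-Stage Boot (UDP-in)") do (
    netsh advfirewall firewall delete rule name=%%R >nul 2>&1
)

:: PXE (UDP 67, 4011): left unscoped, because the initial DHCP discover is sent from 0.0.0.0.
netsh advfirewall firewall add rule name="Citrix PXE Services (UDP-in)" dir=in action=allow protocol=UDP profile=domain localport=67,4011 program="%PVSDIR%\BNPXE.exe" description="Allows inbound PXE boot connections."

:: The remaining services are contacted only after the client has an address, so they can be scoped.
netsh advfirewall firewall add rule name="Citrix TFTP Services (UDP-in)" dir=in action=allow protocol=UDP profile=domain localport=69 remoteip=%CLIENTS% program="%PVSDIR%\BNTFTP.exe" description="Allows inbound TFTP connections from %CLIENTS%."
netsh advfirewall firewall add rule name="Citrix SOAP Services (TCP-in)" dir=in action=allow protocol=TCP profile=domain localport=54321,54322 remoteip=%CLIENTS% program="%PVSDIR%\SoapServer.exe" description="Allows inbound SOAP connections from %CLIENTS%."
netsh advfirewall firewall add rule name="Citrix Streaming Services (UDP-in)" dir=in action=allow protocol=UDP profile=domain localport=6905-6930,10802-10803 remoteip=%CLIENTS% program="%PVSDIR%\streamprocess.exe" description="Allows inbound Citrix Streaming connections from %CLIENTS%."

:: Two-stage booting of physical machines also needs UDP 6969 (see the CTX article in the post).
:: No program= restriction here because the post does not name the listening executable.
netsh advfirewall firewall add rule name="Citrix Two-Stage Boot (UDP-in)" dir=in action=allow protocol=UDP profile=domain localport=6969 remoteip=%CLIENTS% description="Allows inbound two-stage boot connections from %CLIENTS%."

:: Verify: "show rule" prints a "Rule Name:" line for every matching rule; findstr sets
:: errorlevel 1 when the line is absent, which means the rule was not created.
echo.
echo Verifying rules:
for %%R in ("Citrix PXE Services (UDP-in)" "Citrix TFTP Services (UDP-in)" "Citrix SOAP Services (TCP-in)" "Citrix Streaming Services (UDP-in)" "Citrix Two-Stage Boot (UDP-in)") do (
    netsh advfirewall firewall show rule name=%%R | findstr /C:"Rule Name:" >nul 2>&1
    if errorlevel 1 (
        echo   MISSING %%R
        set FAILED=1
    ) else (
        echo   OK      %%R
    )
)

if "%FAILED%"=="1" (
    echo One or more rules were not created. Run this script from an elevated command prompt.
    exit /b 1
)
echo All rules present.
exit /b 0
```

Run it from an elevated command prompt as a .cmd file, exactly like the original script. The "show rule" check at the end is also a handy way to audit an existing server: run just that loop on a machine that should already be configured and any MISSING line tells you which service is currently unreachable or, conversely, which rule someone removed.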