• Citrix XenApp 6.5 and UDP Port 1604

    While setting up a new Citrix XenApp 6.5 server for testing the Citrix Windows Firewall rules, I saw there was a rule for UDP Port 1604 created.  I thought maybe I did something wrong so I reverted back to a snapshot and reinstalled XenApp 6.5.  Again, I noticed that as soon as the XenApp 6.5 install was complete and before I started the configuration, the UDP Port 1604 Windows Firewall Rule was created.  I thought that UDP Port 1604 went away a long time ago so I reached out to a couple of current and former Citrites to find out.  Indeed UDP Port 1604 is no longer used or needed by any current version of XenApp.

    Why would you need to be concerned about UDP Port 1604?  Some security people believe anything UDP is bad and there are some claims on the Internet about evil things that will happen on your network if UDP Port 1604 is open. Of course we all know that everything you read on the Internet is true! :-)

    To verify that nothing in XenApp 6.5 uses UDP Port 1604, I used Microsoft’s Sysinternals ProcMon to monitor Network Activity (Figure 1).

    Figure 1

    I tested several scenarios:

    • Adding an additional server to the farm,
    • Creating a Worker Group,
    • Creating, modifying and deleting Citrix farm policies,
    • Creating, modifying and deleting Citrix farm administrators,
    • Creating, modifying and deleting published resources,
    • Creating, modifying and deleting load evaluators and
    • Accessing published resources via Citrix Web Interface.

    I found nothing that used UDP Port 1604.

    There are two options available, either delete or disable the Windows Firewall Rule for UDP Port 1604.

    I, personally, would not delete the firewall rule as there is no audit trail available.  I prefer to leave a trail behind to show what has been done.  That leaves disabling the firewall rule.  There are two ways to disable the firewall rule: use the GUI or use the command line.

    To disable the firewall rule using the GUI, click Start, Control Panel, System and Security, Windows Firewall, Advanced settings and then Inbound Rules (Figures 2 through 6).

    Figure 2
    Figure 3
    Figure 4
    Figure 5
    Figure 6

    Right-click the Inbound Rule named “Citrix IMA (UDP-In)” and select Disable Rule as shown in Figure 7.

    Figure 7

    The Inbound Rule now shows that it is not Enabled (Figure 8).

    Figure 8

    The checkmark icon changes from Green to Grey to also show the rule as not enabled.

    If you need to do this on a lot of XenApp 6.5 servers, using the GUI will be painfully inefficient.  Using the command line will simplify disabling the rule on many servers.  It took me a while to figure out the command to disable the rule.  Run the following from an elevated command prompt (Figure 9):

    netsh advfirewall firewall set rule name="Citrix IMA (UDP-In)" profile=any new enable=no
    Figure 9

    In the GUI the rule shows as not Enabled (Figure 10).

    Figure 10
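
    One way to run the netsh command above against many servers, read the rule state back and keep a record of the change, as an added example that is not part of the original post. It assumes PowerShell remoting (WinRM) is enabled on each server, that netsh output is in English, and that a hypothetical servers.txt lists one server name per line; the CSV file name is also made up.

```powershell
# Added example, not from the original post. Assumptions: PowerShell remoting
# (WinRM) is enabled on every target, netsh output is in English, and
# servers.txt (hypothetical) lists one XenApp 6.5 server name per line.
$ruleName = 'Citrix IMA (UDP-In)'
$servers  = Get-Content '.\servers.txt' | Where-Object { $_.Trim() }

$check = {
    param($name)
    # The article's command, run locally on the remote server.
    netsh advfirewall firewall set rule name="$name" profile=any new enable=no | Out-Null
    $setExit = $LASTEXITCODE

    # Read the rule back and collect every "Enabled:" value reported for it.
    $enabled = @(netsh advfirewall firewall show rule name="$name" |
        ForEach-Object { if ($_ -match '^Enabled:\s+(\S+)') { $Matches[1] } })

    # Any socket still bound to UDP 1604 shows up in netstat.
    $bound = @(netstat -ano -p udp | Where-Object { $_ -match ':1604\s' })

    New-Object PSObject -Property @{
        Server       = $env:COMPUTERNAME
        SetExitCode  = $setExit
        RuleEnabled  = (($enabled | Select-Object -Unique) -join ',')
        Udp1604Bound = ($bound.Count -gt 0)
        CheckedUtc   = [DateTime]::UtcNow.ToString('s')
    }
}

$results = foreach ($server in $servers) {
    try {
        Invoke-Command -ComputerName $server -ScriptBlock $check `
            -ArgumentList $ruleName -ErrorAction Stop
    } catch {
        # Record unreachable servers instead of silently skipping them.
        Write-Warning "$server : $($_.Exception.Message)"
        New-Object PSObject -Property @{
            Server = $server; SetExitCode = $null; RuleEnabled = 'ERROR'
            Udp1604Bound = $null; CheckedUtc = [DateTime]::UtcNow.ToString('s')
        }
    }
}

# Keep the outcome as a change record, then list servers needing a second look.
$results | Select-Object Server, SetExitCode, RuleEnabled, Udp1604Bound, CheckedUtc |
    Export-Csv -Path '.\udp1604-rule-change.csv' -NoTypeInformation
$results | Where-Object { $_.RuleEnabled -ne 'No' -or $_.Udp1604Bound }
```

    A server is listed at the end when the rule did not read back as "Enabled: No" (including when no rule with that name was found) or when something is still bound to UDP 1604.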

    After disabling the firewall rule, I went through the same testing and found no issues.

    • Adding an additional server to the farm,
    • Creating a Worker Group,
    • Creating, modifying and deleting Citrix farm policies,
    • Creating, modifying and deleting Citrix farm administrators,
    • Creating, modifying and deleting published resources,
    • Creating, modifying and deleting load evaluators and
    • Accessing published resources via Citrix Web Interface.

    Since I can find nothing in XenApp 6.5 that uses or relies on UDP Port 1604 you can leave the firewall rule alone or disable it.  I prefer to have one less open port on my XenApp 6.5 servers so I choose to disable the rule.


    About Carl Webster

    Webster is a Sr. Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.


    4 Responses to “Citrix XenApp 6.5 and UDP Port 1604”

    1. Uwe Becker Says:

      Hi Carl,

      we are using WLAN-handheld scanners with Windows CE and a Citrix-client on it. While configuring the client I was wondering why it can not locate the servers and find the distributed apps. A check of my firewall-log shows me that the client tries to connect to the servers at port 1604 UDP. Google shows me your post – so maybe this information will be helpful for you to find out what this firewall-rule was needed for.

      Uwe


    2. Asad Says:

      Very, very informative, Sir. I have been following your posts and your site and I must say it's very useful for a beginner like me. Thanks a million for the information. Please keep posting. (Suggest me some blogs for XenApp.)


    3. Joe Says:

      You can also run a netstat -a to see if there is anything listening on that port.

      Joe


      • Carl Webster Says:

        But I can’t use netstat -a to capture a log of all UDP port activity as it happens in real time to analyze later.

        Webster

