You can add as much HA and DR infrastructure as you like to your farm, but ultimately the Citrix license server or RDS license server can bring down your entire estate. Citrix offers a 720 hour grace period, which allows you time to fix your license server or bring a new one online. Microsoft RDS licensing offers a 120 day grace period if you haven't already used it. This blog post addresses the process of troubleshooting Citrix licensing, monitoring it, and the networking ports required for the service to work.
The issue: A DDC dropped off the site/farm as it was unable to connect to a valid license from the license server.
Even with port 27000 open and confirmed by telnet, it was still unable to connect.
The additional port 7279 (check in/check out) was opened by networks, and I could see in the event logs that the Citrix Broker service connected to the license server. However, in Studio we still could view the license server.
After further investigation I found an error code: XDDS:9509EEA3. This suggested that TCP ports 8082 and 8083 needed opening, as per article: https://support.citrix.com/article/CTX200937
Resolution: The Citrix Web Services for Licensing service listens on port 8083/8082 and is required if you want to view licenses in Studio on a DDC. Ports 27000 and 7279 are essential for acquiring licenses.
Networking: DDC to license server requires ports TCP 27000, 7279, 8083 and 8082 to function properly. Our environment is completely locked down, so we have to request every port that needs to be opened between hosts.
Monitoring: Event logs will help you identify license issues. Look for the following:
- Error: Source: Citrix Broker Service, Event 1151, The Citrix Broker cannot contact the license server
- Error: Source: Citrix Broker Service, Event 1155, The Citrix Broker will not stop providing desktop and application sessions, this controller is no longer in grace period… (This is critical and you need to fix the issue ASAP or face losing the DDC/Site)
- Info: Source: Citrix Broker Service, Event 1198, The Citrix Broker is successfully consuming licenses from the license server. (You're back in business)
- Info: Source: Citrix Broker Service, Event 1150, The Citrix Broker Service successfully contacted the license server (Your license server is back online, Happy Days)
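The port and event checks above combined into one script to run on a DDC. This is an added example, not part of the original post or of Citrix tooling; the license server name, the Application log name and the 24 hour lookback are assumptions to adjust for your site.

```powershell
# Added example: run on the DDC. Checks the four licensing ports from this
# post, then reports the most recent Citrix Broker Service licensing event.
param(
    [string]$LicenseServer = 'licsrv01.example.local',  # hypothetical host name
    [int]$LookbackHours = 24                            # assumption
)

# Ports named in the post and what each one is needed for.
$ports = @(
    @{ Port = 27000; Purpose = 'License acquisition' }
    @{ Port = 7279;  Purpose = 'License check in/check out' }
    @{ Port = 8082;  Purpose = 'Web Services for Licensing (Studio view)' }
    @{ Port = 8083;  Purpose = 'Web Services for Licensing (Studio view)' }
)
$portResults = foreach ($p in $ports) {
    $ok = Test-NetConnection -ComputerName $LicenseServer -Port $p.Port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $p.Port; Purpose = $p.Purpose; Reachable = $ok }
}
$portResults | Format-Table -AutoSize

# Event IDs from the monitoring list and what they mean for the site.
$meaning = @{
    1150 = 'OK: contacted the license server'
    1151 = 'ERROR: cannot contact the license server'
    1155 = 'CRITICAL: no longer in grace period'
    1198 = 'OK: consuming licenses'
}
$filter = @{
    LogName      = 'Application'            # assumption: log holding these events
    ProviderName = 'Citrix Broker Service'  # event source named in the post
    Id           = 1150, 1151, 1155, 1198
    StartTime    = (Get-Date).AddHours(-$LookbackHours)
}
# Get-WinEvent returns newest first, so the first record is the current state.
$latest = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($latest) {
    '{0:u}  Event {1}  {2}' -f $latest.TimeCreated, $latest.Id, $meaning[$latest.Id]
} else {
    "No licensing events in the last $LookbackHours hours."
}

# A non-zero exit code lets a scheduled task or monitoring agent raise an alert.
$blocked = @($portResults | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0 -or ($latest -and $latest.Id -in 1151, 1155)) { exit 1 }
```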
RDS licensing: Citrix requires you to have RDS (Remote Desktop) licenses on an RDS license server. You don't need to configure your VDA for all RDS services, and the VDA will install these automatically.
You need to create a GPO to point your Citrix servers (VDA) to the RDS license server. This came in with Windows 2012; before that you could just add the RDS license servers in the control panel.
Networking Ports: This can be a pain because you need so many and also a dynamic range, but you can customize the port range: https://support.microsoft.com/en-us/help/154596/how-to-configure-rpc-dynamic-port-allocation-to-work-with-firewalls
| Application protocol | Protocol | Ports |
| --- | --- | --- |
| RPC | TCP | 135 |
| Randomly allocated high TCP ports | TCP | random port number between 1024 – 65535; random port number between 49152 – 65535 |
| NetBIOS Datagram Service | UDP | 138 |
| NetBIOS Name Resolution | UDP | 137 |
| NetBIOS Session Service | TCP | 139 |
| SMB | TCP | 445 |
RDS Events: This is better explained in the Microsoft article as there are many examples: https://technet.microsoft.com/en-us/library/ee890876(v=ws.10).aspx
You can choose which event IDs are best to monitor, but generally events about being unable to connect, unable to issue, or a certificate related to this service need to be monitored.