  • 1

Citrix 1912 CU1 VDA Command Line Installation - No Firewall Rules Set - VDA Error "AgentNotContactable"

Tom Swift


Think there may be a bug in the 1912 CU1 VDA using the command line to install as no firewall rule settings are created.  If the GUI is used the firewall rules are created as expected.


Here is the command line with the parameters we want set:



/quiet /noreboot /components vda /controllers "CTRL.DOMAIN.COM" /enable_remote_assistance /enable_real_time_transport /disableexperiencemetrics /includeadditional "Citrix User Profile Manager WMI Plugin" /exclude "Personal vDisk","Citrix Telemetry Service","Citrix User Profile Manager" /virtualmachine


We also ran this through the command line generator utility to verify we weren't doing anything incorrectly.


It does create one firewall policy named "Citrix Audio Redirection Service" but not the other 6 the GUI does.


Not sure when the command line stopped setting the firewall rules correctly, but for certain it doesn't work in 1912 CU1.


What was happening without the firewall rules being set is that we were getting an error in the event logs containing "AgentNotContactable", and when we disabled the firewall altogether we'd get the 1012 event ID saying the VDA had successfully registered with the controller.


Our fix was to add New-NetFirewallRule statements to the PowerShell script we use to install the VDA on server and workstation operating systems.  If the firewall rule already exists it won't add it and will kick out a little error but continue.


New-NetFirewallRule -DisplayName "Citrix Audio Redirection Service" -Description "Firewall Rule for Citrix Audio Redirection Service" -Group "Citrix Virtual Desktop Agent" -Direction Inbound -Action Allow -Protocol UDP -LocalPort 16500,16501,16502,16503,16504,16505,16506,16507,16508,16509

New-NetFirewallRule -DisplayName "Citrix CGP Server Service" -Description "Firewall Rule for Citrix CGP Server Service" -Group "Citrix Virtual Desktop Agent" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 2598

New-NetFirewallRule -DisplayName "Citrix CGP UDP" -Description "Firewall Rule for Citrix CGP UDP Port" -Group "Citrix Virtual Desktop Agent" -Direction Inbound -Action Allow -Protocol UDP -LocalPort 2598

New-NetFirewallRule -DisplayName "Citrix Desktop Service" -Description "Firewall Rule for Citrix Desktop Service" -Group "Citrix Virtual Desktop Agent" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 80

New-NetFirewallRule -DisplayName "Citrix ICA Service" -Description "Firewall Rule for Citrix ICA Service" -Group "Citrix Virtual Desktop Agent" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 1494

New-NetFirewallRule -DisplayName "Citrix ICA UDP" -Description "Firewall Rule for Citrix ICA UDP Port" -Group "Citrix Virtual Desktop Agent" -Direction Inbound -Action Allow -Protocol UDP -LocalPort 1494

New-NetFirewallRule -DisplayName "Citrix Websocket Service" -Description "Firewall Rule for Citrix Websocket Service" -Group "Citrix Virtual Desktop Agent" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 8008




Link to comment
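An idempotent form of the fix described in the post above, as an added example that is not part of the original post or of Citrix's installer: it checks for each rule with Get-NetFirewallRule before creating it, then verifies that every rule is present once and enabled. Rule names, descriptions, ports and group are copied from the post; the function name Add-VdaRuleIfMissing is hypothetical, and the script assumes an elevated PowerShell session.

```powershell
# Added example, not from the original post. Run elevated, after the VDA install.
$group = 'Citrix Virtual Desktop Agent'

# Rule table copied from the post. Desc is set only where the post's
# description is not simply "Firewall Rule for <display name>".
$rules = @(
    @{ Name = 'Citrix Audio Redirection Service'; Protocol = 'UDP'; Ports = [string[]](16500..16509) }
    @{ Name = 'Citrix CGP Server Service';        Protocol = 'TCP'; Ports = '2598' }
    @{ Name = 'Citrix CGP UDP';                   Protocol = 'UDP'; Ports = '2598'; Desc = 'Firewall Rule for Citrix CGP UDP Port' }
    @{ Name = 'Citrix Desktop Service';           Protocol = 'TCP'; Ports = '80' }
    @{ Name = 'Citrix ICA Service';               Protocol = 'TCP'; Ports = '1494' }
    @{ Name = 'Citrix ICA UDP';                   Protocol = 'UDP'; Ports = '1494'; Desc = 'Firewall Rule for Citrix ICA UDP Port' }
    @{ Name = 'Citrix Websocket Service';         Protocol = 'TCP'; Ports = '8008' }
)

# Hypothetical helper: create the rule only when no rule with that display name exists.
function Add-VdaRuleIfMissing {
    param([hashtable]$Rule)
    if (Get-NetFirewallRule -DisplayName $Rule.Name -ErrorAction SilentlyContinue) {
        return 'exists'
    }
    $desc = if ($Rule.Desc) { $Rule.Desc } else { "Firewall Rule for $($Rule.Name)" }
    New-NetFirewallRule -DisplayName $Rule.Name -Description $desc -Group $group `
        -Direction Inbound -Action Allow -Protocol $Rule.Protocol -LocalPort $Rule.Ports | Out-Null
    return 'created'
}

foreach ($r in $rules) {
    '{0,-36} {1}' -f $r.Name, (Add-VdaRuleIfMissing -Rule $r)
}

# Verify: each expected rule is present exactly once, enabled, inbound and set to Allow.
$bad = foreach ($r in $rules) {
    $found = @(Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)
    $ok = $found.Count -eq 1 -and $found[0].Enabled -eq 'True' -and
          $found[0].Action -eq 'Allow' -and $found[0].Direction -eq 'Inbound'
    if (-not $ok) { $r.Name }
}
if ($bad) {
    # Fail the install script so a VDA that cannot register is caught at build time.
    Write-Error "VDA firewall rules missing, duplicated or disabled: $($bad -join ', ')"
    exit 1
}
```

A non-zero exit here points at the firewall before the VDA reaches the "AgentNotContactable" stage; rules left disabled or duplicated by an earlier run are reported by name.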


  • 0



Not seeing that behavior here. I have just installed 1912CU1 on WS2019. I have Citrix Audio Redirection, Citrix CGP Service Server, Citrix CGP UDP, Citrix Desktop Service, Citrix ICA Service, Citrix ICA UDP and Citrix Websocket Service firewall rules.


Install parameters:
/components vda /masterimage /optimize /quiet /enable_hdx_ports /enable_hdx_udp_ports /enable_framehawk_port /enable_real_time_transport /enable_remote_assistance /noreboot /exclude "AppDisks VDA Plug-in","Personal vDisk","Citrix Personalization for App-V - VDA","Citrix Telemetry Service","Citrix Files for Windows"

I am using the separate VDA installer, not the one from the CVAD ISO. 

Link to comment
  • 0

I have a similar error coming up but the install (done by GUI on the master target) was fine. It only happens on one server out of 3 that are streaming the same provisioned disk.


The affected server is in a lower OU that has an extra GPO. The extra GP just allows basic auth and allows all Trusted Hosts for the WinRM client. It also allows PowerShell script execution for local and remote signed scripts. Don't think this should have any effect on the VDA registration but thought I'd mention the difference.


Any ideas on what it could be?

Link to comment
