VMware Blast Extreme Display Protocol in VMware Horizon
VMware Horizon 7 version 7.10 and later
VMware Horizon 8
Introduction to VMware Blast Extreme
Display communication protocols provide end users with a graphical interface to a remote desktop or published application. Blast Extreme is a display protocol built by VMware to deliver an immersive, feature-rich experience for end users across devices, locations, media, and network connections. Blast Extreme is included with VMware Horizon®, the latest generation of VMware desktop virtualization and remote application-delivery software.
This guide provides a technical description of the Blast Extreme display protocol, including its benefits, limitations, and deployment options, for administrators who are considering using Blast Extreme in their organization today.
This guide is intended for IT administrators and evaluators who are familiar with VMware Horizon and VMware vSphere®. Readers should also have a solid understanding of desktop and application virtualization, as well as a good working knowledge of networking and supporting infrastructure, covering topics such as Active Directory, Group Policy, and supporting technologies.
Blast Extreme Benefits
Blast Extreme provides:
- End-user access to their personalized virtual desktops or remote applications from company laptops, their home PCs, thin client devices, Macs, tablets, or smartphones.
- A consistent user experience across devices and locations while keeping corporate data compliant and securely stored in the data center.
- Ability to meet performance requirements for visually demanding applications when used with NVIDIA Tesla GPU–based hardware acceleration in the host.
- Broad client support, including Windows, Linux, Mac, Android, iOS, Chrome, and web (HTML Access) clients.
- Ability to use either the TCP or the UDP network transport.
- Intelligence to determine and accommodate varying network conditions.
- Feature parity with the VMware PCoIP display protocol.
- Flexibility with regard to configuration methods, which include using Windows Group Policy or Horizon Smart Policies included with VMware Dynamic Environment Manager™.
- Option to simplify setup, including opening only one port (TCP 443) on front-end firewalls when VMware Unified Access Gateway™ is used as the secure gateway.
For a detailed list of Blast Extreme features, see the VMware Blast Extreme topic in the VMware Horizon Architecture Planning guide.
Blast Extreme includes the following security features to support Horizon:
- AES (Advanced Encryption Standard) encryption – All TCP and UDP connections use TLS to encrypt communication. TLS version and encryption defaults are routinely updated to reflect current best practices. These encryption mechanisms apply to the H.264, H.265, and JPG/PNG codecs.
- Security certificates – For external connections, Blast Extreme can use the security certificate on the Unified Access Gateway appliance. Blast Extreme can also use the certificate thumbprint of the Blast Secure Gateway or virtual desktop. A certificate thumbprint is a cryptographic hash of a certificate.
- SHA-256 signatures – Blast Extreme uses the latest security algorithms, including SHA-256.
- Dual IPv4/IPv6 support – When using Blast Extreme, Unified Access Gateway can be used to bridge between IPv6 VMware Horizon® Clients and an IPv4 backend and agents. The Horizon Clients can use either IP version 4 or 6. Blast Extreme must be on TCP 443 only (as described previously for port sharing).
- FIPS support – FIPS-ready libraries are available for Unified Access Gateway 2.9 or later appliances.
- Common Criteria – The evaluation process has been initiated. For more information, see Common Criteria Certification Report for VMware Horizon.
- Port sharing – If you use a Unified Access Gateway virtual appliance for connections from outside the corporate network, by default the connection uses TCP port 8443 and optionally UDP port 8443. It is possible to configure the Blast External URL on the Unified Access Gateway appliance to use port sharing on TCP port 443 so that no additional ports need be opened on the front-end firewall.
Note: Because port sharing incurs some performance overhead on Unified Access Gateway, port sharing is not the preferred configuration.
Components of Blast Extreme
Display protocols must be able to efficiently provide the best user experience for various types of screen content, including text, still images, streaming video, 3D rendering, and audio. VMware built Blast Extreme to handle even the most demanding graphical workloads, including medical imaging and designing geographic information systems (GIS) applications used for analyzing large data sets, creating maps, and visualizing scenarios of the outside world, in both 2D and 3D.
Various components of a display protocol can be configured to address the different types of screen content and differing network speeds that end users are likely to encounter. These components include the transport protocol and display protocol codec:
- Transport protocol – Blast Extreme supports two transport protocols to carry the display traffic between clients and the Horizon infrastructure: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
- Display protocol codec – A codec is used to encode and decode the screen content transferred by Blast Extreme. Blast Extreme supports four codecs: JPG/PNG, H.264, HEVC (H.265), and the new Blast Codec. The image formats used by these codecs employ compression to reduce the size of the content before it is transferred across the network.
For details about the various transport protocols, codecs, image formats, and types of compression that Blast Extreme uses, depending on the type of screen content, see Blast Extreme Technology, in the VMware Blast Extreme Optimization Guide.
VMware Blast Extreme uses VMware client-side components, installed with VMware Horizon Client, as well as agent-side components, installed on virtual desktops, physical desktops, and RDSH servers that host published applications and desktops.
Optimized for the mobile cloud, VMware Blast Extreme supports a broad range of client devices, including Windows, Linux, Mac, Android, iOS, Chrome, and web (HTML Access) clients. On the client side, you can configure which codec or codecs to use for encoding and decoding the screen content transferred by Blast Extreme.
Figure 1: Blast Extreme Settings on Horizon Client for Windows
Horizon Client supports H.264 software encoding and hardware decoding on the following types of clients:
- Most Macs, laptops, and Windows PCs manufactured in 2013 or later.
- iOS and Android devices.
- Windows tablets and phones.
- For VMware Horizon® HTML Access™, this feature is supported on Chrome browsers (version 45 or later) if the device supports H.264 decoding. For other browsers, the JPG/PNG codec is used.
Horizon Client also supports High Efficiency Video Coding, or HEVC for short. HEVC is also known as H.265 and is the industry successor to H.264. HEVC provides up to 50 percent better compression with the same quality as H.264 and can also provide higher quality at compression ratios similar to those of H.264.
However, because H.265 requires substantially more processing power than H.264 to encode and decode, the ESXi hosts for desktops and server farms must have NVIDIA Tesla GPUs to offload encoding. HEVC will not work with CPU encoding alone. HEVC also requires clients to have graphics cards with H.265 decode support, but fortunately, as with H.264, most client devices manufactured since 2015 have them.
Note: Different types of client devices support different features of Blast Extreme. To find out which Blast Extreme settings are available for a specific client platform, see the Horizon Client user guide for that platform, available from the VMware Horizon Client Documentation page.
The client-side settings work in conjunction with the agent-side settings, which administrators can configure, as described in How to Configure Blast Extreme, in the VMware Blast Extreme Optimization Guide.
Three Blast Extreme components are built into the Horizon Agent, which administrators install in virtual desktops and Microsoft RDSH servers:
- The VMware Blast service (VMBlastS.exe) manages user sessions, proxies incoming TCP connections, and prepares the Blast Worker process.
- The Blast Worker process (VMBlastW.exe) captures the screen and handles everything within the session.
Log File Locations for Client and Agent Components
Log files related to Blast Extreme can be found in the following locations:
- Windows client:
- Mac client:
To collect logs on a Mac, you can use the Horizon Collector for Mac Fling (which, like all VMware Flings, is not officially supported). If you are using Horizon Client for macOS 5.0 or later, this Horizon Collector functionality is included in Horizon Client.
- Horizon Agent:
This directory contains logs for the three Blast Extreme components:
For more information about the entries in these log files, see How to Verify Configuration in the VMware Blast Extreme Optimization Guide.
The next section describes the workflow of connections made between the client and agent components.
Blast Extreme Network Connections
This section details the workflow of connections that are made so that Blast Extreme can provide the best remote display experience, regardless of whether the user is inside or outside of the corporate network. Diagrams show which ports are used at which locations, and the numbered lists that follow the diagrams show what is happening at each connection.
The descriptions mention various remote experience features. For details about the remote experience features, see Configuring Remote Desktop Features, in the guide Configuring Remote Desktop Features in VMware Horizon.
The connection workflow descriptions in this section also include information about the configurable components of Blast Extreme and the various Blast Extreme services and processes that are built into the virtual desktop agent.
With an internal connection, the client, the server, and the virtual desktop or RDSH server are all inside the corporate network. The following diagram shows the ports used for an internal connection, and the list that follows describes the order in which the connections are made.
Note: For more information about internal client connections, see Network Ports in VMware Horizon.
Figure 2: Internal Connection from Client to Agent Using Blast Extreme
- Horizon Client, installed on the client device, connects to a Connection Server on TCP port 443 for authentication and to request a desktop or application.
- The Connection Server returns connection information for the virtual desktop or RDSH server that provides remote applications (on TCP port 443).
- A TCP WebSocket connection is made on port 22443 between the client and the virtual desktop or RDSH server.
Note: At this point, the VMware Blast service on the agent side (Horizon Agent on the virtual desktop or RDSH server) proxies the incoming TCP connection. The Blast Worker process determines whether UDP is enabled on the agent and allowed on the client.
- If UDP is enabled on the agent (default), the Blast Proxy process (in Horizon Agent) attempts to make a UDP WebSocket connection to the client on port 22443. If UDP is not enabled or is blocked, the initial TCP connection (Step 3) is used instead.
- When client-drive redirection (CDR) is enabled by the administrator, by default, the traffic is side-channeled on the Blast Extreme channel. If desired, the traffic between Horizon Client and Horizon Agent can be configured to use a separate port (TCP 9427).
- If multimedia redirection (MMR) is enabled, this traffic uses TCP port 9427 between the client and agent.
- If USB redirection is enabled, this traffic uses TCP 32111 between the client and agent. USB redirection traffic can also be side-channeled in the Blast Extreme port. See Enabling the USB Over Session Enhancement SDK Feature.
Internal Tunneled Connection
With an internal tunneled connection, the client, the server, and the virtual desktop or RDSH server are also all inside the corporate network, but the clients might be on a different subnet from that of the virtual desktops or RDSH servers (where the agent is installed), and you do not want to open ports between the clients and agents directly. Tunneling traffic through the Connection Server allows ports to be open between the Connection Server and the client, and between the Connection Server and the agent, but not between the client and the agent.
The following diagram shows the ports used for an internal tunneled connection, and the list that follows describes the order in which the connections are made.
Note: For more information about tunneled connections, see Network Ports in VMware Horizon.
Figure 3: Tunneled Connection from Client to Agent Through the Connection Server
- Horizon Client, on the client device, connects to a Connection Server on TCP port 443 for authentication and to request a desktop or application.
- The Connection Server returns the connection information for the virtual desktop or RDSH server that provides remote applications (on TCP port 443).
- A TCP WebSocket connection is made from the client to the Blast Secure Gateway on port 8443, and then from the Blast Secure Gateway to the virtual desktop or RDSH server on port 22443.
- When multimedia redirection (MMR), client-drive redirection (CDR), USB redirection, or some combination of these is enabled by the administrator, this traffic goes through the HTTPS Secure Tunnel on the Connection Server.
TCP 443 is used between the client and the Connection Server. The traffic uses the native port for each of the remote experience features between the Connection Server and the agent:
- Multimedia redirection traffic uses TCP 9427.
- Client-drive redirection traffic uses TCP 9427.
- USB redirection traffic uses TCP 32111.
With an external connection, the client is connecting from outside the corporate network to the Unified Access Gateway. This gateway then directs the traffic to the correct port and location on the Connection Server and agent. The following diagram shows the ports used for an external connection, and the list that follows describes the order in which the connections are made.
Note: For more information about external client connections, see Network Ports in VMware Horizon.
Figure 4: External Connection from Client to Agent Through the Unified Access Gateway
- Horizon Client, on the client device, authenticates and requests a desktop or application. The connection travels from the client to a Unified Access Gateway virtual appliance on TCP port 443, and then from the Unified Access Gateway to the Connection Server on TCP port 443.
- The Connection Server returns the connection information for the virtual desktop or RDSH server to the client.
- A WebSocket connection is made from the client to the Blast Secure Gateway (on the Unified Access Gateway) on TCP port 8443, and then from the Blast Secure Gateway to the virtual desktop or RDSH server on TCP port 22443. The port used by the Blast Secure Gateway on the Unified Access Gateway can be customized (for example, it can use TCP 443).
Note: At this point, the VMware Blast service on the agent side (Horizon Agent on the virtual desktop or RDSH server) proxies the incoming connection. The Blast Worker process determines whether UDP is enabled on the agent and allowed on the client.
- If UDP is enabled on the client, the Unified Access Gateway, and the agent (default), the client attempts to make a UDP connection to the agent via the Unified Access Gateway. If UDP is not enabled or is blocked, the initial TCP connection (Step 3) is used instead.
- This connection is from the client to UDP port 8443 on the Unified Access Gateway.
- The connection continues from the Unified Access Gateway to UDP port 22443 on the agent.
- A Blast session is established between the client and agent (virtual desktop or RDSH server), using the TCP and, if available, UDP connection established through the Blast Secure Gateway. If the UDP connection is successful, Blast assesses the network’s condition to decide whether to use TCP or UDP for session traffic. If the administrator has enabled additional remote experience features such as USB redirection or client-drive redirection (CDR), the administrator can choose whether traffic for these features will be carried on virtual channels within the Blast session or on separate dedicated connections.
- When client-drive redirection (CDR) is enabled by the administrator, this traffic goes through the Horizon Tunnel on the Unified Access Gateway appliance. TCP 443 is used between the client and the Unified Access Gateway.
By default, the traffic is then side-channeled on the Blast Extreme channel to the agent. If desired, the traffic between the Unified Access Gateway and Horizon Agent can be configured to use a separate port (TCP 9427).
- If multimedia redirection (MMR) is enabled, this traffic uses TCP port 443 from the client to the Horizon Tunnel on the Unified Access Gateway. TCP port 9427 is then used from the Unified Access Gateway to the agent.
- If USB redirection is enabled, this traffic uses TCP port 443 from the client to the Horizon Tunnel on the Unified Access Gateway. TCP port 32111 is then used between the Unified Access Gateway and agent.
USB redirection traffic can also be side-channeled in the Blast Extreme port between the Unified Access Gateway and agent. See Enabling the USB Over Session Enhancement SDK Feature.
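The port flows listed for the internal, tunneled, and external workflows can be turned into a firewall rule audit. The following is an added example, not VMware code: the zone names, the `Flow` type, and the `audit` function are hypothetical, the sample rules are constructed, and it assumes that the Blast Secure Gateway in the tunneled model runs on the Connection Server and that Blast UDP in the internal model is a client-to-agent rule on port 22443.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    src: str    # zone name: client, uag, cs (Connection Server), agent
    dst: str
    proto: str  # "tcp" or "udp"
    port: int

F = Flow  # short alias to keep the tables readable

# Port flows transcribed from the three connection workflows in this guide.
# Assumption: in the tunneled model the Blast Secure Gateway runs on the
# Connection Server, so client -> TCP 8443 terminates in the "cs" zone.
MODELS = {
    "internal": {
        "required": {F("client", "cs", "tcp", 443), F("client", "agent", "tcp", 22443)},
        "optional": {F("client", "agent", "udp", 22443),   # Blast over UDP
                     F("client", "agent", "tcp", 9427),    # MMR / separate-port CDR
                     F("client", "agent", "tcp", 32111)},  # USB redirection
    },
    "tunneled": {
        "required": {F("client", "cs", "tcp", 443), F("client", "cs", "tcp", 8443),
                     F("cs", "agent", "tcp", 22443)},
        "optional": {F("cs", "agent", "tcp", 9427), F("cs", "agent", "tcp", 32111)},
    },
    "external": {
        "required": {F("client", "uag", "tcp", 443), F("uag", "cs", "tcp", 443),
                     F("client", "uag", "tcp", 8443), F("uag", "agent", "tcp", 22443)},
        "optional": {F("client", "uag", "udp", 8443), F("uag", "agent", "udp", 22443),
                     F("uag", "agent", "tcp", 9427), F("uag", "agent", "tcp", 32111)},
    },
}

def audit(rules, model, port_sharing=False):
    """Compare allow rules (iterable of Flow) with the flows the guide lists."""
    required = set(MODELS[model]["required"])
    optional = set(MODELS[model]["optional"])
    if port_sharing and model == "external":
        # Blast shares TCP 443 on the gateway: nothing on 8443 faces the client.
        front_8443 = {f for f in required | optional
                      if f.dst == "uag" and f.port == 8443}
        required -= front_8443
        optional -= front_8443
    rules = set(rules)
    udp_legs = {f for f in optional if f.proto == "udp"}
    return {
        "missing": sorted(required - rules),                # session cannot start
        "unexpected": sorted(rules - required - optional),  # not in the guide: review
        # UDP needs every leg open; a partial path falls back to the TCP connection.
        "udp_partial": bool(udp_legs & rules) and not udp_legs <= rules,
    }

# Constructed sample rule set for an external deployment (not from a real firewall).
SAMPLE_RULES = [
    F("client", "uag", "tcp", 443), F("client", "uag", "tcp", 8443),
    F("client", "uag", "udp", 8443),      # UDP open on the front end only
    F("uag", "cs", "tcp", 443), F("uag", "agent", "tcp", 22443),
    F("client", "agent", "tcp", 22443),   # bypasses the gateway
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_RULES, "external").items():
        print(key, value)
```

On the sample rules the audit reports the direct client-to-agent rule as unexpected and flags the UDP path as partial, because UDP 8443 is open to the gateway but UDP 22443 to the agent is not.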
To set up the Horizon environment for Blast Extreme, administrators open various firewall ports and select Blast Extreme as the default display protocol or as a possible protocol choice for end users:
- In the pool settings, for Default display protocol, you can select VMware Blast, or you can specify that users can choose the protocol. See Worksheet for Creating an Instant-Clone Desktop Pool in Setting Up Virtual Desktops in Horizon.
- You can also configure the remote display protocol at the RDSH server farm level. For more information, see Worksheet for Creating an Automated Instant-Clone Farm in Setting Up Published Desktops and Applications in Horizon.
- To configure the remote display protocol at the global entitlement level, see Administering Cloud Pod Architecture in Horizon.
VMware Horizon Software Requirements
Use the correct version of Horizon and related components:
- Connection Server 7.1 or later is required; Connection Server 7.10 or later is recommended.
- For external connections: Unified Access Gateway 2.9 or later.
- Horizon Client 4.8 or later is required; Horizon Client 5.2 or later is recommended.
- Horizon Agent 7.5 or later is required; Horizon Agent 7.10 or later is recommended.
- For Linux desktops: Horizon for Linux version 7.5 or later is required; Horizon for Linux version 7.10 or later is recommended.
Software Requirements for Physical Desktop Machines
With Horizon 7 version 7.7, VMware introduced the ability to broker physical desktop machines running Windows 10 version 1803 and 1809 Enterprise Edition, via the Blast Extreme display protocol.
With Horizon 7 version 7.12, support for using Blast Extreme with physical desktop machines running Windows 10 versions 1903 and later was added.
For details about port requirements for connectivity between the various components and servers in a Horizon deployment, see Network Ports in VMware Horizon.
Configuration and Optimization
For information about administrator settings, end-user settings, and various optimization strategies, see the VMware Blast Optimization Guide.
Summary and Additional Resources
Now that you have learned about the benefits and features of Blast Extreme and have seen how easy it is to configure in your Horizon environment, we hope that you will take advantage of this adaptive and purpose-built display protocol.
VMware Horizon Administration guide in the VMware Horizon Documentation
Configuring Remote Desktop Features in Horizon guide in the VMware Horizon Documentation
The following updates were made to this guide.
Description of Changes
Incorporated various recent suggestions from reviewers.
Updated product documentation links to use Horizon 8 documentation.
Update for VMware Horizon 7 version 7.10.
Update for VMware Horizon 7 versions 7.1 and 7.2.
Initial publication date.
Authors and Contributors
Graeme Gordon is a Senior Staff End-User-Computing Architect, EUC Technical Marketing, VMware.
Caroline Arakelian is a Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware.
Chris Halstead co-authored the original version of this white paper. Chris is EUC Staff Architect, End-User-Computing Technical Marketing, VMware.
Mark Ewert is a Senior Product Line Manager, EUC Desktop Products, VMware.
The authors wish to thank the following people for their contributions to this paper:
- Frank Anderson, EUC Architect, EUC Technical Marketing, VMware
- Josh Spencer, EUC Architect, EUC Technical Marketing, VMware
- Ramu Panayappan, Director, Virtual Workspace R&D, VMware
- Mike Oliver, Staff Engineer, Virtual Workspace R&D, VMware
- Salil Kanitkar, Senior Member of the Technical Staff, Virtual Workspace R&D, VMware
- Matt Coppinger, Director, Technical Marketing and Enablement, EUC Technical Marketing, VMware
To comment on this paper, contact VMware End-User-Computing Technical Marketing at firstname.lastname@example.org