Network Ports in VMware Horizon 7

About This Guide

This document lists port requirements for connectivity between the various components and servers in a VMware Horizon® 7 deployment.

Horizon 7 Network Ports, All Connection Types, All Display Protocols

Figure 1: Horizon 7 Network Ports with All Connection Types and All Display Protocols

Figure 1 shows three different client connection types and also includes all display protocols. Different subsets of this diagram are displayed throughout this document and linked to larger PDF layouts. To view these larger PDF diagram layouts, access the Attachments panel in this file or click on the diagram images in the layout. You might need to download this PDF and view it locally (rather than in a browser) for full interactive functionality.

Each subset of Figure 1 focuses on a particular connection type and display protocol use. The PDF diagrams are high-resolution graphics and in a format suitable for printing as posters.

This document also contains tables that list all possible ports from a source component to destination components. This does not mean that all of these ports necessarily need to be open. If a component or display protocol is not in use, then the ports associated with it can be omitted. For example:

• If Blast Extreme is the only display protocol used, the PCoIP ports need not be opened.

• If VMware vRealize® Operations for Horizon is not deployed, ports to and from it can be ignored.

Ports shown are destination ports.

The Horizon 7 tables and diagrams include connections to the following products, product families, and components:

• vRealize Operations for Horizon

• VMware Horizon Client™

• VMware Identity Manager™

• VMware Unified Access Gateway™

• VMware App Volumes™

• VMware User Environment Manager™

• VMware vCenter Server®

• VMware ESXi™

• VMware AirWatch®

• VMware ThinApp®

Client Connections

Network ports for connections between a client (either Horizon Client or a browser) and the various Horizon 7 components vary depending on whether the connections are internal, external, or tunneled.

Internal Connection

An internal connection is typically used within the internal network. Initial authentication is performed to the View Connection Server, and then the Horizon Client connects directly to the Horizon Agent running in the virtual desktop or RDS host.

The following table lists network ports for internal connections from a client device to Horizon 7 components. The diagrams following the table show network ports for internal connections, by display protocol.

| SOURCE | DESTINATION | NETWORK PROTOCOL | DESTINATION PORT | DETAILS |
|---|---|---|---|---|
| Horizon Client | View Connection Server | TCP | 443 | Login traffic. SSL (HTTPS access) is enabled by default for client connections, but port 80 (HTTP access) can be used in some cases. See HTTP Redirection in View in View Security. |
| Horizon Client | Horizon Agent | TCP | 22443 | Blast Extreme. Excellent or typical network condition is selected on client. |
| Horizon Client | Horizon Agent | UDP | 22443 | Blast Extreme. Typical network condition is selected on client. |
| Horizon Client | Horizon Agent | TCP | 4172 | PCoIP. |
| Horizon Client | Horizon Agent | UDP | 4172 | PCoIP. |
| Horizon Client | Horizon Agent | TCP | 3389 | RDP. |
| Horizon Client | Horizon Agent | TCP | 9427 | Optional for client drive redirection (CDR) and multimedia redirection (MMR). By default, when using Blast Extreme, CDR traffic is side-channeled in the Blast Extreme ports indicated previously. If you prefer, this traffic can be separated onto the port indicated here. |
| Horizon Client | Horizon Agent | TCP | 32111 | Optional for USB redirection. By default, USB traffic is side-channeled in the Blast Extreme or PCoIP ports indicated previously. If desired, this traffic can be separated onto the port indicated here. |
| Browser | View Connection Server | TCP | 443 | HTML Access. |
| Browser | VMware Identity Manager | TCP | 443 | VMware Identity Manager. |

Horizon 7 Network Ports, Internal Connection, All Display Protocols

Figure 2: Internal Connection Showing All Display Protocols

Blast Extreme Internal Connection

Figure 3: Blast Extreme Internal Connection

PCoIP Internal Connection

Figure 4: PCoIP Internal Connection

HTML Access Internal Connection

Figure 5: HTML Access Internal Connection

External Connection

An external connection provides secure access into Horizon 7 resources from an external network. A Unified Access Gateway or a security server provides the secure edge services. All communication from the client goes to that edge device, which then communicates with the internal resources.

The following table lists network ports for external connections from a client device to Horizon 7 components. The diagrams following the table show network ports for external connections, by display protocol, all with Unified Access Gateway.

| SOURCE | DESTINATION | NETWORK PROTOCOL | DESTINATION PORT | DETAILS |
|---|---|---|---|---|
| Horizon Client | Unified Access Gateway or security server | TCP | 443 | Login traffic. SSL (HTTPS access) is enabled by default for client connections, but port 80 (HTTP access) can be used in some cases. See HTTP Redirection in View in View Security. Can also carry tunneled RDP, client drive redirection, and USB redirection traffic. |
| Horizon Client | Unified Access Gateway or security server | TCP | 4172 | PCoIP via PCoIP Secure Gateway on Unified Access Gateway or security server. |
| Horizon Client | Unified Access Gateway or security server | UDP | 4172 | PCoIP via PCoIP Secure Gateway on Unified Access Gateway or security server. |
| Horizon Client | Unified Access Gateway | TCP | 443 | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic where port sharing is used. Excellent or typical network condition is selected on client. |
| Horizon Client | Unified Access Gateway | TCP | 8443 | Optional for Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (performant channel). Excellent or typical network condition is selected on client. |
| Horizon Client | Unified Access Gateway | UDP | 443 | Blast Extreme via the Unified Access Gateway for data traffic where port sharing is used. Also used for login traffic when poor network condition is selected on client. |
| Horizon Client | Unified Access Gateway | UDP | 8443 | Optional for Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport). Typical or poor network condition is selected on client. |
| Horizon Client | Security server | TCP | 9443 | Blast Extreme via Blast Secure Gateway on security server. |
| Browser | Unified Access Gateway or security server | TCP | 443 | HTML Access. |
| Browser | Unified Access Gateway | TCP | 443 | VMware Identity Manager login and data traffic. |

External Connection Showing All Display Protocols

Figure 6: External Connection Showing All Display Protocols (Using Unified Access Gateway)

Blast Extreme External Connection

Figure 7: Blast Extreme External Connection (Using Unified Access Gateway)

PCoIP External Connection

Figure 8: PCoIP External Connection (Using Unified Access Gateway)

HTML Access External Connection

Figure 9: HTML Access External Connection (Using Unified Access Gateway)

Tunneled Connection

A tunneled connection uses the View Connection Server to provide gateway services. Authentication and session traffic are routed through the View Connection Server. This approach is less frequently used because Unified Access Gateway can provide the same and more functionality.

The following table lists network ports for tunneled connections from a client device to the Horizon 7 components. The diagrams following the table show network ports for tunneled connections, by display protocol.

| SOURCE | DESTINATION | NETWORK PROTOCOL | DESTINATION PORT | DETAILS |
|---|---|---|---|---|
| Horizon Client | View Connection Server | TCP | 443 | Login. SSL (HTTPS access) is enabled by default for client connections, but port 80 (HTTP access) can be used in certain cases. See HTTP Redirection in View in View Security. Can also carry tunneled RDP, client drive redirection, and USB redirection traffic. |
| Horizon Client | View Connection Server | TCP | 8443 | Blast Extreme to Blast Secure Gateway. Excellent or typical network condition is selected on client. |
| Horizon Client | View Connection Server | TCP | 4172 | PCoIP to PCoIP Secure Gateway. |
| Horizon Client | View Connection Server | UDP | 4172 | PCoIP to PCoIP Secure Gateway. |
| Browser | View Connection Server | TCP | 443 | HTML Access. |
| Browser | VMware Identity Manager | TCP | 443 | VMware Identity Manager. |

Tunneled Connection Showing All Display Protocols

Figure 10: Tunneled Connection Showing All Display Protocols

Blast Extreme Tunneled Connection

Figure 11: Blast Extreme Tunneled Connection

PCoIP Tunneled Connection

Figure 12: PCoIP Tunneled Connection

HTML Access Tunneled Connection

Figure 13: HTML Access Tunneled Connection

Virtual Desktop or RDS Host

The following table lists network ports for connections from a virtual desktop or RDS host to other Horizon 7 components.

| SOURCE | DESTINATION | NETWORK PROTOCOL | DESTINATION PORT | DETAILS |
|---|---|---|---|---|
| Horizon Agent | View Connection Server | TCP | 4002 | Java Message Service (JMS) when using enhanced security (default). |
| Horizon Agent | View Connection Server | TCP | 4001 | JMS (legacy). |
| Horizon Agent | View Connection Server | TCP | 389 | Only required when doing an unmanaged agent registration, for example, RDSH agent install without linked-clone or instant-clone component. |
| Horizon Agent | vRealize Operations for Horizon * | TCP | 3091 | Remote Method Invocation (RMI) registry lookup. |
| Horizon Agent | vRealize Operations for Horizon * | TCP | 3099 | Desktop message server. |
| App Volumes Agent | App Volumes Manager | TCP | 443 | Can use port 80 if not using SSL certificates to secure communication. |
| App Volumes Agent | App Volumes Manager | TCP | 5895 | PowerShell web services. |
| User Environment Manager FlexEngine | File shares | TCP | 445 | User Environment Manager agent access to SMB file shares. |

* VMware vRealize Operations for Horizon ports shown are for version 6.2. See the vRealize Operations for Horizon Documentation for earlier versions.

View Connection Server

The following table lists network ports for connections from a View Connection Server to other Horizon 7 components.

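| SOURCE | DESTINATION | NETWORK PROTOCOL | DESTINATION PORT | DETAILS |
|---|---|---|---|---|
| View Connection Server | Horizon Agent | TCP | 22443 | Blast Extreme for a tunneled connection. |
| View Connection Server | Horizon Agent | TCP | 4172 | PCoIP for a tunneled connection. |
| View Connection Server | Horizon Agent | UDP | 4172 | PCoIP for a tunneled connection. |
| View Connection Server | Horizon Agent | TCP | 3389 | RDP for a tunneled connection. |
| View Connection Server | Horizon Agent | TCP | 9427 | Optional for client drive redirection (CDR) and multimedia redirection (MMR) for a tunneled connection. By default, when using Blast Extreme, CDR traffic is side-channeled in the Blast Extreme ports indicated previously. If you prefer, this traffic can be separated onto the port indicated here. |
| View Connection Server | Horizon Agent | TCP | 32111 | Optional for USB redirection for a tunneled connection. By default, USB traffic is side-channeled in the Blast Extreme or PCoIP ports indicated previously. If you prefer, this traffic can be separated onto the port indicated here. |
| View Connection Server | vCenter Server | TCP | 443 | SOAP messages. |
| View Connection Server | View Composer | TCP | 18443 | SOAP messages. |
| View Connection Server | View Connection Server | TCP | 4100 | JMS to replica View Connection Server for redundancy and scale. |
| View Connection Server | View Connection Server | TCP | 4101 | JMS SSL to replica View Connection Server for redundancy and scale. |
| View Connection Server | View Connection Server | TCP | 22389 | Cloud Pod Architecture ADLDS – Global LDAP replication. |
| View Connection Server | View Connection Server | TCP | 32111 | Used only during installation of a replica View Connection Server. |
| View Connection Server | View Connection Server | TCP | 389 | Used only during installation of a replica View Connection Server. |
| View Connection Server | View Connection Server | TCP | 22636 | Cloud Pod Architecture ADLDS – Secure global LDAP replication. |
| View Connection Server | View Connection Server | TCP | 8472 | Cloud Pod Architecture inter-pod VIPA. |
| View Connection Server | View Connection Server | TCP | 135 | Required when joining Cloud Pod Architecture (CPA) federation. |
| View Connection Server | Enrollment server | TCP | 32111 | 32111. |
| View Connection Server | Security server | UDP | 500 | IPsec negotiation traffic. |
| View Connection Server | Security server | UDP | 4500 | NAT-T ISAKMP. |
| View Connection Server | VMware Identity Manager | TCP | 443 | Message bus. |
| View Connection Server | vRealize Operations for Horizon | TCP | 3091 | Remote Method Invocation (RMI) registry lookup. |
| View Connection Server | vRealize Operations for Horizon | TCP | 3101 | Broker message server – Send topology data. |
| View Connection Server | vRealize Operations for Horizon | TCP | 3100 | Certificate management server – Pair. |
| View Connection Server | RSA SecurID Authentication Manager | UDP | 5500 | Two-factor authentication. Default value is shown. This port is configurable. |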

vCenter Server and View Composer

The following table lists network ports for connections from a vCenter Server and a View Composer server to other Horizon 7 components.

| SOURCE | DESTINATION | NETWORK PROTOCOL | DESTINATION PORT | DETAILS |
|---|---|---|---|---|
| vCenter Server | ESXi | TCP | 902 | SOAP. |
| View Composer | vCenter Server | TCP | 443 | SOAP. |
| View Composer | ESXi | TCP | 902 | SOAP. |

Unified Access Gateway

The following table lists network ports for connections from a Unified Access Gateway to other Horizon 7 components.

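| SOURCE | DESTINATION | NETWORK PROTOCOL | DESTINATION PORT | DETAILS |
|---|---|---|---|---|
| Unified Access Gateway | View Connection Server | TCP | 443 | Login. |
| Unified Access Gateway | Horizon Agent | TCP | 22443 | Blast Extreme. |
| Unified Access Gateway | Horizon Agent | UDP | 22443 | Blast Extreme. |
| Unified Access Gateway | Horizon Agent | TCP | 4172 | PCoIP. |
| Unified Access Gateway | Horizon Agent | UDP | 4172 | PCoIP. |
| Unified Access Gateway | Horizon Agent | TCP | 3389 | RDP. |
| Unified Access Gateway | Horizon Agent | TCP | 9427 | Optional for client drive redirection (CDR) and multimedia redirection (MMR). By default, when using Blast Extreme, CDR traffic is side-channeled in the Blast Extreme ports indicated previously. If you prefer, this traffic can be separated onto the port indicated here. |
| Unified Access Gateway | Horizon Agent | TCP | 32111 | Optional for USB redirection. By default, USB traffic is side-channeled in the Blast Extreme or PCoIP ports indicated previously. If you prefer, this traffic can be separated onto the port indicated here. |
| Unified Access Gateway | VMware Identity Manager | TCP | 443 | |
| Unified Access Gateway | RADIUS,… | UDP | 5500 | Other authentication sources such as RADIUS. Default value for RADIUS is shown but is configurable. |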
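
The guide notes that ports for an unused component or display protocol can be omitted. The following added example (not part of the VMware guide) encodes the Horizon Client to Unified Access Gateway rows of the External Connection table and the Unified Access Gateway to Horizon Agent rows above, derives the minimal rule set for the features in use, and audits a constructed firewall ruleset against it. It assumes Unified Access Gateway (not a security server) is the edge device; the feature keys, function names and sample ruleset are this example's own.

```python
# Added example: rule data transcribed from the guide's External Connection
# and Unified Access Gateway tables. Feature keys and names are this example's own.
CLIENT, UAG = "Horizon Client", "Unified Access Gateway"
CS, AGENT = "View Connection Server", "Horizon Agent"

# feature -> list of (source, destination, protocol, destination port)
MATRIX = {
    "login": [(CLIENT, UAG, "TCP", 443), (UAG, CS, "TCP", 443)],
    # UDP 443 carries Blast data (and login when poor network condition is selected).
    "blast": [(CLIENT, UAG, "TCP", 443), (CLIENT, UAG, "UDP", 443),
              (UAG, AGENT, "TCP", 22443), (UAG, AGENT, "UDP", 22443)],
    # Optional Blast Secure Gateway ports listed in the External Connection table.
    "blast_8443": [(CLIENT, UAG, "TCP", 8443), (CLIENT, UAG, "UDP", 8443)],
    "pcoip": [(CLIENT, UAG, "TCP", 4172), (CLIENT, UAG, "UDP", 4172),
              (UAG, AGENT, "TCP", 4172), (UAG, AGENT, "UDP", 4172)],
    # RDP is tunneled in TCP 443 on the client side, so only the back leg is new.
    "rdp": [(UAG, AGENT, "TCP", 3389)],
    # Only needed when CDR/MMR or USB traffic is split off the display protocol.
    "cdr_mmr_separate": [(UAG, AGENT, "TCP", 9427)],
    "usb_separate": [(UAG, AGENT, "TCP", 32111)],
}

def required_rules(features):
    """Minimal rule set: login plus the rows for each feature in use."""
    unknown = set(features) - MATRIX.keys()
    if unknown:
        raise ValueError(f"unknown feature(s): {sorted(unknown)}")
    rules = set(MATRIX["login"])
    for feature in features:
        rules.update(MATRIX[feature])
    return rules

def audit(firewall_rules, features):
    """Return (unneeded, missing) rules relative to the features in use."""
    need, have = required_rules(features), set(firewall_rules)
    return sorted(have - need), sorted(need - have)

# Constructed ruleset: a Blast-only deployment that still has PCoIP and RDP open.
SAMPLE_FIREWALL = [
    (CLIENT, UAG, "TCP", 443), (CLIENT, UAG, "UDP", 443),
    (CLIENT, UAG, "TCP", 4172), (CLIENT, UAG, "UDP", 4172),
    (UAG, CS, "TCP", 443), (UAG, AGENT, "TCP", 22443),
    (UAG, AGENT, "TCP", 3389),
]

if __name__ == "__main__":
    unneeded, missing = audit(SAMPLE_FIREWALL, ["blast"])
    for rule in unneeded:
        print("close:", *rule)
    for rule in missing:
        print("open: ", *rule)
```
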

Security Server

The following table lists network ports for connections from a security server to other Horizon 7 components. The diagrams following the table show network ports for external connections when using a security server, by display protocol.

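| SOURCE | DESTINATION | NETWORK PROTOCOL | DESTINATION PORT | DETAILS |
|---|---|---|---|---|
| Security server | View Connection Server | UDP | 500 | IPsec negotiation traffic. |
| Security server | View Connection Server | ESP | | IP Protocol 50. AJP13-forwarded web traffic, when using IPsec without a NAT device. |
| Security server | View Connection Server | UDP | 4500 | AJP13-forwarded web traffic, when using IPsec through a NAT device. |
| Security server | View Connection Server | TCP | 8009 | AJP13-forwarded web traffic, if not using IPsec. |
| Security server | View Connection Server | TCP | 4001 | JMS traffic. |
| Security server | View Connection Server | TCP | 4002 | JMS SSL traffic. |
| Security server | Horizon Agent | TCP | 22443 | Blast Extreme. |
| Security server | Horizon Agent | TCP | 4172 | PCoIP. |
| Security server | Horizon Agent | UDP | 4172 | PCoIP. |
| Security server | Horizon Agent | TCP | 3389 | RDP. |
| Security server | Horizon Agent | TCP | 9427 | Optional for client drive redirection (CDR) and multimedia redirection (MMR). By default, when using Blast Extreme, CDR traffic is side-channeled in the Blast Extreme ports indicated previously. If you prefer, this traffic can be separated onto the port indicated here. |
| Security server | Horizon Agent | TCP | 32111 | Optional for USB redirection. By default, USB traffic is side-channeled in the Blast Extreme or PCoIP ports indicated previously. If you prefer, this traffic can be separated onto the port indicated here. |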

External Connection Showing All Display Protocols

Figure 14: External Connection Showing All Display Protocols (Using Security Server)

Blast Extreme External Connection

Figure 15: Blast Extreme External Connection (Using Security Server)

PCoIP External Connection

Figure 16: PCoIP External Connection (Using Security Server)

HTML Access External Connection

Figure 17: HTML Access External Connection (Using Security Server)

VMware Identity Manager

The following table lists the network ports for connections from VMware Identity Manager to other Horizon 7 components.

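| SOURCE | DESTINATION | NETWORK PROTOCOL | DESTINATION PORT | DETAILS |
|---|---|---|---|---|
| VMware Identity Manager | View Connection Server | TCP | 389 | |
| VMware Identity Manager | View Connection Server | TCP | 443 | |
| VMware Identity Manager | VMware Identity Manager | TCP | 443 | |
| VMware Identity Manager | VMware Identity Manager | TCP | 9300-9400 | Audit needs. |
| VMware Identity Manager | SMTP server | TCP | 25 | SMTP port to relay outbound mail. |
| VMware Identity Manager | Domain controllers | TCP | 389 | LDAP to Active Directory. Default, but is configurable. |
| VMware Identity Manager | Domain controllers | Both | 88 | Kerberos authentication. |
| VMware Identity Manager | Domain controllers | Both | 464 | Kerberos password change. |
| VMware Identity Manager | Domain controllers | TCP | 135 | RPC. |
| VMware Identity Manager | DNS servers | Both | 53 | DNS lookup. |
| VMware Identity Manager | Citrix Integration Broker server | TCP | 80, 443 | Connection to the Citrix Integration Broker. Port option depends on whether a certificate is installed on the Integration Broker server. |
| VMware Identity Manager | File servers | TCP | 445 | Access to the VMware ThinApp repository on SMB share. |
| VMware Identity Manager | vapp-updates.vmware.com | TCP | 443 | Access to the upgrade server. |
| VMware Identity Manager | RSA SecurID system | UDP | 5500 | Default value is shown. This port is configurable. |
| VMware Identity Manager | VMware AirWatch REST API | TCP | 443 | For device compliance-checking, and for the VMware AirWatch Cloud Connector password authentication method, if that is used. |
| VMware Identity Manager | Database | TCP | 1433 | If using an external Microsoft SQL database (default port is 1433). |
| VMware Identity Manager | Database | TCP | 5432 | If using an external PostgreSQL database. |
| VMware Identity Manager | Database | TCP | 1521 | If using an external Oracle database. |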

App Volumes Manager

The following table lists network ports for connections from App Volumes Manager to other Horizon 7 components.

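| SOURCE | DESTINATION | NETWORK PROTOCOL | DESTINATION PORT | DETAILS |
|---|---|---|---|---|
| App Volumes Manager | vCenter Server | TCP | 443 | SOAP. |
| App Volumes Manager | ESXi | TCP | 443 | Hostd. |
| App Volumes Manager | Database | TCP | 1433 | Default port for Microsoft SQL. |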

vRealize Operations for Horizon

The following table lists network ports for connections from vRealize Operations for Horizon to other Horizon 7 components.

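| SOURCE | DESTINATION | NETWORK PROTOCOL | DESTINATION PORT | DETAILS |
|---|---|---|---|---|
| vRealize Operations for Horizon | View Connection Server | TCP | 3091 | Remote Method Invocation (RMI) registry lookup. |
| vRealize Operations for Horizon | View Connection Server | TCP | 3101 | Broker message server – Send topology data. |
| vRealize Operations for Horizon | View Connection Server | TCP | 3100 | Certificate management server – Pair. |
| vRealize Operations for Horizon | Horizon Agent | TCP | 3091 | Remote Method Invocation (RMI) registry lookup. |
| vRealize Operations for Horizon | Horizon Agent | TCP | 3099 | Desktop message server. |
| vRealize Operations for Horizon | Unified Access Gateway | TCP | 9443 | Monitoring of Unified Access Gateway appliances. |
| vRealize Operations for Horizon | App Volumes Manager | TCP | 443 | Monitoring of App Volumes Managers. |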

Management

The following table lists network ports for the administrative consoles in Horizon 7.

| SOURCE | DESTINATION | NETWORK PROTOCOL | DESTINATION PORT | DETAILS |
|---|---|---|---|---|
| Administrative console in browser | View Connection Server | TCP | 443 | https://<Connection Server FQDN>/admin |
| Administrative console in browser | vCenter Server | TCP | 443 | https://<vCenter Server FQDN>/vsphere-client; https://<vCenter Server FQDN>/ui |
| Administrative console in browser | App Volumes Manager | TCP | 443 | https://<App Volumes Manager Server FQDN>/ |
| Administrative console in browser | VMware Identity Manager | TCP | 8443 | https://<Identity Manager Instance FQDN>; https://<Identity Manager Appliance FQDN>:8443/cfg/login |
| Administrative console in browser | vRealize Operations for Horizon | TCP | 443 | https://<vRealize Manager FQDN or IP Address>/admin |
| Administrative console in browser | Unified Access Gateway | TCP | 9443 | https://<Unified Access Gateway FQDN or IP Address>:9443/admin/ |

Display-Protocol-Specific Diagram Views

The following diagrams display network ports for connections, by display protocol (Blast Extreme or PCoIP), and for HTML Access client connections.

Blast Extreme Connections

Figure 18: Blast Extreme Connections

PCoIP Connections

Figure 19: PCoIP Connections

HTML Access Connections

Figure 20: HTML Access Connections

About the Author and Contributors

Graeme Gordon, Senior Staff End-User-Computing Architect, EUC Technical Marketing, VMware, created these network-port diagrams and wrote the accompanying document.

The following people contributed their knowledge and assisted with reviewing:

• Frank Anderson, EUC Technical Marketing Architect, EUC Technical Marketing, VMware

• Mark Benson, Sr. Staff Engineer, EUC CTO Office, VMware

• Paul Green, Staff Engineer, Enterprise Desktop, VMware

• Ray Heffer, Global Cloud Architect, VMware

• Andrew Jewitt, Staff Engineer, Enterprise Desktop, VMware

• Ramu Panayappan, Director, R&D, Enterprise Desktop, VMware

• Rick Terlep, EUC Architect, EUC Technical Marketing, VMware

• Jim Yanik, Senior Manager, EUC Technical Marketing, VMware

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.