Network Ports in VMware Horizon 7

Horizon 7 version 7.5

About This Guide

This document lists port requirements for connectivity between the various components and servers in a VMware Horizon® 7 deployment.

Figure 1: Horizon 7 Network Ports with All Connection Types and All Display Protocols

Figure 1 shows three different client connection types and also includes all display protocols. Different subsets of this diagram are displayed throughout this document.

Each subset of Figure 1 focuses on a particular connection type and display protocol use. The diagrams are high-resolution graphics and in a format suitable for printing as posters.

This document also contains tables that list all possible ports from a source component to destination components. This does not mean that all of these ports necessarily need to be open. If a component or display protocol is not in use, then the ports associated with it can be omitted. For example:

• If Blast Extreme is the only display protocol used, the PCoIP ports need not be opened.

• If VMware vRealize® Operations for Horizon is not deployed, ports to and from it can be ignored.

Ports shown are destination ports.

The Horizon 7 tables and diagrams include connections to the following products, product families, and components:

• vRealize Operations for Horizon

• VMware Horizon Client™

• VMware Identity Manager™

• VMware Unified Access Gateway™

• VMware App Volumes™

• VMware User Environment Manager™

• VMware vCenter Server®

• VMware ESXi™

• VMware AirWatch®

• VMware ThinApp®

Client Connections

Network ports for connections between a client (either Horizon Client or a browser) and the various Horizon 7 components vary by whether the connections are internal, external, or tunneled.

Internal Connection

An internal connection is typically used within the internal network. Initial authentication is performed to the View Connection Server, and then the Horizon Client connects directly to the Horizon Agent running in the virtual desktop or RDS host.

The following table lists network ports for internal connections from a client device to Horizon 7 components. The diagrams following the table show network ports for internal connections, by display protocol.

Source | Destination | Protocol | Port | Details
Horizon Client | View Connection Server | TCP | 443 | Login traffic. SSL (HTTPS access) is enabled by default for client connections, but port 80 (HTTP access) can be used in some cases. See HTTP Redirection in Horizon 7 in Horizon 7 Security.
Horizon Client | Horizon Agent | TCP | 22443 | Blast Extreme.
Horizon Client | Horizon Agent | UDP | 22443 | Blast Extreme.
Horizon Client | Horizon Agent | TCP | 4172 | PCoIP.
Horizon Client | Horizon Agent | UDP | 4172 | PCoIP.
Horizon Client | Horizon Agent | TCP | 3389 | RDP.
Horizon Client | Horizon Agent | TCP | 9427 | Optional for client drive redirection (CDR) and multimedia redirection (MMR). By default, when using Blast Extreme, CDR traffic is side-channeled in the Blast Extreme ports listed above. If you prefer, this traffic can be separated onto this port.
Horizon Client | Horizon Agent | TCP | 32111 | Optional for USB redirection. By default, USB traffic is side-channeled in the Blast Extreme or PCoIP ports listed above. If desired, this traffic can be separated onto this port.
Browser | View Connection Server | TCP | 8443 | Horizon 7 HTML Access.
Client device | VMware Identity Manager Appliance | TCP | 443 | VMware Identity Manager login and data traffic.
Client device | VMware Identity Manager Appliance | TCP/UDP | 88 | iOS single sign-on (SSO).
Client device | VMware Identity Manager Appliance | TCP | 5262 | Android single sign-on (SSO).
Client device | VMware Identity Manager Appliance | TCP | 7443 | SSL certificate authentication.
Client device | VMware Identity Manager Connector | TCP | 443 | Required only when a connector is used in inbound mode (outbound mode is recommended), or when Kerberos authentication is configured on the connector.

Figure 2: Internal Connection Showing All Display Protocols

Figure 3: Blast Extreme Internal Connection

Figure 4: PCoIP Internal Connection

Figure 5: HTML Access Internal Connection

External Connection

An external connection provides secure access to Horizon 7 resources from an external network. A Unified Access Gateway or a security server provides the secure edge services. All communication from the client goes to that edge device, which then communicates with the internal resources on the client's behalf.

The following table lists network ports for external connections from a client device to Horizon 7 components. The diagrams following the table show network ports for external connections, by display protocol, all with Unified Access Gateway.

Source | Destination | Protocol | Port | Details
Horizon Client | Unified Access Gateway or security server | TCP | 443 | Login traffic. SSL (HTTPS access) is enabled by default for client connections, but port 80 (HTTP access) can be used in some cases. See HTTP Redirection in Horizon 7 in Horizon 7 Security. Can also carry tunneled RDP, client drive redirection, and USB redirection traffic.
Horizon Client | Unified Access Gateway or security server | TCP | 4172 | PCoIP via PCoIP Secure Gateway on Unified Access Gateway or security server.
Horizon Client | Unified Access Gateway or security server | UDP | 4172 | PCoIP via PCoIP Secure Gateway on Unified Access Gateway or security server.
Horizon Client | Unified Access Gateway | UDP | 443 | Optional for login traffic. Blast Extreme Network Intelligent Transport (BENIT) tries a UDP login connection if the client has difficulty making a TCP connection to the Unified Access Gateway.
Horizon Client | Unified Access Gateway | TCP | 8443 | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (performant channel).
Horizon Client | Unified Access Gateway | UDP | 8443 | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport).
Horizon Client | Unified Access Gateway | TCP | 443 | Blast Extreme via the Unified Access Gateway for data traffic where port sharing is used. This replaces TCP 8443.
Horizon Client | Security server | TCP | 8443 | Blast Extreme via Blast Secure Gateway on security server.
Browser | Unified Access Gateway or security server | TCP | 8443 or 443 | Horizon 7 HTML Access. 8443 is the default but can be changed to 443 on the Unified Access Gateway.
Client device | VMware Identity Manager Appliance | TCP | 443 | VMware Identity Manager login and data traffic.
Client device | VMware Identity Manager Appliance | TCP/UDP | 88 | iOS single sign-on (SSO).
Client device | VMware Identity Manager Appliance | TCP | 5262 | Android single sign-on (SSO).
Client device | VMware Identity Manager Appliance | TCP | 7443 | SSL certificate authentication.
Client device | VMware Identity Manager Connector | TCP | 443 | Required only when a connector is used in inbound mode (outbound mode is recommended), or when Kerberos authentication is configured on the connector.

Notes:

The Blast Secure Gateway on Unified Access Gateway includes Blast Extreme Adaptive Transport (BEAT) networking, which dynamically adjusts to network conditions such as varying speeds and packet loss. In Unified Access Gateway, you can configure the ports used by the BEAT protocol.

• By default, Blast Extreme uses the standard ports TCP 8443 and UDP 8443.

• Port 443 can also be configured for Blast TCP, so that Blast shares the port already open for login traffic.

• The port configuration is set through the Unified Access Gateway Blast External URL property. See Blast TCP and UDP External URL Configuration Options.

If you configure Unified Access Gateway to use both IPv4 and IPv6 mode, then Blast TCP and UDP must both be set to port 443. You can enable Unified Access Gateway to act as a bridge for IPv6 Horizon Clients to connect to an IPv4 backend Connection Server or agent environment. See Support for IPv4 and IPv6 Dual Mode for Horizon Infrastructure.
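Two points made in this document are easy to lose when the tables are turned into firewall rules: the ports are destination ports to be opened only for the components and display protocols actually in use (About This Guide), and on a Unified Access Gateway the Blast TCP and HTML Access ports can move from 8443 to 443. The following Python script is an added example, not VMware code or a tool from this document. It encodes the client-to-Unified-Access-Gateway rows of the External Connection table and the Unified-Access-Gateway-to-internal rows of the Unified Access Gateway table, derives the minimal allow-list for a described deployment (deduplicating TCP 443, which serves both login and Blast port sharing), and includes a TCP connect probe for checking the result from the appliance. The ExternalDeployment settings, the feature tags and all function names are this example's own; the port numbers are the document's. It does not model the IPv4/IPv6 dual-mode case, where Blast UDP must also move to 443.

```python
"""Minimal-exposure port planner for an external Horizon 7 connection through
Unified Access Gateway. Added example, not VMware code: the port numbers come
from the tables in this document; the feature tags, the ExternalDeployment
settings and the function names are this example's own."""
import socket
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str   # "TCP" or "UDP"; ports are destination ports, as in the document
    port: int
    note: str

    def key(self) -> Tuple[str, str, str, int]:
        return (self.src, self.dst, self.proto, self.port)


# (rule, feature) pairs; a rule is emitted only when its feature is in use.
# Client -> Unified Access Gateway, from the External Connection table.
CLIENT_TO_UAG = [
    (Rule("Horizon Client", "Unified Access Gateway", "TCP", 443, "Login; can also carry tunneled RDP, CDR and USB"), "login"),
    (Rule("Horizon Client", "Unified Access Gateway", "UDP", 443, "Optional UDP login fallback (BENIT)"), "udp-login"),
    (Rule("Horizon Client", "Unified Access Gateway", "TCP", 4172, "PCoIP via PCoIP Secure Gateway"), "pcoip"),
    (Rule("Horizon Client", "Unified Access Gateway", "UDP", 4172, "PCoIP via PCoIP Secure Gateway"), "pcoip"),
    (Rule("Horizon Client", "Unified Access Gateway", "TCP", 8443, "Blast Extreme via Blast Secure Gateway (default)"), "blast-tcp-8443"),
    (Rule("Horizon Client", "Unified Access Gateway", "TCP", 443, "Blast Extreme with port sharing (instead of 8443)"), "blast-tcp-443"),
    (Rule("Horizon Client", "Unified Access Gateway", "UDP", 8443, "Blast Extreme adaptive transport"), "blast-udp"),
    (Rule("Browser", "Unified Access Gateway", "TCP", 8443, "HTML Access (default)"), "html-8443"),
    (Rule("Browser", "Unified Access Gateway", "TCP", 443, "HTML Access moved to 443"), "html-443"),
]

# Unified Access Gateway -> internal components, from the Unified Access Gateway table.
UAG_TO_INTERNAL = [
    (Rule("Unified Access Gateway", "View Connection Server", "TCP", 443, "Login"), "login"),
    (Rule("Unified Access Gateway", "View Connection Server", "UDP", 443, "Optional UDP login fallback (BENIT)"), "udp-login"),
    (Rule("Unified Access Gateway", "Horizon Agent", "TCP", 22443, "Blast Extreme"), "blast"),
    (Rule("Unified Access Gateway", "Horizon Agent", "UDP", 22443, "Blast Extreme"), "blast"),
    (Rule("Unified Access Gateway", "Horizon Agent", "TCP", 4172, "PCoIP"), "pcoip"),
    (Rule("Unified Access Gateway", "Horizon Agent", "UDP", 4172, "PCoIP"), "pcoip"),
    (Rule("Unified Access Gateway", "Horizon Agent", "TCP", 3389, "RDP"), "rdp"),
    (Rule("Unified Access Gateway", "Horizon Agent", "TCP", 9427, "CDR/MMR separated from the display channel"), "cdr-separate"),
    (Rule("Unified Access Gateway", "Horizon Agent", "TCP", 32111, "USB redirection separated from the display channel"), "usb-separate"),
]


@dataclass
class ExternalDeployment:
    """What is actually in use (this example's own model; defaults mirror the document's)."""
    display_protocols: FrozenSet[str]        # subset of {"blast", "pcoip", "rdp"}
    blast_tcp_on_443: bool = False           # Blast External URL set to port 443 (port sharing)
    html_access: bool = False
    html_access_on_443: bool = False         # HTML Access moved from 8443 to 443 on the appliance
    separate_cdr_mmr: bool = False           # CDR/MMR on TCP 9427 instead of side-channeled
    separate_usb: bool = False               # USB on TCP 32111 instead of side-channeled
    udp_login_fallback: bool = True          # allow the BENIT UDP 443 login attempt


def features_in_use(dep: ExternalDeployment) -> FrozenSet[str]:
    """Translate a deployment description into the feature tags used above."""
    f = {"login"}
    if dep.udp_login_fallback:
        f.add("udp-login")
    if "blast" in dep.display_protocols:
        f |= {"blast", "blast-udp", "blast-tcp-443" if dep.blast_tcp_on_443 else "blast-tcp-8443"}
    if "pcoip" in dep.display_protocols:
        f.add("pcoip")
    if "rdp" in dep.display_protocols:
        f.add("rdp")
    if dep.html_access:
        f.add("html-443" if dep.html_access_on_443 else "html-8443")
    if dep.separate_cdr_mmr:
        f.add("cdr-separate")
    if dep.separate_usb:
        f.add("usb-separate")
    return frozenset(f)


def required_rules(dep: ExternalDeployment) -> List[Rule]:
    """Allow-list to open: every rule whose feature is in use, deduplicated on
    (src, dst, proto, port) so that TCP 443 for login and for Blast port sharing
    becomes one rule, and sorted for a stable diff against the live firewall."""
    wanted = features_in_use(dep)
    seen: Dict[Tuple[str, str, str, int], Rule] = {}
    for rule, feature in CLIENT_TO_UAG + UAG_TO_INTERNAL:
        if feature in wanted and rule.key() not in seen:
            seen[rule.key()] = rule
    return sorted(seen.values(), key=lambda r: (r.src, r.dst, r.proto, r.port))


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """TCP connect probe from the current host; run it on the appliance to check
    the Unified Access Gateway -> internal rules. UDP rules cannot be verified this way."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def render(rules: List[Rule]) -> str:
    """One line per rule, in firewall-change-request order."""
    return "\n".join(f"{r.src:22} -> {r.dst:24} {r.proto:3} {r.port:5}  {r.note}" for r in rules)


if __name__ == "__main__":
    # Blast-only deployment with port sharing on 443: no PCoIP, no RDP, no TCP 8443.
    blast_only = ExternalDeployment(display_protocols=frozenset({"blast"}),
                                    blast_tcp_on_443=True, html_access=True,
                                    html_access_on_443=True)
    print(render(required_rules(blast_only)))
```

For the Blast-only, port-sharing case the script yields eight rules: inbound TCP 443, UDP 443 and UDP 8443 from clients, plus TCP/UDP 443 to the Connection Server and TCP/UDP 22443 to the agents from the appliance. Anything else reachable from the DMZ (PCoIP 4172, RDP 3389, TCP 8443) is exposure the deployment does not need. tcp_reachable covers only the TCP rows; the UDP rows (BENIT login, Blast adaptive transport, PCoIP) need a packet-level check.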

Figure 6: External Connection Showing All Display Protocols (Using Unified Access Gateway)

Figure 7: Blast Extreme External Connection (Using Unified Access Gateway)

Figure 8: PCoIP External Connection (Using Unified Access Gateway)

Figure 9: HTML Access External Connection (Using Unified Access Gateway)

Tunneled Connection

A tunneled connection uses the View Connection Server to provide gateway services. Authentication and session traffic is routed through the View Connection Server. This approach is less frequently used because Unified Access Gateway can provide the same and more functionality.

The following table lists network ports for tunneled connections from a client device to the Horizon 7 components. The diagrams following the table show network ports for tunneled connections, by display protocol.

Source | Destination | Protocol | Port | Details
Horizon Client | View Connection Server | TCP | 443 | Login. SSL (HTTPS access) is enabled by default for client connections, but port 80 (HTTP access) can be used in certain cases. See HTTP Redirection in Horizon 7 in Horizon 7 Security. Can also carry tunneled RDP, client drive redirection, and USB redirection traffic.
Horizon Client | View Connection Server | TCP | 8443 | Blast Extreme to Blast Secure Gateway.
Horizon Client | View Connection Server | TCP | 4172 | PCoIP to PCoIP Secure Gateway.
Horizon Client | View Connection Server | UDP | 4172 | PCoIP to PCoIP Secure Gateway.
Browser | View Connection Server | TCP | 8443 | Horizon 7 HTML Access.
Client device | VMware Identity Manager Appliance | TCP | 443 | VMware Identity Manager login and data traffic.
Client device | VMware Identity Manager Appliance | TCP/UDP | 88 | iOS single sign-on (SSO).
Client device | VMware Identity Manager Appliance | TCP | 5262 | Android single sign-on (SSO).
Client device | VMware Identity Manager Appliance | TCP | 7443 | SSL certificate authentication.
Client device | VMware Identity Manager Connector | TCP | 443 | Required only when a connector is used in inbound mode (outbound mode is recommended), or when Kerberos authentication is configured on the connector.

Figure 10: Tunneled Connection Showing All Display Protocols

Figure 11: Blast Extreme Tunneled Connection

Figure 12: PCoIP Tunneled Connection

Figure 13: HTML Access Tunneled Connection

Virtual Desktop or RDS Host

The following table lists network ports for connections from a virtual desktop or RDS host, to other Horizon 7 components.

Source | Destination | Protocol | Port | Details
Horizon Agent | View Connection Server | TCP | 4002 | Java Message Service (JMS) when using enhanced security (default).
Horizon Agent | View Connection Server | TCP | 4001 | JMS (legacy).
Horizon Agent | View Connection Server | TCP | 389 | Required only for an unmanaged agent registration, for example an RDSH agent install without a linked-clone or instant-clone component.
Horizon Agent | vRealize Operations for Horizon * | TCP | 3091 | Remote Method Invocation (RMI) registry lookup.
Horizon Agent | vRealize Operations for Horizon * | TCP | 3099 | Desktop message server.
App Volumes Agent | App Volumes Manager | TCP | 443 | Can use port 80 if not using SSL certificates to secure communication.
App Volumes Agent | App Volumes Manager | TCP | 5895 | PowerShell web services.
User Environment Manager FlexEngine | File shares | TCP | 445 | User Environment Manager agent access to SMB file shares.

* VMware vRealize Operations for Horizon ports shown are for version 6.2. See the vRealize Operations for Horizon Documentation for earlier versions.

View Connection Server

The following table lists network ports for connections from a View Connection Server to other Horizon 7 components.

Source | Destination | Protocol | Port | Details
View Connection Server | Horizon Agent | TCP | 22443 | Blast Extreme for a tunneled connection.
View Connection Server | Horizon Agent | TCP | 4172 | PCoIP for a tunneled connection.
View Connection Server | Horizon Agent | UDP | 4172 | PCoIP for a tunneled connection.
View Connection Server | Horizon Agent | TCP | 3389 | RDP for a tunneled connection.
View Connection Server | Horizon Agent | TCP | 9427 | Optional for client drive redirection (CDR) and multimedia redirection (MMR) for a tunneled connection. By default, when using Blast Extreme, CDR traffic is side-channeled in the Blast Extreme ports listed above. If you prefer, this traffic can be separated onto this port.
View Connection Server | Horizon Agent | TCP | 32111 | Optional for USB redirection for a tunneled connection. By default, USB traffic is side-channeled in the Blast Extreme or PCoIP ports listed above. If you prefer, this traffic can be separated onto this port.
View Connection Server | vCenter Server | TCP | 443 | SOAP messages.
View Connection Server | View Connection Server | TCP | 4100 | JMS to replica View Connection Server for redundancy and scale.
View Connection Server | View Connection Server | TCP | 4101 | JMS SSL to replica View Connection Server for redundancy and scale.
View Connection Server | View Connection Server | TCP | 22389 | Cloud Pod Architecture ADLDS: global LDAP replication.
View Connection Server | View Connection Server | TCP | 32111 | Used only during installation of a replica View Connection Server.
View Connection Server | View Connection Server | TCP | 389 | Used only during installation of a replica View Connection Server.
View Connection Server | View Connection Server | TCP | 22636 | Cloud Pod Architecture ADLDS: secure global LDAP replication.
View Connection Server | View Connection Server | TCP | 8472 | Cloud Pod Architecture inter-pod VIPA.
View Connection Server | View Connection Server | TCP | 135 | MS-RPC; required when joining a Cloud Pod Architecture (CPA) federation.
View Connection Server | Enrollment server | TCP | 32111 | View Framework.
View Connection Server | JMP Server | TCP | 443 | HTTPS.
View Connection Server | View Composer | TCP | 18443 | SOAP messages.
View Connection Server | Security server | UDP | 500 | IPsec negotiation traffic.
View Connection Server | Security server | UDP | 4500 | NAT-T ISAKMP.
View Connection Server | VMware Identity Manager | TCP | 443 | Message bus.
View Connection Server | vRealize Operations for Horizon | TCP | 3091 | Remote Method Invocation (RMI) registry lookup.
View Connection Server | vRealize Operations for Horizon | TCP | 3101 | Broker message server: send topology data.
View Connection Server | vRealize Operations for Horizon | TCP | 3100 | Certificate management server: pair.
View Connection Server | RSA SecurID Authentication Manager | UDP | 5500 | Two-factor authentication. Default value is shown; this port is configurable.

JMP Server

The following table lists network ports for connections from a JMP Server, to other Horizon 7 components.

Source | Destination | Protocol | Port | Details
JMP Server | Database | TCP | 1433 | Microsoft SQL database (default port is 1433).
JMP Server | View Connection Server | TCP | 443 | HTTPS.
JMP Server | Active Directory | TCP | 389 | LDAP (non-secure) or LDAP over TLS (AD ports can be customized).
JMP Server | Active Directory | TCP | 636 | LDAPS.
JMP Server | App Volumes Manager | TCP | 443 | HTTPS.
JMP Server | User Environment Manager file shares | TCP/UDP | 135-139 | Microsoft file sharing SMB over NetBIOS: User Datagram Protocol (UDP) and Transmission Control Protocol (TCP).
JMP Server | User Environment Manager file shares | TCP/UDP | 445 | Direct-hosted SMB traffic without NetBIOS.

vCenter Server and View Composer

The following table lists network ports for connections from a vCenter Server and a View Composer server, to other Horizon 7 components.

Source | Destination | Protocol | Port | Details
vCenter Server | ESXi | TCP | 902 | SOAP.
View Composer | vCenter Server | TCP | 443 | SOAP.
View Composer | ESXi | TCP | 902 | SOAP.

Unified Access Gateway

The following table lists network ports for connections from a Unified Access Gateway to other Horizon 7 components.

Source | Destination | Protocol | Port | Details
Unified Access Gateway | View Connection Server | TCP | 443 | Login.
Unified Access Gateway | View Connection Server | UDP | 443 | Optional for login traffic. Blast Extreme Network Intelligent Transport (BENIT) tries a UDP login connection if the client has difficulty making a TCP connection to the Unified Access Gateway.
Unified Access Gateway | Horizon Agent | TCP | 22443 | Blast Extreme.
Unified Access Gateway | Horizon Agent | UDP | 22443 | Blast Extreme.
Unified Access Gateway | Horizon Agent | TCP | 4172 | PCoIP.
Unified Access Gateway | Horizon Agent | UDP | 4172 | PCoIP.
Unified Access Gateway | Horizon Agent | TCP | 3389 | RDP.
Unified Access Gateway | Horizon Agent | TCP | 9427 | Optional for client drive redirection (CDR) and multimedia redirection (MMR). By default, when using Blast Extreme, CDR traffic is side-channeled in the Blast Extreme ports listed above. If you prefer, this traffic can be separated onto this port.
Unified Access Gateway | Horizon Agent | TCP | 32111 | Optional for USB redirection. By default, USB traffic is side-channeled in the Blast Extreme or PCoIP ports listed above. If you prefer, this traffic can be separated onto this port.
Unified Access Gateway | RADIUS,… | UDP | 5500 | Other authentication sources such as RADIUS. The RSA SecurID Authentication Manager default (UDP 5500) is shown; standard RADIUS authentication uses UDP 1812. The port is configurable.

Security Server

The following table lists network ports for connections from a security server to other Horizon 7 components. The diagrams following the table show network ports for external connections when using a security server, by display protocol.

Source | Destination | Protocol | Port | Details
Security server | View Connection Server | UDP | 500 | IPsec negotiation traffic.
Security server | View Connection Server | ESP (IP protocol 50) | n/a | AJP13-forwarded web traffic, when using IPsec without a NAT device.
Security server | View Connection Server | UDP | 4500 | AJP13-forwarded web traffic, when using IPsec through a NAT device.
Security server | View Connection Server | TCP | 8009 | AJP13-forwarded web traffic, if not using IPsec.
Security server | View Connection Server | TCP | 4001 | JMS traffic.
Security server | View Connection Server | TCP | 4002 | JMS SSL traffic.
Security server | Horizon Agent | TCP | 22443 | Blast Extreme.
Security server | Horizon Agent | TCP | 4172 | PCoIP.
Security server | Horizon Agent | UDP | 4172 | PCoIP.
Security server | Horizon Agent | TCP | 3389 | RDP.
Security server | Horizon Agent | TCP | 9427 | Optional for client drive redirection (CDR) and multimedia redirection (MMR). By default, when using Blast Extreme, CDR traffic is side-channeled in the Blast Extreme ports listed above. If you prefer, this traffic can be separated onto this port.
Security server | Horizon Agent | TCP | 32111 | Optional for USB redirection. By default, USB traffic is side-channeled in the Blast Extreme or PCoIP ports listed above. If you prefer, this traffic can be separated onto this port.

Figure 14: External Connection Showing All Display Protocols (Using Security Server)

Figure 15: Blast Extreme External Connection (Using Security Server)

Figure 16: PCoIP External Connection (Using Security Server)

Figure 17: HTML Access External Connection (Using Security Server)

VMware Identity Manager

The following table lists the network ports for connections from VMware Identity Manager to other Horizon 7 components.

Source | Destination | Protocol | Port | Details
VMware Identity Manager Appliance | View Connection Server | TCP | 389 | LDAP.
VMware Identity Manager Appliance | View Connection Server | TCP | 443 | HTTPS.
VMware Identity Manager Appliance | VMware Identity Manager Appliance | TCP | 443 | HTTPS.
VMware Identity Manager Appliance | VMware Identity Manager Appliance | TCP | 8200, 9300 | ElasticSearch.
VMware Identity Manager Appliance | VMware Identity Manager Appliance | TCP | 40002, 40003 | EHCache.
VMware Identity Manager Appliance | VMware Identity Manager Appliance | TCP | 9400 | vPostgres.
VMware Identity Manager Appliance | DNS servers | TCP/UDP | 53 | DNS lookup.
VMware Identity Manager Appliance | NTP | UDP | 123 | Time sync.
VMware Identity Manager Appliance | SMTP server | TCP | 25 | SMTP port to relay outbound email.
VMware Identity Manager Appliance | Syslog | UDP | 514 | Syslog forwarding.
VMware Identity Manager Appliance | Log Insight | TCP | 9543 | Log forwarding to vRealize Log Insight.
VMware Identity Manager Appliance | OCSP | TCP | 80 | Online Certificate Status Protocol.
VMware Identity Manager Appliance | KDC | UDP | 88 | Hybrid KDC.
VMware Identity Manager Appliance | VMware Verify | TCP | 443 | HTTPS.
VMware Identity Manager Appliance | Database | TCP | 1433 | If using an external Microsoft SQL database (default port is 1433).
VMware Identity Manager Appliance | Database | TCP | 5432 | If using an external PostgreSQL database.
VMware Identity Manager Appliance | Database | TCP | 1521 | If using an external Oracle database.
VMware Identity Manager Appliance | VMware AirWatch REST API | TCP | 443 | For device compliance checking, and for the VMware AirWatch Cloud Connector password authentication method, if that is used.
VMware Identity Manager Appliance | vapp-updates.vmware.com | TCP | 443 | Access to the upgrade server.

Source | Destination | Protocol | Port | Details
VMware Identity Manager Connector | VMware Identity Manager Appliance | TCP | 443 | HTTPS.
VMware Identity Manager Connector | View Connection Server | TCP | 389 | LDAP.
VMware Identity Manager Connector | Domain controllers | TCP | 389 | LDAP to Active Directory. Default, but configurable.
VMware Identity Manager Connector | Domain controllers | TCP | 636 | LDAPS to Active Directory.
VMware Identity Manager Connector | Domain controllers | TCP | 3268 | AD Global Catalog.
VMware Identity Manager Connector | Domain controllers | TCP | 3269 | AD Global Catalog over SSL.
VMware Identity Manager Connector | Domain controllers | TCP/UDP | 88 | Kerberos authentication.
VMware Identity Manager Connector | Domain controllers | TCP/UDP | 464 | Kerberos password change.
VMware Identity Manager Connector | Domain controllers | TCP | 135 | RPC.
VMware Identity Manager Connector | DNS servers | TCP/UDP | 53 | DNS lookup.
VMware Identity Manager Connector | NTP | UDP | 123 | Time sync.
VMware Identity Manager Connector | Syslog | UDP | 514 | Syslog forwarding.
VMware Identity Manager Connector | Log Insight | TCP | 9543 | Log forwarding to vRealize Log Insight.
VMware Identity Manager Connector | OCSP | TCP | 80 | Online Certificate Status Protocol.
VMware Identity Manager Connector | File servers | TCP | 445 | Access to the VMware ThinApp repository on an SMB share.
VMware Identity Manager Connector | RADIUS server | UDP | 1812 | RADIUS authentication (standard default port).
VMware Identity Manager Connector | RADIUS server | UDP | 1813 | RADIUS accounting (standard default port).
VMware Identity Manager Connector | RSA SecurID system | UDP | 5500 | Default value is shown. This port is configurable.
VMware Identity Manager Connector | Citrix Integration Broker server | TCP | 80, 443 | Connection to the Citrix Integration Broker. Port depends on whether a certificate is installed on the Integration Broker server.
VMware Identity Manager Connector | vapp-updates.vmware.com | TCP | 443 | Access to the upgrade server.

App Volumes Manager

The following table lists network ports for connections from App Volumes Manager to other Horizon 7 components.

Source | Destination | Protocol | Port | Details
App Volumes Manager | vCenter Server | TCP | 443 | SOAP.
App Volumes Manager | ESXi | TCP | 443 | Hostd.
App Volumes Manager | Database | TCP | 1433 | Default port for Microsoft SQL.

vRealize Operations for Horizon

The following table lists network ports for connections from vRealize Operations for Horizon, to other Horizon 7 components.

Source | Destination | Protocol | Port | Details
vRealize Operations for Horizon | View Connection Server | TCP | 3091 | Remote Method Invocation (RMI) registry lookup.
vRealize Operations for Horizon | View Connection Server | TCP | 3101 | Broker message server: send topology data.
vRealize Operations for Horizon | View Connection Server | TCP | 3100 | Certificate management server: pair.
vRealize Operations for Horizon | Horizon Agent | TCP | 3091 | Remote Method Invocation (RMI) registry lookup.
vRealize Operations for Horizon | Horizon Agent | TCP | 3099 | Desktop message server.
vRealize Operations for Horizon | Unified Access Gateway | TCP | 9443 | Monitoring of Unified Access Gateway appliances.
vRealize Operations for Horizon | App Volumes Manager | TCP | 443 | Monitoring of App Volumes Managers.

Management

The following table lists network ports for the administrative consoles in Horizon 7.

Source | Destination | Protocol | Port | Details
Administrative console in browser | View Connection Server | TCP | 443 | https://<Connection Server FQDN>/admin and https://<Connection Server FQDN>/newadmin
Administrative console in browser | JMP Server | TCP | 443 | HTTPS.
Administrative console in browser | vCenter Server | TCP | 443 | https://<vCenter Server FQDN>/
Administrative console in browser | App Volumes Manager | TCP | 443 | https://<App Volumes Manager Server FQDN>/
Administrative console in browser | VMware Identity Manager Appliance | TCP | 443 | https://<Identity Manager Instance FQDN>
Administrative console in browser | VMware Identity Manager Appliance | TCP | 8443 | https://<Identity Manager Appliance FQDN>:8443/cfg/login
Administrative console in browser | VMware Identity Manager Appliance | TCP | 22 | SSH.
Administrative console in browser | vRealize Operations for Horizon | TCP | 443 | https://<vRealize Manager FQDN or IP Address>/admin
Administrative console in browser | Unified Access Gateway | TCP | 9443 | https://<Unified Access Gateway FQDN or IP Address>:9443/admin/

Display-Protocol-Specific Diagram Views

The following diagrams display network ports for connections, by display protocol (Blast Extreme or PCoIP), and for HTML Access client connections.

Figure 18: Blast Extreme Connections

Figure 19: PCoIP Connections

Figure 20: HTML Access Connections

About the Author and Contributors

Graeme Gordon, Senior Staff End-User-Computing Architect, EUC Technical Marketing, VMware, wrote this document and created the accompanying network-port diagrams.

The following people contributed their knowledge and assisted with reviewing:

• Frank Anderson, EUC Technical Marketing Architect, EUC Technical Marketing, VMware

• Mark Benson, Sr. Staff Engineer, EUC CTO Office, VMware

• Paul Green, Staff Engineer, Virtual Workspace R&D, VMware

• Ramu Panayappan, Director, Virtual Workspace R&D, VMware

• Mike Oliver, Staff Engineer, Virtual Workspace R&D, VMware

• Andrew Jewitt, Staff Engineer, Virtual Workspace R&D, VMware

• Rick Terlep, EUC Architect, EUC Technical Marketing, VMware

• Jim Yanik, Senior Manager, EUC Technical Marketing, VMware

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.