Network Ports in VMware Horizon Cloud Service

About This Guide

This document lists port requirements for connectivity between the various components and servers in a VMware Horizon® Cloud Service™ deployment. Two deployment models for the Horizon Cloud Service are covered: VMware Horizon Cloud Service with Hosted Infrastructure, and VMware Horizon Cloud Service on Microsoft Azure. This document is intended as a companion to the VMware Horizon Cloud Service Network Ports diagrams.

The first set of diagrams covers Horizon Cloud with Hosted Infrastructure with external connectivity. The second set covers Horizon Cloud with Hosted Infrastructure with internal connectivity. The final set covers connectivity for Horizon Cloud on Microsoft Azure.

Figure 1 shows the possible client connection types for Horizon Cloud with Hosted Infrastructure and also includes all display protocols. Different versions of this diagram are displayed in this document. They show a subset of this diagram and focus on a particular connection type and protocol use. The diagrams are high-resolution graphics and in a format suitable for printing as posters.

This document also provides tables listing all possible ports from a source component to destination components within a typical Horizon Cloud deployment. This does not mean that all of these ports necessarily need to be open. If a component or protocol is not in use, then the ports associated with it can be omitted. For example:

  • If Blast Extreme is the only display protocol used, the PCoIP ports need not be opened.
  • If VMware User Environment Manager™ is not deployed, ports to and from it can be ignored.

Furthermore, this document does not list all possible ports for all possible integrations with third-party services. The document lists ports to third-party services that are critical to a functioning deployment.

Ports shown are destination ports. In the diagrams, arrows depict the direction of communication from source to destination.

The Horizon Cloud tables and diagrams include connections to the following products, product families, and components:

  • VMware Horizon Client™
  • VMware Unified Access Gateway™
  • VMware Identity Manager™
  • VMware App Volumes™
  • VMware User Environment Manager
  • VMware ThinApp®
  • VMware AirWatch®

Client Connections for Horizon Cloud with Hosted Infrastructure, with an External Connection

There are two basic configurations for Horizon Cloud with Hosted Infrastructure. One assumes client connections from an external network. The other configuration assumes connection from a trusted, or “internal,” network. Network ports for connections between a client (either Horizon Client or a browser) and the various Horizon Cloud components are similar in both cases.

External Client Connections to the Horizon Cloud with Hosted Infrastructure Tenant

An external connection provides secure access into Horizon Cloud resources from an external network. A Unified Access Gateway provides the secure edge services for the Horizon Cloud tenant. All communication from the client will be to that edge device, which then communicates to the internal resources.

| Source | Destination | Network Protocol | Destination Port | Details |
|---|---|---|---|---|
| Horizon Client | Unified Access Gateway | TCP | 443 | Login traffic. SSL (HTTPS access) is enabled by default for client connections, but port 80 (HTTP access) can be used in some cases; see Understanding What URL Content Redirection Is in Horizon Cloud with Hosted Infrastructure Administration. Can also carry tunneled RDP, client drive redirection, and USB redirection traffic. |
| Horizon Client | Unified Access Gateway | TCP | 4172 | PCoIP via PCoIP Secure Gateway on Unified Access Gateway. |
| Horizon Client | Unified Access Gateway | UDP | 4172 | PCoIP via PCoIP Secure Gateway on Unified Access Gateway. |
| Horizon Client | Unified Access Gateway | TCP | 443 | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic where port sharing is used. Used when excellent or typical network condition is selected on the client. |
| Horizon Client | Unified Access Gateway | TCP | 8443 | Optional for Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (performant channel). Used when excellent or typical network condition is selected on the client. |
| Horizon Client | Unified Access Gateway | UDP | 443 | Blast Extreme via the Unified Access Gateway for data traffic where port sharing is used. Also used for login traffic when poor network condition is selected on the client. |
| Horizon Client | Unified Access Gateway | UDP | 8443 | Optional for Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport). Used when typical or poor network condition is selected on the client. |
| Browser | Unified Access Gateway | TCP | 443 | HTML Access. |
| Browser | Unified Access Gateway | TCP | 443 | VMware Identity Manager login and data traffic. |
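The introduction's guidance that ports for unused protocols need not be opened, applied to the client-to-Unified Access Gateway table above, as an added Python example that is not part of VMware's document or tooling. The rule rows are transcribed from the table; the feature tags, function names, and the firewall snapshot are this example's own constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str        # network protocol toward the Unified Access Gateway
    port: int         # destination port
    needs: frozenset  # feature tags that must all be deployed; empty = always required
    detail: str       # condensed from the table's Details column


# Client -> Unified Access Gateway rows, transcribed from the table above.
# The feature tags ("blast", "pcoip", ...) are labels chosen for this example.
CLIENT_TO_UAG = (
    Rule("TCP", 443, frozenset(), "Login; tunneled RDP/CDR/USB; Blast and HTML Access with port sharing; vIDM"),
    Rule("TCP", 4172, frozenset({"pcoip"}), "PCoIP via PCoIP Secure Gateway"),
    Rule("UDP", 4172, frozenset({"pcoip"}), "PCoIP via PCoIP Secure Gateway"),
    Rule("TCP", 8443, frozenset({"blast", "blast_performant_channel"}), "Optional Blast Extreme performant channel"),
    Rule("UDP", 443, frozenset({"blast"}), "Blast Extreme data with port sharing; login when 'poor' network is selected"),
    Rule("UDP", 8443, frozenset({"blast", "blast_adaptive_transport"}), "Optional Blast Extreme adaptive transport"),
)


def required_rules(features):
    """Rules whose feature tags are all present in the deployed feature set."""
    features = frozenset(features)
    return [r for r in CLIENT_TO_UAG if r.needs <= features]


def allowlist(features):
    """Sorted (protocol, port) pairs the edge firewall must permit toward the UAG."""
    return sorted({(r.proto, r.port) for r in required_rules(features)})


def surplus(open_ports, features):
    """Currently open (protocol, port) pairs that no deployed feature needs."""
    return sorted(set(open_ports) - set(allowlist(features)))


if __name__ == "__main__":
    # Blast Extreme is the only display protocol, so the PCoIP 4172 rules drop out.
    deployed = {"blast", "blast_adaptive_transport"}
    for proto, port in allowlist(deployed):
        print(f"{proto}/{port}")
    # Constructed snapshot of what a firewall currently permits toward the UAG.
    currently_open = {("TCP", 443), ("UDP", 443), ("UDP", 8443), ("TCP", 4172), ("UDP", 4172)}
    print("surplus:", surplus(currently_open, deployed))
```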

Figure 1: Horizon Cloud with Hosted Infrastructure, External Connection with All Display Protocols

Figure 2: Horizon Cloud with Hosted Infrastructure, External Connection with Blast Extreme

Figure 3: Horizon Cloud with Hosted Infrastructure, External Connection with PCoIP

Figure 4: Horizon Cloud with Hosted Infrastructure, External Connection with HTML Access

Internal Client Connections to the Horizon Cloud with Hosted Infrastructure Tenant

An internal connection is typically used within the internal network. Initial authentication is performed to the tenant appliance or node appliance, and then the Horizon Client connects directly to the Horizon Agent running in the virtual desktop or RDS host.

The following table lists network ports for internal connections from a client device to Horizon Cloud components. The diagrams following the table show network ports for internal connections by protocol.

| Source | Destination | Network Protocol | Destination Port | Details |
|---|---|---|---|---|
| Horizon Client | Unified Access Gateway | TCP | 443 | Login traffic. SSL (HTTPS access) is enabled by default for client connections, but port 80 (HTTP access) can be used in some cases; see Understanding What URL Content Redirection Is in Horizon Cloud with Hosted Infrastructure Administration. Can also carry tunneled RDP, client drive redirection, and USB redirection traffic. |
| Horizon Client | Unified Access Gateway | TCP | 4172 | PCoIP via PCoIP Secure Gateway on Unified Access Gateway. |
| Horizon Client | Unified Access Gateway | UDP | 4172 | PCoIP via PCoIP Secure Gateway on Unified Access Gateway. |
| Horizon Client | Unified Access Gateway | TCP | 443 | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic where port sharing is used. Used when excellent or typical network condition is selected on the client. |
| Horizon Client | Unified Access Gateway | TCP | 8443 | Optional for Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (performant channel). Used when excellent or typical network condition is selected on the client. |
| Horizon Client | Unified Access Gateway | UDP | 443 | Blast Extreme via the Unified Access Gateway for data traffic where port sharing is used. Also used for login traffic when poor network condition is selected on the client. |
| Horizon Client | Unified Access Gateway | UDP | 8443 | Optional for Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport). Used when typical or poor network condition is selected on the client. |

Client Connections for Horizon Cloud with Hosted Infrastructure, with an Internal Connection

An internal connection is typically used when an organization would like to have greater control over end-user communications between the organization’s data center and Horizon Cloud with Hosted Infrastructure. An internal connection to Horizon Cloud assumes that all end-user traffic comes from a trusted source (organization’s data center) and is configured like a branch office. A Unified Access Gateway provides the secure edge services for the Horizon Cloud tenant. In these cases, the Unified Access Gateway is deployed to the Services Zone instead of to the Security Zone in Horizon Cloud with Hosted Infrastructure. All communication from the client will be to that edge device, which then communicates to the internal resources.

With these diagrams, the only thing that changes is the way that the network zones are defined. All communication flows are similar to those in Horizon Cloud with Hosted Infrastructure with an external connection.

Figure 5: Horizon Cloud with Hosted Infrastructure, Internal Connection with All Display Protocols

Figure 6: Horizon Cloud with Hosted Infrastructure, Internal Connection with Blast Extreme

Figure 7: Horizon Cloud with Hosted Infrastructure, Internal Connection with PCoIP

Figure 8: Horizon Cloud with Hosted Infrastructure, Internal Connection with HTML Access

Client Connections for Horizon Cloud on Microsoft Azure

Horizon Cloud on Microsoft Azure differs from Horizon Cloud with Hosted Infrastructure in one critical way: you provide your own infrastructure, via Microsoft Azure or a hyperconverged appliance, to run the service on. These implementations require specific configurations of the basic infrastructure, with the intent of providing a connection topology equivalent to that of a Horizon Cloud with Hosted Infrastructure deployment. Therefore, while the deployment models are different, they are purposefully very similar from a network connectivity point of view.

A Unified Access Gateway provides the secure edge services for the Horizon Cloud tenant. All communication from the client will be to that edge device, which then communicates to the internal resources.

| Source | Destination | Network Protocol | Destination Port | Details |
|---|---|---|---|---|
| Horizon Client | Unified Access Gateway or security server | TCP | 443 | Login traffic. SSL (HTTPS access) is enabled by default for client connections, but port 80 (HTTP access) can be used in some cases; see Understanding What URL Content Redirection Is in VMware Horizon Cloud Service on Microsoft Azure Administration Guide. Can also carry tunneled RDP, client drive redirection, and USB redirection traffic. |
| Horizon Client | Unified Access Gateway or security server | TCP | 4172 | PCoIP via PCoIP Secure Gateway on Unified Access Gateway. |
| Horizon Client | Unified Access Gateway or security server | UDP | 4172 | PCoIP via PCoIP Secure Gateway on Unified Access Gateway. |
| Horizon Client | Unified Access Gateway | TCP | 443 | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic where port sharing is used. Used when excellent or typical network condition is selected on the client. |
| Horizon Client | Unified Access Gateway | TCP | 443 | Optional for Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (performant channel). Used when excellent or typical network condition is selected on the client. |
| Horizon Client | Unified Access Gateway | UDP | 443 | Blast Extreme via the Unified Access Gateway for data traffic where port sharing is used. Also used for login traffic when poor network condition is selected on the client. |
| Horizon Client | Unified Access Gateway | UDP | 8443 | Optional for Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport). Used when typical or poor network condition is selected on the client. |
| Browser | Unified Access Gateway | TCP | 443 | HTML Access. |
| Browser | Unified Access Gateway | TCP | 443 | VMware Identity Manager login and data traffic. |

Figure 9: Horizon Cloud on Microsoft Azure, External Connection with All Display Protocols

Figure 10: Horizon Cloud on Microsoft Azure, External Connection with Blast Extreme

Figure 11: Horizon Cloud on Microsoft Azure, External Connection with PCoIP

Figure 12: Horizon Cloud on Microsoft Azure, External Connection with HTML Access

Virtual Desktop or RDS Host

| Source | Destination | Network Protocol | Destination Port | Details |
|---|---|---|---|---|
| Horizon Agent | Tenant / node appliance | TCP | 4002 | Java Message Service (JMS) when using enhanced security (default). |
| Horizon Agent | Tenant / node appliance | TCP | 4001 | Java Message Service (JMS), legacy. |
| Horizon Agent | Tenant / node appliance | TCP | 3099 | Desktop message server. |
| App Volumes Agent | App Volumes Manager | TCP | 3443 | Not currently used for Horizon Cloud on Microsoft Azure. Can use port 80 if not using SSL certificates to secure communication. |
| User Environment Manager FlexEngine | File shares | TCP | 445 | User Environment Manager agent access to SMB file shares. |

Unified Access Gateway

| Source | Destination | Network Protocol | Destination Port | Details |
|---|---|---|---|---|
| Unified Access Gateway | Tenant / node appliance | TCP | 443 | Login. |
| Unified Access Gateway | Horizon Agent | TCP | 22443 | Blast Extreme. |
| Unified Access Gateway | Horizon Agent | UDP | 22443 | Blast Extreme. |
| Unified Access Gateway | Horizon Agent | TCP | 4172 | PCoIP. |
| Unified Access Gateway | Horizon Agent | UDP | 4172 | PCoIP. |
| Unified Access Gateway | Horizon Agent | TCP | 3389 | RDP. |
| Unified Access Gateway | Horizon Agent | TCP | 9247 | Optional for client drive redirection (CDR) and multi-media redirection (MMR). By default, when using Blast Extreme, CDR traffic is side-channeled in the Blast Extreme ports indicated previously. If you prefer, this traffic can be separated onto the port indicated here. |
| Unified Access Gateway | Horizon Agent | TCP | 32111 | Optional for USB redirection. By default, USB traffic is side-channeled in the Blast Extreme or PCoIP ports indicated previously. If you prefer, this traffic can be separated onto the port indicated here. |
| Unified Access Gateway | VMware Identity Manager | TCP | 443 | |
| Unified Access Gateway | RADIUS | UDP | 5500 | Other authentication sources such as RADIUS. Default value for RADIUS is shown but is configurable. |

VMware Identity Manager

| Source | Destination | Network Protocol | Destination Port | Details |
|---|---|---|---|---|
| VMware Identity Manager | VMware Identity Manager | TCP | 443 | |
| VMware Identity Manager | VMware Identity Manager | TCP | 9300-9400 | Audit needs. |
| VMware Identity Manager | SMTP server | TCP | 25 | SMTP port to relay outbound mail. |
| VMware Identity Manager | Domain controllers | TCP | 389 | LDAP to Active Directory. Default but is configurable. |
| VMware Identity Manager | Domain controllers | Both | 88 | Kerberos authentication. |
| VMware Identity Manager | Domain controllers | Both | 464 | Kerberos password change. |
| VMware Identity Manager | Domain controllers | TCP | 135 | RPC. |
| VMware Identity Manager | DNS servers | Both | 53 | DNS lookup. |
| VMware Identity Manager | Citrix Integration Broker server | TCP | 80, 443 | Connection to the Citrix Integration Broker. Port option depends on whether a certificate is installed on the Integration Broker server. |
| VMware Identity Manager | File servers | TCP | 445 | Access to the ThinApp repository on SMB share. |
| VMware Identity Manager | vapp-updates.vmware.com | TCP | 443 | Access to the upgrade server. |
| VMware Identity Manager | RSA SecurID system | UDP | 5500 | Default value is shown. This port is configurable. |
| VMware Identity Manager | AirWatch REST API | TCP | 443 | For device compliance checking, and for the AirWatch Cloud Connector password authentication method, if that is used. |
| VMware Identity Manager | Database | TCP | 1433 | If using an external Microsoft SQL database (default port is 1443). |
| VMware Identity Manager | Database | TCP | 5432 | If using an external PostgreSQL database. |
| VMware Identity Manager | Database | TCP | 1521 | If using an external Oracle database. |

Node Appliance, Tenant Appliance, and Tenant Resources

| Source | Destination | Network Protocol | Destination Port | Details |
|---|---|---|---|---|
| Tenant appliance / node appliance / tenant desktops | Global catalog | TCP | 3268 | Server that holds the global catalog role in an Active Directory configuration. This is a necessary resource for the Domain Bind and Domain Join steps of deploying a Horizon Cloud tenant. |
| Tenant appliance / node appliance / tenant desktops | Domain controller | TCP | 389 | LDAP services. Server that holds a domain controller role in an Active Directory configuration. This is a necessary resource for the Domain Bind and Domain Join steps of deploying a Horizon Cloud tenant. |
| Tenant appliance / node appliance / tenant desktops | Domain controller | TCP | 88 | Kerberos services. Server that holds a domain controller role in an Active Directory configuration. This is a necessary resource for the Domain Bind and Domain Join steps of deploying a Horizon Cloud tenant. |
| Tenant appliance / node appliance / tenant desktops | DNS server | TCP | 53 | DNS services. DNS name resolution is required between the AD directory and Horizon Cloud for the Domain Bind and Domain Join steps of deploying a Horizon Cloud tenant. |
| Tenant appliance / node appliance / tenant desktops | File shares | TCP | 445 | User Environment Manager agent access to SMB file shares. |
| Tenant appliance / node appliance | CMS | TCP | 443 | VMware cloud monitoring service. |
| Tenant appliance / node appliance | RADIUS | UDP | 5500 | Other authentication sources such as RADIUS. Default value for RADIUS is shown but is configurable. Applies only to Horizon Cloud with Hosted Infrastructure. |
| Tenant appliance / node appliance | RSA SecurID system | UDP | 5500 | Default value is shown. This port is configurable. Applies only to Horizon Cloud with Hosted Infrastructure. |

Management

| Source | Destination | Network Protocol | Destination Port | Details |
|---|---|---|---|---|
| Admin browser | Horizon Cloud Service | TCP | 443 | https://cloud.horizon.vmware.com/horizonadmin |
| Admin browser | VMware Identity Manager | TCP | 8443 | https://<VMware Identity Manager instance FQDN> and https://<VMware Identity Manager appliance FQDN>:8443/cfg/login |
| Admin PC with RDP client | Utility server* | TCP | 3389 | For console access to Utility servers housed in a given Horizon Cloud with Hosted Infrastructure tenant. |

*Relevant only in Horizon Cloud with Hosted Infrastructure tenant deployments.

About the Author and Contributors

Rick Terlep, End-User-Computing Architect, EUC Technical Marketing, VMware, wrote this document and created the diagrams.

The following people contributed considerable knowledge and assisted with reviewing:

  • Daniel Berkowitz, Architect, EUC Cloud Services, VMware
  • Jerrid Cunniff, Senior Architect, EUC Cloud Services, VMware
  • Graeme Gordon, Senior Staff End-User-Computing Architect, EUC Technical Marketing, VMware
  • Frank Taylor, Principal Engineer, EUC, VMware
  • Griff James, Staff Engineer, EUC, VMware


The following people contributed their knowledge to the VMware Horizon 7 document and diagrams that this document and diagrams were based on:

  • Mark Benson, Sr. Staff Engineer, EUC CTO Office, VMware
  • Paul Green, Staff Engineer, Enterprise Desktop, VMware
  • Ramu Panayappan, Director, R&D, Enterprise Desktop, VMware
  • Andrew Jewitt, Staff Engineer, Enterprise Desktop, VMware
  • Jim Yanik, Senior Manager, EUC Technical Marketing, VMware
  • Frank Anderson, EUC Technical Marketing Architect, EUC Technical Marketing, VMware


To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.