VMware Horizon Cloud Service - next-generation Network Ports Diagrams
This document provides port and protocol requirements for connectivity between the various components and servers in a VMware Horizon® Cloud Service™ next-generation deployment on Microsoft Azure infrastructure. This document is intended to be a companion to the , which provides ports and protocols in tabular format. The tables tell you which ports must be opened for traffic from the end users' connections to reach their pod-provisioned virtual desktops and remote applications, as well as how to choose how your end users will connect.
This document leverages the Horizon Cloud Service on Microsoft Azure product documentation for a tabular listing of all possible ports from a source component to destination components within a typical Horizon Cloud Service on Microsoft Azure deployment. This does not mean that all these ports necessarily need to be open. If a component or protocol is not in use, then the ports associated with it can be ignored. For example:
- If you are not using Client Drive Redirection, you do not need to open the required ports.
- If you are not leveraging USB access, ports to and from it can be ignored.
Furthermore, this document does not list all possible ports for all possible integrations with third-party services. The document lists ports to third-party services that are critical to a functioning deployment.
Ports shown are destination ports. In the diagrams, arrows depict the direction of communication from source to destination and assume a stateful connection.
The Horizon Cloud tables and diagrams include connections to the following products, product families, and components:
- VMware Horizon® Client™
- VMware Unified Access Gateway™
- VMware Dynamic Environment Manager™
Client Connections to Horizon Cloud Service next-generation on Microsoft Azure Infrastructure
Deploying Horizon Cloud Service next-generation on Microsoft Azure infrastructure is relatively straightforward. It is important to know that your Microsoft Azure infrastructure must be available and configured for basic networking functionality. This includes the ability to communicate with core infrastructure platform components such as DNS, Active Directory, and file shares.
You also need to make sure that you have properly configured a supported Identity Provider for both user identity (i.e., Workspace ONE Access, Azure Active Directory) and machine identity (Active Directory) and that the two directories are synchronizing correctly (via Azure Active Directory Domain Services or other methods).
Note: The only display protocol that is allowed for use with Horizon Cloud Service – next-generation is Blast Extreme.
Note: This cloud service does change on a regular basis with regular updates to cloud-based components. If you have a deployment of Horizon Cloud Service next-generation with Microsoft Azure infrastructure based on a release different than what is documented for this document, assume that the details in the VMware Horizon Cloud Service – next-gen Product Documentation are canonical.
Horizon Cloud Service – next-gen is primarily a cloud-based service designed to have a minimal footprint in the customer domain. Most of the service configuration is done through the Horizon Cloud Universal Console. A lightweight Horizon Edge Gateway is implemented in a customer-provided Microsoft Azure subscription. For details on the deployment architecture of Horizon Cloud Service – next-generation, see the .
To facilitate the functionality Horizon Cloud Service – next-generation, the service requires connectivity or visibility to various cloud-based resources, in addition to the network ports requirements. These resources are documented in the .
The following All Network Ports diagram is a combination of all options in a single diagram.
Figure 1: All network ports for a standard deployment of Horizon Edge Gateway component in a Provider
The All Network Ports diagram describes all supported connection and protocol types.
Client Connections to Horizon Cloud Service next-generation on Microsoft Azure Infrastructure leveraging Azure Private Link Service
You may optionally elect to use the to simplify network communications from your end-user resources. Choosing the option to use Azure Private Link Service during Horizon Edge deployment allows for you to direct all Horizon desktop and RDS server resources to communicate to the Horizon Control Plane over Azure Private Link.
Use of Azure Private Link will change the destination of MQTT traffic from the Horizon Agent to Horizon Control Plane. See Figure 2 for details.
Figure 2: All network ports for a standard deployment of Horizon Edge Gateway component in a Provider leveraging Microsoft Azure Private Link Service.
The diagram in Figure 2 shows all supported connection and protocol types when using Azure Private Link Service.
For more information about Horizon Cloud Service – next-generation, explore the following resources:
The following updates were made to this guide:
Description of Changes
About the Author and Contributors
- , Senior Staff Architect, EUC Technical Marketing, VMware
- , Technical Marketing Manager, EUC Technical Marketing, VMware
Your feedback is valuable.