Network Ports in VMware Horizon 7
Printed 13 April 2018
Table of Contents

About This Guide
Client Connections
    Internal Connection
    External Connection
    Tunneled Connection
Virtual Desktop or RDS Host
View Connection Server
vCenter Server and View Composer
Unified Access Gateway
Security Server
VMware Identity Manager
App Volumes
vRealize Operations for Horizon
Management
Display-Protocol-Specific Diagram Views
About the Author and Contributors
About This Guide

This document lists the port requirements for connectivity between the various components and servers in a VMware Horizon 7 deployment.

Figure 1: Horizon 7 Network Ports with All Connection Types and All Display Protocols

Figure 1 shows three different client connection types and includes all display protocols. Different subsets of this diagram are displayed throughout this document and linked to larger PDF layouts. To view these larger PDF diagram layouts, open the Attachments panel in this file or click the diagram images in the layout. You might need to download this PDF and view it locally (rather than in a browser) for full interactive functionality. Each subset of Figure 1 focuses on a particular connection type and display protocol. The PDF diagrams are high-resolution graphics in a format suitable for printing as posters.

This document also contains tables that list all possible ports from a source component to destination components. This does not mean that all of these ports necessarily need to be open. If a component or display protocol is not in use, the ports associated with it can be omitted. For example:

- If Blast Extreme is the only display protocol used, the PCoIP ports need not be opened.
- If VMware vRealize Operations for Horizon is not deployed, the ports to and from it can be ignored.

Ports shown are destination ports.

The Horizon 7 tables and diagrams include connections to the following products, product families, and components:

- vRealize Operations for Horizon
- VMware Horizon Client
- VMware Identity Manager
- VMware Unified Access Gateway
- VMware App Volumes
- VMware User Environment Manager
- VMware vCenter Server
- VMware ESXi
- VMware AirWatch
- VMware ThinApp

Client Connections

Network ports for connections between a client (either Horizon Client or a browser) and the various Horizon 7 components vary by whether the connection is internal, external, or tunneled.

Internal Connection

An internal connection is typically used within the internal network. Initial authentication is performed against the View Connection Server, and the Horizon Client then connects directly to the Horizon Agent running in the virtual desktop or RDS host. The following table lists network ports for internal connections from a client device to Horizon 7 components. The diagrams following the table show network ports for internal connections, by display protocol.
| Source | Destination | Network protocol | Port | Description |
|---|---|---|---|---|
| Horizon Client | View Connection Server | TCP | 443 | Login traffic. SSL (HTTPS access) is enabled by default for client connections, but port 80 (HTTP access) can be used in some cases. See HTTP Redirection in View in the View Security guide. |
| Horizon Client | Horizon Agent | TCP | 22443 | Blast Extreme. Excellent or typical network condition is selected on the client. |
| Horizon Client | Horizon Agent | UDP | 22443 | Blast Extreme. Typical network condition is selected on the client. |
| Horizon Client | Horizon Agent | TCP | 4172 | PCoIP. |
| Horizon Client | Horizon Agent | UDP | 4172 | PCoIP. |
| Horizon Client | Horizon Agent | TCP | 3389 | RDP. |
| Horizon Client | Horizon Agent | TCP | 9427 | Optional for client drive redirection (CDR) and multimedia redirection (MMR). By default, when using Blast Extreme, CDR traffic is side-channeled in the Blast Extreme ports listed above. If you prefer, this traffic can be separated onto the port listed here. |
| Horizon Client | Horizon Agent | TCP | 32111 | Optional for USB redirection. By default, USB traffic is side-channeled in the Blast Extreme or PCoIP ports listed above. If desired, this traffic can be separated onto the port listed here. |
| Browser | View Connection Server | TCP | 443 | HTML Access. |
| Browser | VMware Identity Manager | TCP | 443 | VMware Identity Manager. |
Figure 2: Internal Connection Showing All Display Protocols
Figure 3: Blast Extreme Internal Connection
Figure 4: PCoIP Internal Connection
Figure 5: HTML Access Internal Connection

External Connection

An external connection provides secure access to Horizon 7 resources from an external network. A Unified Access Gateway or a security server provides the secure edge services. All communication from the client goes to that edge device, which then communicates with the internal resources. The following table lists network ports for external connections from a client device to Horizon 7 components. The diagrams following the table show network ports for external connections, by display protocol, all using Unified Access Gateway.
| Source | Destination | Network protocol | Port | Description |
|---|---|---|---|---|
| Horizon Client | Unified Access Gateway or security server | TCP | 443 | Login traffic. SSL (HTTPS access) is enabled by default for client connections, but port 80 (HTTP access) can be used in some cases. See HTTP Redirection in View in the View Security guide. Can also carry tunneled RDP, client drive redirection, and USB redirection traffic. |
| Horizon Client | Unified Access Gateway or security server | TCP | 4172 | PCoIP via PCoIP Secure Gateway on Unified Access Gateway or security server. |
| Horizon Client | Unified Access Gateway or security server | UDP | 4172 | PCoIP via PCoIP Secure Gateway on Unified Access Gateway or security server. |
| Horizon Client | Unified Access Gateway | TCP | 443 | Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic where port sharing is used. Excellent or typical network condition is selected on the client. |
| Horizon Client | Unified Access Gateway | TCP | 8443 | Optional for Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (performant channel). Excellent or typical network condition is selected on the client. |
| Horizon Client | Unified Access Gateway | UDP | 443 | Blast Extreme via Unified Access Gateway for data traffic where port sharing is used. Also used for login traffic when poor network condition is selected on the client. |
| Horizon Client | Unified Access Gateway | UDP | 8443 | Optional for Blast Extreme via Blast Secure Gateway on Unified Access Gateway for data traffic (adaptive transport). Typical or poor network condition is selected on the client. |
| Horizon Client | Security server | TCP | 9443 | Blast Extreme via Blast Secure Gateway on security server. |
| Browser | Unified Access Gateway or security server | TCP | 443 | HTML Access. |
| Browser | Unified Access Gateway | TCP | 443 | VMware Identity Manager login and data traffic. |
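As an added example that is not part of the original guide, the following Python script encodes the internal and external (Unified Access Gateway) client tables above and derives the minimal set of client-side firewall rules from the choices the guide says let ports be omitted: the display protocols in use, whether CDR and USB stay side-channeled, and whether Blast Extreme shares port 443 on the gateway or uses the optional 8443 channel. It assumes the port values those tables give (TCP/UDP 22443 for Blast Extreme internally, 443 and optional 8443 on the gateway, 4172 for PCoIP, 3389 for RDP, 9427 for CDR/MMR, 32111 for USB); the function and table names are this example's own.

```python
"""Derive client-side firewall rules for a Horizon 7 deployment from the choices
the guide says let you omit ports (protocols in use, side channels, port sharing)."""
from typing import Dict, Iterable, List, Tuple

Rule = Tuple[str, int]  # (network protocol, destination port)

# Horizon Client -> View Connection Server / Horizon Agent (internal connection)
INTERNAL: Dict[str, List[Tuple[str, int, str]]] = {
    "login": [("TCP", 443, "Login traffic to the View Connection Server")],
    "blast": [("TCP", 22443, "Blast Extreme"), ("UDP", 22443, "Blast Extreme")],
    "pcoip": [("TCP", 4172, "PCoIP"), ("UDP", 4172, "PCoIP")],
    "rdp": [("TCP", 3389, "RDP")],
    "cdr": [("TCP", 9427, "CDR/MMR separated from the display-protocol channel")],
    "usb": [("TCP", 32111, "USB redirection separated from the display-protocol channel")],
}
# Horizon Client -> Unified Access Gateway (external connection)
EXTERNAL: Dict[str, List[Tuple[str, int, str]]] = {
    "login": [("TCP", 443, "Login; also carries tunneled RDP, CDR and USB traffic")],
    "blast": [("TCP", 443, "Blast Extreme via Blast Secure Gateway, port sharing"),
              ("UDP", 443, "Blast Extreme via Unified Access Gateway, port sharing")],
    "blast_8443": [("TCP", 8443, "Blast Extreme, performant channel"),
                   ("UDP", 8443, "Blast Extreme, adaptive transport")],
    "pcoip": [("TCP", 4172, "PCoIP via PCoIP Secure Gateway"),
              ("UDP", 4172, "PCoIP via PCoIP Secure Gateway")],
    "rdp": [],  # tunneled inside the 443 login connection, nothing extra to open
}

def required_ports(connection: str, protocols: Iterable[str], separate_cdr: bool = False,
                   separate_usb: bool = False, blast_port_sharing: bool = True) -> Dict[Rule, List[str]]:
    """Return {(protocol, port): [reasons]} for exactly the features in use."""
    table = {"internal": INTERNAL, "external": EXTERNAL}[connection]
    wanted = ["login"] + list(protocols)
    if connection == "internal":  # side channels only matter for a direct connection
        wanted += (["cdr"] if separate_cdr else []) + (["usb"] if separate_usb else [])
    elif "blast" in wanted and not blast_port_sharing:  # Blast data moved off 443
        wanted = [p for p in wanted if p != "blast"] + ["blast_8443"]
    rules: Dict[Rule, List[str]] = {}
    for name in wanted:
        if name not in table:
            raise ValueError(f"{name!r} is not an option for a {connection} connection")
        for proto, port, reason in table[name]:
            rules.setdefault((proto, port), []).append(reason)  # merge shared ports
    return rules

def render(rules: Dict[Rule, List[str]]) -> List[str]:
    """One human-readable line per rule, sorted by protocol then port."""
    return [f"{proto} {port}: {'; '.join(why)}" for (proto, port), why in sorted(rules.items())]
```

For example, `render(required_ports("external", ["blast"]))` yields only TCP 443 and UDP 443, which is the guide's point that a Blast-only deployment behind Unified Access Gateway needs no PCoIP or 8443 rules.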
Figure 6: External Connection Showing All Display Protocols (Using Unified Access Gateway)
Figure 7: Blast Extreme External Connection (Using Unified Access Gateway)
Figure 8: PCoIP External Connection (Using Unified Access Gateway)
Figure 9: HTML Access External Connection (Using Unified Access Gateway)

Tunneled Connection

A tunneled connection uses the View Connection Server to provide gateway services. Authentication and session traffic is routed through the View Connection Server. This approach is less frequently used because Unified Access Gateway provides the same functionality and more. The following table lists network ports for tunneled connections from a client device to the Horizon 7 components. The diagrams following the table show network ports for tunneled connections, by display protocol.
| Source | Destination | Network protocol | Port | Description |
|---|---|---|---|---|
| Horizon Client | View Connection Server | TCP | 443 | Login. SSL (HTTPS access) is enabled by default for client connections, but port 80 (HTTP access) can be used in certain cases. See HTTP Redirection in View in the View Security guide. Can also carry tunneled RDP, client drive redirection, and USB redirection traffic. |
| Horizon Client | View Connection Server | TCP | 8443 | Blast Extreme to Blast Secure Gateway. Excellent or typical network condition is selected on the client. |
| Horizon Client | View Connection Server | TCP | 4172 | PCoIP to PCoIP Secure Gateway. |
| Horizon Client | View Connection Server | UDP | 4172 | PCoIP to PCoIP Secure Gateway. |
| Browser | View Connection Server | TCP | 443 | HTML Access. |
| Browser | VMware Identity Manager | TCP | 443 | VMware Identity Manager. |
Figure 10: Tunneled Connection Showing All Display Protocols
Figure 11: Blast Extreme Tunneled Connection
Figure 12: PCoIP Tunneled Connection
Figure 13: HTML Access Tunneled Connection

Virtual Desktop or RDS Host

The following table lists network ports for connections from a virtual desktop or RDS host to other Horizon 7 components.

| Source | Destination | Network protocol | Port | Description |
|---|---|---|---|---|
| Horizon Agent | View Connection Server | TCP | 4002 | Java Message Service (JMS) when using enhanced security (default). |
| Horizon Agent | View Connection Server | TCP | 4001 | JMS (legacy). |
| Horizon Agent | View Connection Server | TCP | 389 | Only required when doing an unmanaged agent registration, for example, an RDSH agent install without the linked-clone or instant-clone component. |
| Horizon Agent | vRealize Operations for Horizon* | TCP | 3091 | Remote Method Invocation (RMI) registry lookup. |
| Horizon Agent | vRealize Operations for Horizon* | TCP | 3099 | Desktop message server. |
| App Volumes Agent | App Volumes Manager | TCP | 443 | Can use port 80 if not using SSL certificates to secure communication. |
| App Volumes Agent | App Volumes Manager | TCP | 5895 | PowerShell web services. |
| User Environment Manager FlexEngine | File shares | TCP | 445 | User Environment Manager agent access to SMB file shares. |

* VMware vRealize Operations for Horizon ports shown are for version 6.2. See the vRealize Operations for Horizon documentation for earlier versions.

View Connection Server

The following table lists network ports for connections from a View Connection Server to other Horizon 7 components.

| Source | Destination | Network protocol | Port | Description |
|---|---|---|---|---|
| View Connection Server | Horizon Agent | TCP | 22443 | Blast Extreme for a tunneled connection. |
| View Connection Server | Horizon Agent | TCP | 4172 | PCoIP for a tunneled connection. |
| View Connection Server | Horizon Agent | UDP | 4172 | PCoIP for a tunneled connection. |
| View Connection Server | Horizon Agent | TCP | 3389 | RDP for a tunneled connection. |
| View Connection Server | Horizon Agent | TCP | 9427 | Optional for client drive redirection (CDR) and multimedia redirection (MMR) for a tunneled connection. By default, when using Blast Extreme, CDR traffic is side-channeled in the Blast Extreme ports listed above. If you prefer, this traffic can be separated onto the port listed here. |
| View Connection Server | Horizon Agent | TCP | 32111 | Optional for USB redirection for a tunneled connection. By default, USB traffic is side-channeled in the Blast Extreme or PCoIP ports listed above. If you prefer, this traffic can be separated onto the port listed here. |
| View Connection Server | vCenter Server | TCP | 443 | SOAP messages. |
| View Connection Server | View Composer | TCP | 18443 | SOAP messages. |
| View Connection Server | View Connection Server | TCP | 4100 | JMS to a replica View Connection Server for redundancy and scale. |
| View Connection Server | View Connection Server | TCP | 4101 | JMS SSL to a replica View Connection Server for redundancy and scale. |
| View Connection Server | View Connection Server | TCP | 22389 | Cloud Pod Architecture ADLDS global LDAP replication. |
| View Connection Server | View Connection Server | TCP | 32111 | Used only during installation of a replica View Connection Server. |
| View Connection Server | View Connection Server | TCP | 389 | Used only during installation of a replica View Connection Server. |
| View Connection Server | View Connection Server | TCP | 22636 | Cloud Pod Architecture ADLDS secure global LDAP replication. |
| View Connection Server | View Connection Server | TCP | 8472 | Cloud Pod Architecture inter-pod VIPA. |
| View Connection Server | View Connection Server | TCP | 135 | Required when joining a Cloud Pod Architecture (CPA) federation. |
| View Connection Server | Enrollment server | TCP | 32111 | Enrollment server communication. |
| View Connection Server | Security server | UDP | 500 | IPsec negotiation traffic. |
| View Connection Server | Security server | UDP | 4500 | NAT-T ISAKMP. |
| View Connection Server | VMware Identity Manager | TCP | 443 | Message bus. |
| View Connection Server | vRealize Operations for Horizon | TCP | 3091 | Remote Method Invocation (RMI) registry lookup. |
| View Connection Server | vRealize Operations for Horizon | TCP | 3101 | Broker message server. Sends topology data. |
| View Connection Server | vRealize Operations for Horizon | TCP | 3100 | Certificate management server. Pairing. |
| View Connection Server | RSA SecurID Authentication Manager | UDP | 5500 | Two-factor authentication. Default value is shown. This port is configurable. |

vCenter Server and View Composer

The following table lists network ports for connections from a vCenter Server and a View Composer server to other Horizon 7 components.

| Source | Destination | Network protocol | Port | Description |
|---|---|---|---|---|
| vCenter Server | ESXi | TCP | 902 | SOAP. |
| View Composer | vCenter Server | TCP | 443 | SOAP. |
| View Composer | ESXi | TCP | 902 | SOAP. |

Unified Access Gateway

The following table lists network ports for connections from a Unified Access Gateway to other Horizon 7 components.

| Source | Destination | Network protocol | Port | Description |
|---|---|---|---|---|
| Unified Access Gateway | View Connection Server | TCP | 443 | Login. |
| Unified Access Gateway | Horizon Agent | TCP | 22443 | Blast Extreme. |
| Unified Access Gateway | Horizon Agent | UDP | 22443 | Blast Extreme. |
| Unified Access Gateway | Horizon Agent | TCP | 4172 | PCoIP. |
| Unified Access Gateway | Horizon Agent | UDP | 4172 | PCoIP. |
| Unified Access Gateway | Horizon Agent | TCP | 3389 | RDP. |
| Unified Access Gateway | Horizon Agent | TCP | 9427 | Optional for client drive redirection (CDR) and multimedia redirection (MMR). By default, when using Blast Extreme, CDR traffic is side-channeled in the Blast Extreme ports listed above. If you prefer, this traffic can be separated onto the port listed here. |
| Unified Access Gateway | Horizon Agent | TCP | 32111 | Optional for USB redirection. By default, USB traffic is side-channeled in the Blast Extreme or PCoIP ports listed above. If you prefer, this traffic can be separated onto the port listed here. |
| Unified Access Gateway | VMware Identity Manager | TCP | 443 | Connection to VMware Identity Manager. |
| Unified Access Gateway | RADIUS, other authentication sources | UDP | 5500 | Other authentication sources such as RADIUS. Default value for RADIUS is shown but is configurable. |

Security Server

The following table lists network ports for connections from a security server to other Horizon 7 components. The diagrams following the table show network ports for external connections when using a security server, by display protocol.

| Source | Destination | Network protocol | Port | Description |
|---|---|---|---|---|
| Security server | View Connection Server | UDP | 500 | IPsec negotiation traffic. |
| Security server | View Connection Server | ESP (IP protocol 50) | | AJP13-forwarded web traffic, when using IPsec without a NAT device. |
| Security server | View Connection Server | UDP | 4500 | AJP13-forwarded web traffic, when using IPsec through a NAT device. |
| Security server | View Connection Server | TCP | 8009 | AJP13-forwarded web traffic, if not using IPsec. |
| Security server | View Connection Server | TCP | 4001 | JMS traffic. |
| Security server | View Connection Server | TCP | 4002 | JMS SSL traffic. |
| Security server | Horizon Agent | TCP | 22443 | Blast Extreme. |
| Security server | Horizon Agent | TCP | 4172 | PCoIP. |
| Security server | Horizon Agent | UDP | 4172 | PCoIP. |
| Security server | Horizon Agent | TCP | 3389 | RDP. |
| Security server | Horizon Agent | TCP | 9427 | Optional for client drive redirection (CDR) and multimedia redirection (MMR). By default, when using Blast Extreme, CDR traffic is side-channeled in the Blast Extreme ports listed above. If you prefer, this traffic can be separated onto the port listed here. |
| Security server | Horizon Agent | TCP | 32111 | Optional for USB redirection. By default, USB traffic is side-channeled in the Blast Extreme or PCoIP ports listed above. If you prefer, this traffic can be separated onto the port listed here. |
Figure 14: External Connection Showing All Display Protocols (Using Security Server)
Figure 15: Blast Extreme External Connection (Using Security Server)
Figure 16: PCoIP External Connection (Using Security Server)
Figure 17: HTML Access External Connection (Using Security Server)

VMware Identity Manager

The following table lists the network ports for connections from VMware Identity Manager to other Horizon 7 components.

| Source | Destination | Network protocol | Port | Description |
|---|---|---|---|---|
| VMware Identity Manager | View Connection Server | TCP | 389 | LDAP to the View Connection Server. |
| VMware Identity Manager | VMware Identity Manager | TCP | 9300-9400 | Audit needs. |
| VMware Identity Manager | SMTP server | TCP | 25 | SMTP port to relay outbound mail. |
| VMware Identity Manager | Domain controllers | TCP | 389 | LDAP to Active Directory. Default, but configurable. |
| VMware Identity Manager | Domain controllers | Both | 88 | Kerberos authentication. |
| VMware Identity Manager | Domain controllers | Both | 464 | Kerberos password change. |
| VMware Identity Manager | Domain controllers | TCP | 135 | RPC. |
| VMware Identity Manager | DNS servers | Both | 53 | DNS lookup. |
| VMware Identity Manager | Citrix Integration Broker server | TCP | 80, 443 | Connection to the Citrix Integration Broker. The port option depends on whether a certificate is installed on the Integration Broker server. |
| VMware Identity Manager | File servers | TCP | 445 | Access to the VMware ThinApp repository on an SMB share. |
| VMware Identity Manager | vapp-updates.vmware.com | TCP | 443 | Access to the upgrade server. |
| VMware Identity Manager | RSA SecurID system | UDP | 5500 | Default value is shown. This port is configurable. |
| VMware Identity Manager | VMware AirWatch REST API | TCP | 443 | For device compliance checking, and for the VMware AirWatch Cloud Connector password authentication method, if that is used. |
| VMware Identity Manager | Database | TCP | 1433 | If using an external Microsoft SQL database (default port is 1433). |
| VMware Identity Manager | Database | TCP | 5432 | If using an external PostgreSQL database. |
| VMware Identity Manager | Database | TCP | 1521 | If using an external Oracle database. |

App Volumes

The following table lists network ports for connections from App Volumes to other Horizon 7 components.

| Source | Destination | Network protocol | Port | Description |
|---|---|---|---|---|
| App Volumes Manager | vCenter Server | TCP | 443 | SOAP. |
| App Volumes Manager | ESXi | TCP | 443 | Hostd. |
| App Volumes Manager | Database | TCP | 1433 | Default port for Microsoft SQL. |

vRealize Operations for Horizon

The following table lists network ports for connections from vRealize Operations for Horizon to other Horizon 7 components.

| Source | Destination | Network protocol | Port | Description |
|---|---|---|---|---|
| vRealize Operations for Horizon | View Connection Server | TCP | 3091 | Remote Method Invocation (RMI) registry lookup. |
| vRealize Operations for Horizon | View Connection Server | TCP | 3101 | Broker message server. Sends topology data. |
| vRealize Operations for Horizon | View Connection Server | TCP | 3100 | Certificate management server. Pairing. |
| vRealize Operations for Horizon | Horizon Agent | TCP | 3091 | Remote Method Invocation (RMI) registry lookup. |
| vRealize Operations for Horizon | Horizon Agent | TCP | 3099 | Desktop message server. |
| vRealize Operations for Horizon | Unified Access Gateway | TCP | 9443 | Monitoring of Unified Access Gateway appliances. |
| vRealize Operations for Horizon | App Volumes Servers | TCP | 443 | Monitoring of App Volumes servers. |

Management

The following table lists network ports for the administrative consoles in Horizon 7.

| Administrative console (in browser) | Network protocol | Port | URL |
|---|---|---|---|
| View Connection Server | TCP | 443 | https://<Connection Server FQDN>/admin |
| vCenter Server | TCP | 443 | https://<vCenter Server FQDN>/vsphere-client or https://<vCenter Server FQDN>/ui |
| App Volumes Manager | TCP | 443 | https://<App Volumes Manager FQDN>/ |
| VMware Identity Manager | TCP | 443 | https://<Identity Manager instance FQDN> |
| VMware Identity Manager | TCP | 8443 | https://<Identity Manager appliance FQDN>:8443/cfg/login |
| vRealize Operations for Horizon | TCP | 443 | https://<vRealize FQDN or IP address>/admin |
| Unified Access Gateway | TCP | 9443 | https://<Unified Access Gateway FQDN or IP address>:9443/admin/ |

Display-Protocol-Specific Diagram Views

The following diagrams display network ports for connections, by display protocol (Blast Extreme or PCoIP), and for HTML Access client connections.
Figure 18: Blast Extreme Connections
Figure 19: PCoIP Connections
Figure 20: HTML Access Connections

About the Author and Contributors

Graeme Gordon, Senior Staff End-User-Computing Architect, EUC Technical Marketing, VMware, created these network-port diagrams and wrote the accompanying document.

The following people contributed their knowledge and assisted with reviewing:

- Frank Anderson, EUC Technical Marketing Architect, EUC Technical Marketing, VMware
- Mark Benson, Sr. Staff Engineer, EUC CTO Office, VMware
- Paul Green, Staff Engineer, Enterprise Desktop, VMware
- Ray Heffer, Global Cloud Architect, VMware
- Andrew Jewitt, Staff Engineer, Enterprise Desktop, VMware
- Ramu Panayappan, Director, R&D, Enterprise Desktop, VMware
- Rick Terlep, EUC Architect, EUC Technical Marketing, VMware
- Jim Yanik, Senior Manager, EUC Technical Marketing, VMware

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.
VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com Copyright 2017 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.