firewall Archives - Ray Heffer

VMware Horizon Client (PCoIP & Blast) Connection Workflow

August 12, 2016 by Ray Heffer

Since I published the Horizon 7 Network Ports diagram with the latest release of Horizon 7, I’ve been frequently asked about the connection flow between the Horizon Client and the virtual desktop. VMware Horizon supports RDP, PCoIP and now Blast Extreme. I’ll start with PCoIP and then we’ll look at Blast Extreme. I’d also like to reference this excellent article by Mark Benson, Load Balancing with VMware Access Point.

The connection flow of the Horizon Client is mostly the same with Horizon 7, Horizon Air or Horizon DaaS. There may be differences in external load-balancing, Security Server or Access Point, and external URL configuration, but for this post I’ll focus on the Horizon Client itself and the aforementioned protocols.

A colleague asked me a very good question which I’d also like to address. How does Access Point know which VM to connect to?

Access Point doesn’t need to know which ESXi host is running the VM. When the entitled desktops are returned to the client(see 1b below) it also receives the external URL of the Access Point appliance, this is where the Horizon Client > Access Point connection is established on HTTPS (TCP 443). This could be a VIP on the load-balancer, or an external facing IP for each of the Access Point appliances, depending on the configuration (see Method 3 of Mark’s article).

When the user launches the chosen desktop pool, Access Point will communicate on HTTPS (TCP 443) to receive the desktop IP from the Connection server. The role of the PCoIP Gateway on the Access Point appliance is to then forward the PCoIP connection to the IP address of the Horizon Agent.

Note: In the past, Security Server used JMS, IPsec and AJP13, but Access Point doesn’t use these protocols (JMS is still used on the Connection Servers). If you refer to my Horizon 7 Network Ports diagram, you’ll see I’ve put these in a dotted line to show this.

Tunneled Connections (PCoIP)

VMware Horizon 6.1.1 Network Ports Diagram

July 14, 2015 by Ray Heffer

With the recent release of VMware Horizon 6.1.1 (June 2015) come many new features and changes. For 3 years now I’ve been maintaining a diagram detailing all of the network ports used by VMware Horizon (formerly View), and I am pleased to share the third version for the latest release. Many new components are present such as Blast on Linux virtual desktops, the new JMS enhanced security mode (JMS SSL), App Volumes and RDS hosts just to name a few.

I’ve also taken the opportunity to separate tunneled (E.g. PCoIP Secure Gateway or Blast Gateway) connections at the top of the diagram and direct connections at the bottom.

The diagram is an A0 PDF (118.88cm x 84.1cm) which is simply huge! Feel free to print this out and use it as a wall poster :)

Download here

Key Firewall Considerations for VMware Horizon 6

Update: App Volumes was showing incorrectly in the DMZ, the diagram has now been updated to show App Volumes Manager in the LAN segment

TCP/UDP 4173: PCoIP port used internally on RDS hosts (note the diagram needs updating, it still uses 4172 from the client) – See page 221 here
TCP 4002: JMS enhanced security mode (SSL)
TCP 5443: Blast protocol listening port for Linux virtual desktop direct connections. Requires Horizon Client (requires Horizon Client 3.3 or higher)
TCP 8443: Blast protocol listening port for Linux virtual desktop connections via Blast Secure Gateway. Requires Horizon Client (requires Horizon Client 3.3 or higher)
TCP 8472: View interpod API (Cloud Pod Architecture)
TCP 22389: Global ADLDS (Cloud Pod Architecture)
HTTPS (443): Horizon Client access, authentication and RDP tunnel (HTTPS Secure Gateway)*
HTTPS (8443): Used for HTML Access. Note: HTML Access for Linux virtual desktops are not officially supported, although most browsers do work.
HTTPS (22443): HTML Access (Blast) to Windows virtual desktops
TCP 9427: Used by Windows multimedia redirection (MMR) and Client Drive Redirection (CDR)
TCP 32111: USB Redirection
ESP (Protocol 50) used for Security Server and Connection Server IPSEC communication (requires Windows firewall with Advanced Security to be enabled)
UDP 500: IPsec negotiation for Security Server and Connection Server communication and pairing.

*I’d also like to point out that if you enable HTTP(S) Secure Gateway, MMR, CDR and USB redirection channels will use HTTPS.

For a full list of network ports please refer to the latest Horizon 6 documentation: https://www.vmware.com/support/pubs/view_pubs.html

VMware Horizon 6 (View) Firewall & Network Ports

June 20, 2014 by Ray Heffer

Updated (July 3rd 2014): Even higher resolution, includes RDS (Remote Desktop Session) hosts, Workspace Portal, MMR and correct PCoIP ports (TCP and UDP)

Back in April 2012 I posted my original View network firewall ports diagram, and it’s been used widely both internally at VMware and in the community. Since Horizon 6 launched this week I thought I’d create a brand new full size diagram to include Cloud Pod Architecture. This updated diagram contains a better layout and a new color theme to boot! This image is 3767 x 2355 pixels, so simply click to enlarge then ‘Save Image’ to get the full size HD version.

You’ll notice the addition of VIPA (View inter-pod API) and ADLDS port 22389 which are both used for Cloud Pod Architecture. Bear in mind that between your View Pods, you will still require the usual Active Directory ports.

Key Firewall Considerations for VMware Horizon 6

TCP 8472: View interpod API (Cloud Pod Architecture) – NEW
TCP 22389: Global ADLDS (Cloud Pod Architecture) – NEW
HTTPS (443): Horizon Client access, authentication and RDP tunnel (HTTPS Secure Gateway)
HTTPS (8443): Used by HTML Access (Blast)
HTTPS (22443): HTML Access (Blast) to Virtual Desktops
TCP 9427: Used by Windows multimedia redirection (MMR)
TCP 32111: USB Redirection
ESP (Protocol 50) used for Security Server and Connection Server IPSEC communication (requires Windows firewall with Advanced Security to be enabled)
UDP 500: IPsec negotiation for Security Server and Connection Server communication and pairing.

For a full list of network ports please refer to the latest Horizon 6 documentation: https://www.vmware.com/support/pubs/view_pubs.html