With the recent release of VMware Horizon 6.1.1 (June 2015) come many new features and changes. For 3 years now I’ve been maintaining a diagram detailing all of the network ports used by VMware Horizon (formerly View), and I am pleased to share the third version for the latest release. Many new components are present, such as Blast on Linux virtual desktops, the new JMS enhanced security mode (JMS SSL), App Volumes and RDS hosts, just to name a few.
I’ve also taken the opportunity to separate tunneled connections (e.g. PCoIP Secure Gateway or Blast Gateway), shown at the top of the diagram, from direct connections, shown at the bottom.
The diagram is an A0 PDF (118.88cm x 84.1cm) which is simply huge! Feel free to print this out and use it as a wall poster :)
Key Firewall Considerations for VMware Horizon 6
Update: App Volumes was incorrectly shown in the DMZ. The diagram has now been updated to show App Volumes Manager in the LAN segment.
- TCP/UDP 4173: PCoIP port used internally on RDS hosts (note the diagram needs updating, it still uses 4172 from the client) – See page 221 here
- TCP 4002: JMS enhanced security mode (SSL)
- TCP 5443: Blast protocol listening port for Linux virtual desktop direct connections. Requires Horizon Client 3.3 or higher.
- TCP 8443: Blast protocol listening port for Linux virtual desktop connections via Blast Secure Gateway. Requires Horizon Client 3.3 or higher.
- TCP 8472: View interpod API (Cloud Pod Architecture)
- TCP 22389: Global ADLDS (Cloud Pod Architecture)
- HTTPS (443): Horizon Client access, authentication and RDP tunnel (HTTPS Secure Gateway)*
- HTTPS (8443): Used for HTML Access. Note: HTML Access for Linux virtual desktops is not officially supported, although most browsers do work.
- HTTPS (22443): HTML Access (Blast) to Windows virtual desktops
- TCP 9427: Used by Windows multimedia redirection (MMR) and Client Drive Redirection (CDR)
- TCP 32111: USB Redirection
- ESP (Protocol 50): Used for Security Server and Connection Server IPsec communication (requires Windows Firewall with Advanced Security to be enabled)
- UDP 500: IPsec negotiation for Security Server and Connection Server communication and pairing.
*I’d also like to point out that if you enable the HTTP(S) Secure Gateway, the MMR, CDR and USB redirection channels will use HTTPS.
For a full list of network ports please refer to the latest Horizon 6 documentation: https://www.vmware.com/support/pubs/view_pubs.html
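One way to put the port list and the HTTP(S) Secure Gateway note above to work is to audit a firewall rule export against them. This is an added example, not part of the original post or VMware's tooling. Assumptions: the `allow <proto> [port|lo-hi]` rule format, the function names and the sample rules are hypothetical, and the list is treated as one flat allowlist, whereas the diagram assigns each port to specific network segments.

```python
import re

# (protocol, port) -> purpose, transcribed from the port list above.
HORIZON_PORTS = {
    ("tcp", 4173): "PCoIP internal on RDS hosts", ("udp", 4173): "PCoIP internal on RDS hosts",
    ("tcp", 4002): "JMS enhanced security mode (SSL)",
    ("tcp", 5443): "Blast, Linux desktop direct",
    ("tcp", 8443): "Blast Secure Gateway / HTML Access",
    ("tcp", 8472): "View interpod API", ("tcp", 22389): "Global ADLDS",
    ("tcp", 443): "Horizon Client HTTPS", ("tcp", 22443): "HTML Access (Blast), Windows",
    ("tcp", 9427): "MMR and CDR", ("tcp", 32111): "USB redirection",
    ("esp", 0): "IPsec ESP", ("udp", 500): "IPsec negotiation",  # ESP has no port: keyed as 0
}
# Channels the post says use HTTPS once the HTTP(S) Secure Gateway is enabled.
TUNNELED = {("tcp", 9427), ("tcp", 32111)}
RULE = re.compile(r"^allow\s+(tcp|udp|esp)(?:\s+(\d+)(?:-(\d+))?)?$")

def parse_rules(text):
    """Parse the hypothetical 'allow <proto> [port|lo-hi]' format into (proto, lo, hi)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()  # drop comments and whitespace
        if not line:
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        lo = int(m.group(2) or 0)
        rules.append((m.group(1), lo, int(m.group(3) or lo)))
    return rules

def audit(rules, secure_gateway=False):
    """Return (listed ports not allowed, unlisted ports opened per rule, tunneled ports still open)."""
    def covered(proto, port):
        return any(p == proto and lo <= port <= hi for p, lo, hi in rules)
    missing = sorted(k for k in HORIZON_PORTS if not covered(*k))
    unlisted = {}
    for p, lo, hi in rules:
        listed = sum(1 for q, n in HORIZON_PORTS if q == p and lo <= n <= hi)
        if (hi - lo + 1) - listed:  # the rule opens ports this post's list does not name
            unlisted[(p, lo, hi)] = (hi - lo + 1) - listed
    # Assumption: with tunneling on, dedicated MMR/CDR/USB rules are review candidates.
    still_open = sorted(k for k in TUNNELED if secure_gateway and covered(*k))
    return missing, unlisted, still_open

# Constructed sample rule export (hypothetical format), not from a real firewall.
SAMPLE = "\n".join([
    "allow tcp 443", "allow tcp 4000-4200  # broad range", "allow udp 4173",
    "allow tcp 8443", "allow tcp 9427", "allow tcp 32111", "allow tcp 3389",
    "allow udp 500", "allow esp"])
```

Ports reported as unlisted are not necessarily wrong, since this post covers only the key ports; check them against the full Horizon 6 documentation before closing anything.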