A typical Horizon FLEX deployment includes the Horizon FLEX server, a file server, an HTTPS proxy, an optional read-only domain controller (RODC), and offsite and onsite end-user systems.

Figure 1 shows the relationships between the major components of a Horizon FLEX deployment.

Figure 1. Sample Horizon FLEX Deployment Without Mirage

Horizon FLEX Server

The Horizon FLEX server is composed of the Horizon FLEX Admin Console and the Horizon FLEX Policy Server. The Horizon FLEX server provides the following functionality.

  • Assigns Horizon FLEX virtual machines to users and groups from a directory service
  • Maintains a record of Horizon FLEX virtual machines in use by individual users
  • Provides security certificate management to ensure secure and trusted communication between the deployed Horizon FLEX virtual machines and the Horizon FLEX server
  • Enforces policy settings on the client
  • Enables modification of policy settings
  • Monitors Horizon FLEX virtual machine status

The Mirage Management Console is the graphical user interface used for scalable maintenance, management, and monitoring of deployed endpoints.

By default, port 7443 is used by the Horizon FLEX Policy Server for external access, and port 8443 is used by the Mirage Management Server to communicate with the Horizon FLEX Policy Server. You must configure your firewall policies to allow the required ports. For a complete list of ports used by Mirage, see the Mirage documentation at https://www.vmware.com/support/pubs/mirage_pubs.html.
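One way to check a firewall policy against the two default ports above, as an added example that is not part of the VMware documentation. The `Rule` format, the `audit` function, and the sample addresses are hypothetical, and limiting port 8443 to the Mirage Management Server alone is a least-privilege assumption, not a stated product requirement.

```python
import ipaddress
from dataclasses import dataclass

POLICY_PORT = 7443   # Horizon FLEX Policy Server, external access (page default)
MIRAGE_PORT = 8443   # Mirage Management Server -> Policy Server (page default)

@dataclass(frozen=True)
class Rule:
    """Hypothetical simplified allow rule; not a vendor firewall format."""
    source: str  # source CIDR
    dest: str    # destination host IP
    port: int    # destination TCP port

def audit(rules, policy_server, mirage_server):
    """Return findings for the allow rules that target the policy server."""
    mirage = ipaddress.ip_address(mirage_server)
    findings, seen_policy, seen_mirage = [], False, False
    for r in rules:
        if r.dest != policy_server:
            continue  # rules for other hosts are out of scope here
        net = ipaddress.ip_network(r.source, strict=False)
        if r.port == POLICY_PORT:
            seen_policy = True
        elif r.port == MIRAGE_PORT:
            # Assumption: only the Mirage Management Server needs this port.
            if net.num_addresses == 1 and mirage in net:
                seen_mirage = True
            else:
                findings.append(f"too broad: {r.source} -> {MIRAGE_PORT}/tcp")
        else:
            # Other ports may be legitimate; compare with the Mirage port list.
            findings.append(f"review: {r.source} -> {r.port}/tcp not listed here")
    if not seen_policy:
        findings.append(f"missing: {POLICY_PORT}/tcp to policy server")
    if not seen_mirage:
        findings.append(f"missing: {MIRAGE_PORT}/tcp from Mirage Management Server")
    return findings

# Constructed sample rule set using documentation address ranges.
SAMPLE = [
    Rule("0.0.0.0/0", "192.0.2.10", 7443),
    Rule("0.0.0.0/0", "192.0.2.10", 8443),
    Rule("192.0.2.20/32", "192.0.2.10", 8443),
    Rule("198.51.100.0/24", "192.0.2.10", 3389),
    Rule("0.0.0.0/0", "192.0.2.30", 443),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, "192.0.2.10", "192.0.2.20"):
        print(finding)
```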

File Server

A file server stores the TAR files that contain the source virtual machine files for Horizon FLEX virtual machines. The file server can be on any server that a client user can access without entering credentials. The file server is located inside the DMZ in this example, but that is not required.


HTTPS Proxy

An HTTPS proxy enables offsite end-user systems to reach the Horizon FLEX server and get policy updates.


RODC

An RODC enables offsite end-user systems to log in to their Horizon FLEX virtual machines and join the Active Directory domain for the first boot up of the virtual machine. An RODC is required only if you are allowing outside users to log in without using a VPN. The RODC is inside the DMZ.

Load Balancing

Horizon FLEX supports load balancing using multiple policy servers. For more information about setting up multiple Mirage servers for load balancing, see the Mirage documentation.