For a successful deployment of Horizon 7, you must follow these firewall rules.
Firewall Rules
The following table describes firewall rules for the Management Gateway on VMware Cloud on Dell EMC:
Rule Name | Service Name | Ports | Action | Source | Destination |
---|---|---|---|---|---|
Any SSO | SSO (TCP 7444) | 7444 | Allow | Any | vCenter |
vCenter (ANY) to Management-On-Prem | Any (All Traffic) | Any | Allow | vCenter | Compute/On-prem subnet |
ESXi (ANY) to Management-On-Prem | Any (All Traffic) | Any | Allow | ESXi | Compute/On-prem subnet |
Management-On-Prem to vCenter (HTTPS) | HTTPS (TCP 443) | 443 | Allow | Compute/On-prem subnet | vCenter |
Management-On-Prem to vCenter (ICMP) | ICMP (All ICMP) | Any | Allow | Compute/On-prem subnet | vCenter |
Management-On-Prem to ESXi (Provisioning) | Provisioning (TCP 902) | 902 | Allow | Compute/On-prem subnet | ESXi |
Management-On-Prem to ESXi (Remote Console) | Remote Console (TCP 903) | 903 | Allow | Compute/On-prem subnet | ESXi |
Management-On-Prem to ESXi (ICMP) | ICMP (All ICMP) | Any | Allow | Compute/On-prem subnet | ESXi |
Default Deny All | Any (All Traffic) | Any | Deny | Any | Any |
Although you can select Any as the source address in a firewall rule, using Any as the source address in a rule that allows traffic to vCenter, such as the Any SSO rule in the preceding table, can enable attacks on your vCenter Server and may lead to compromise of your SDDC. As a best practice, configure this firewall rule to allow access only from trusted source addresses. See VMware Knowledge Base article 84154.
The following table describes firewall rules for the Compute Gateway on VMware Cloud on Dell EMC.
Rule Name | Service Name | Ports | Action | Source | Destination |
---|---|---|---|---|---|
Compute (ANY) to Uplink Network | Any (All Traffic) | Any | Allow | Any | Uplink Connection |
Management-On-Prem (ANY) to BackEnd | Any (All Traffic) | Any | Allow | On-Premises Management subnet | Management Subnet |
The firewall rule configurations in the preceding table are generic. However, you can modify the firewall rules to allow specific ports for Horizon 7 based on your requirements. For information on the Horizon ports, see Network Ports in VMware Horizon 7. For users to access specific applications, you must also configure the application-specific ports. Obtain the application-specific port details from the vendor.