DMZ-based security servers require certain firewall rules on the front-end and back-end firewalls. During installation, View services are set up to listen on certain network ports by default. If necessary, to comply with organization policies or to avoid contention, you can change which port numbers are used.

Important: For additional details and security recommendations, see the View Security document.

Front-End Firewall Rules

To allow external client devices to connect to a security server within the DMZ, the front-end firewall must allow traffic on certain TCP and UDP ports. Table 1 summarizes the front-end firewall rules.

Table 1. Front-End Firewall Rules
Source Default Port Protocol Destination Default Port Notes
Horizon Client TCP Any HTTP Security Server TCP 80 (Optional) External client devices connect to a security server within the DMZ on TCP port 80 and are automatically directed to HTTPS. For information about the security considerations related to letting users connect with HTTP rather than HTTPS, see the View Security guide.
Horizon Client TCP Any HTTPS Security server TCP 443 External client devices connect to a security server within the DMZ on TCP port 443 to communicate with a Connection Server instance and remote desktops and applications.
Horizon Client TCP Any

UDP Any

PCoIP Security server TCP 4172

UDP 4172

External client devices connect to a security server within the DMZ on TCP port 4172 and UDP port 4172 to communicate with a remote desktop or application over PCoIP.
Security Server UDP 4172 PCoIP Horizon Client UDP Any Security servers send PCoIP data back to an external client device from UDP port 4172. The destination UDP port is the source port from the received UDP packets. Because these packets contain reply data, it is normally unnecessary to add an explicit firewall rule for this traffic.
Client Web browser TCP Any HTTPS Security server TCP 8443 If you use HTML Access, the external Web client connects to a security server within the DMZ on HTTPS port 8443 to communicate with remote desktops.

Back-End Firewall Rules

To allow a security server to communicate with each View Connection Server instance that resides within the internal network, the back-end firewall must allow inbound traffic on certain TCP ports. Behind the back-end firewall, internal firewalls must be similarly configured to allow remote desktops applications and View Connection Server instances to communicate with each other. Table 2 summarizes the back-end firewall rules.

Table 2. Back-End Firewall Rules
Source Default Port Protocol Destination Default Port Notes
Security server UDP 500 IPSec Connection Server UDP 500 Security servers negotiate IPSec with View Connection Server instances on UDP port 500.
Connection Server UDP 500 IPSec Security server UDP 500 View Connection Server instances respond to security servers on UDP port 500.
Security Server UDP 4500 NAT-T ISAKMP Connection Server UDP 4500 Required if NAT is used between a security server and its paired View Connection Server instance. Security servers use UDP port 4500 to traverse NATs and negotiate IPsec security.
Connection Server UDP 4500 NAT-T ISAKMP Security server UDP 4500 View Connection Server instances respond to security servers on UDP port 4500 if NAT is used.
Security server TCP Any AJP13 Connection Server TCP 8009 Security servers connect to View Connection Server instances on TCP port 8009 to forward Web traffic from external client devices.

If you enable IPSec, AJP13 traffic does not use TCP port 8009 after pairing. Instead it flows over either NAT-T (UDP port 4500) or ESP.

Security server TCP Any JMS Connection Server TCP 4001 Security servers connect to View Connection Server instances on TCP port 4001 to exchange Java Message Service (JMS) traffic.
Security server TCP Any RDP Remote desktop TCP 3389 Security servers connect to remote desktops on TCP port 3389 to exchange RDP traffic.
Security server TCP Any MMR Remote desktop TCP 9427 Security servers connect to remote desktops on TCP port 9427 to receive MMR traffic.
Security server TCP Any

UDP 55000

PCoIP Remote desktop or application TCP 4172

UDP 4172

Security servers connect to remote desktops and applications on TCP port 4172 and UDP port 4172 to exchange PCoIP traffic.
Remote desktop or application UDP 4172 PCoIP Security server UDP 55000 Remote desktops and applications send PCoIP data back to a security server from UDP port 4172 .

The destination UDP port will be the source port from the received UDP packets and so as this is reply data, it is normally unnecessary to add an explicit firewall rule for this.

Security server TCP Any USB-R Remote desktop TCP 32111 Security servers connect to remote desktops on TCP port 32111 to exchange USB redirection traffic between an external client device and the remote desktop.
Security server TCP Any HTTPS Remote desktop TCP 22443 If you use HTML Access, security servers connect to remote desktops on HTTPS port 22443 to communicate with the Blast agent.
Security server ESP Connection Server Encapsulated AJP13 traffic when NAT traversal is not required. ESP is IP protocol 50. Port numbers are not specified.
Connection Server ESP Security server Encapsulated AJP13 traffic when NAT traversal is not required. ESP is IP protocol 50. Port numbers are not specified.