DMZ-based security servers require certain firewall rules on the front-end and back-end firewalls. During installation, Horizon 7 services are set up to listen on certain network ports by default. If necessary, to comply with organization policies or to avoid contention, you can change which port numbers are used.
Front-End Firewall Rules
To allow external client devices to connect to a security server within the DMZ, the front-end firewall must allow traffic on certain TCP and UDP ports. Front-End Firewall Rules summarizes the front-end firewall rules.
Source | Default Port | Protocol | Destination | Default Port | Notes |
---|---|---|---|---|---|
Horizon Client | TCP Any | HTTP | Security Server | TCP 80 | (Optional) External client devices connect to a security server within the DMZ on TCP port 80 and are automatically directed to HTTPS. For information about the security considerations related to letting users connect with HTTP rather than HTTPS, see the Horizon 7 Security guide. |
Horizon Client | TCP Any | HTTPS | Security server | TCP 443 | External client devices connect to a security server within the DMZ on TCP port 443 to communicate with a Connection Server instance and remote desktops and applications. |
Horizon Client | TCP Any UDP Any |
PCoIP | Security server | TCP 4172 UDP 4172 |
External client devices connect to a security server within the DMZ on TCP port 4172 and UDP port 4172 to communicate with a remote desktop or application over PCoIP. |
Security Server | UDP 4172 | PCoIP | Horizon Client | UDP Any | Security servers send PCoIP data back to an external client device from UDP port 4172. The destination UDP port is the source port from the received UDP packets. Because these packets contain reply data, it is normally unnecessary to add an explicit firewall rule for this traffic. |
Horizon Client or Client Web browser | TCP Any | HTTPS | Security server | TCP 8443 UDP 8443 |
External client devices and external Web clients ( HTML Access) connect to a security server within the DMZ on HTTPS port 8443 to communicate with remote desktops. |
Back-End Firewall Rules
To allow a security server to communicate with each View Connection Server instance that resides within the internal network, the back-end firewall must allow inbound traffic on certain TCP ports. Behind the back-end firewall, internal firewalls must be similarly configured to allow remote desktops applications and Connection Server instances to communicate with each other. Back-End Firewall Rules summarizes the back-end firewall rules.
Source | Default Port | Protocol | Destination | Default Port | Notes |
---|---|---|---|---|---|
Security server | UDP 500 | IPSec | Connection Server | UDP 500 | Security servers negotiate IPSec with Connection Server instances on UDP port 500. |
Connection Server | UDP 500 | IPSec | Security server | UDP 500 | Connection Server instances respond to security servers on UDP port 500. |
Security Server | UDP 4500 | NAT-T ISAKMP | Connection Server | UDP 4500 | Required if NAT is used between a security server and its paired Connection Server instance. Security servers use UDP port 4500 to traverse NATs and negotiate IPsec security. |
Connection Server | UDP 4500 | NAT-T ISAKMP | Security server | UDP 4500 | Connection Server instances respond to security servers on UDP port 4500 if NAT is used. |
Security server | TCP Any | AJP13 | Connection Server | TCP 8009 | Security servers connect to Connection Server instances on TCP port 8009 to forward Web traffic from external client devices. If you enable IPSec, AJP13 traffic does not use TCP port 8009 after pairing. Instead it flows over either NAT-T (UDP port 4500) or ESP. |
Security server | TCP Any | JMS | Connection Server | TCP 4001 | Security servers connect to Connection Server instances on TCP port 4001 to exchange Java Message Service (JMS) traffic. |
Security server | TCP Any | JMS | Connection Server | TCP 4002 | Security servers connect to Connection Server instances on TCP port 4002 to exchange secure Java Message Service (JMS) traffic. |
Security server | TCP Any | RDP | Remote desktop | TCP 3389 | Security servers connect to remote desktops on TCP port 3389 to exchange RDP traffic. |
Security server | TCP Any | MMR | Remote desktop | TCP 9427 | Security servers connect to remote desktops on TCP port 9427 to receive traffic relating to multimedia redirection (MMR) and client drive redirection. |
Security server | TCP Any UDP 55000 |
PCoIP | Remote desktop or application | TCP 4172 UDP 4172 |
Security servers connect to remote desktops and applications on TCP port 4172 and UDP port 4172 to exchange PCoIP traffic. |
Remote desktop or application | UDP 4172 | PCoIP | Security server | UDP 55000 | Remote desktops and applications send PCoIP data back to a security server from UDP port 4172 . The destination UDP port will be the source port from the received UDP packets and so as this is reply data, it is normally unnecessary to add an explicit firewall rule for this. |
Security server | TCP Any | USB-R | Remote desktop | TCP 32111 | Security servers connect to remote desktops on TCP port 32111 to exchange USB redirection traffic between an external client device and the remote desktop. |
Security server | TCP or UDP Any | Blast Extreme | Remote desktop or application | TCP or UDP 22443 | Security servers connect to remote desktops and applications on TCP and UDP port 22443 to exchange Blast Extreme traffic. |
Security server | TCP Any | HTTPS | Remote desktop | TCP 22443 | If you use HTML Access, security servers connect to remote desktops on HTTPS port 22443 to communicate with the Blast Extreme agent. |
Security server | ESP | Connection Server | Encapsulated AJP13 traffic when NAT traversal is not required. ESP is IP protocol 50. Port numbers are not specified. | ||
Connection Server | ESP | Security server | Encapsulated AJP13 traffic when NAT traversal is not required. ESP is IP protocol 50. Port numbers are not specified. |