If your network topology includes a back-end firewall between security servers and Connection Server instances, you must configure certain protocols and ports on the firewall to support IPsec. Without proper configuration, data sent between a security server and Connection Server instance will fail to pass through the firewall.

By default, connections between security servers and Connection Server instances are protected by IPsec. The Connection Server installer can create the matching Windows Firewall rules on the Windows Server hosts where Horizon 7 servers are installed, but it cannot configure a back-end firewall. You must add those rules on the back-end firewall yourself.

Note: VMware strongly recommends that you use IPsec. If you cannot pass IPsec through the back-end firewall, the only alternative is to disable the Horizon Administrator global setting Use IPsec for Security Server Connections, which leaves the traffic between security servers and Connection Server instances without IPsec protection.

The following rules must allow bidirectional traffic. You might have to specify separate rules for inbound and outbound traffic on your firewall.

Different rules apply to firewalls that use network address translation (NAT) and those that do not use NAT.

Table 1. Non-NAT Firewall Requirements to Support IPsec Rules

Source           Protocol  Port     Destination                Notes
Security server  ISAKMP    UDP 500  Horizon Connection Server  Security servers use UDP port 500 to negotiate IPsec security.
Security server  ESP       N/A      Horizon Connection Server  ESP (IP protocol 50) encapsulates the IPsec-encrypted traffic.

You do not have to specify a port for ESP as part of the rule. If necessary, you can specify source and destination IP addresses to reduce the scope of the rule.

The following rules apply to firewalls that use NAT.

Table 2. NAT Firewall Requirements to Support IPsec Rules

Source           Protocol       Port      Destination                Notes
Security server  ISAKMP         UDP 500   Horizon Connection Server  Security servers use UDP port 500 to initiate IPsec security negotiation.
Security server  NAT-T ISAKMP   UDP 4500  Horizon Connection Server  Security servers use UDP port 4500 to traverse NATs and negotiate IPsec security.

With NAT traversal, the ESP packets are carried inside UDP port 4500, so a NAT firewall needs no separate rule for the ESP protocol; the ESP rule in Table 1 applies only to non-NAT firewalls.
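The two tables above, expressed as a back-end firewall configuration, as an added example that is not part of this documentation or of VMware's own tooling. It assumes a Linux firewall running nftables between the DMZ (security servers) and the internal network (Connection Server instances); the addresses (192.0.2.x and 198.51.100.x, documentation ranges), the table name horizon and the count_rules helper are placeholders of this example. In nonat mode it emits the Table 1 rules (ISAKMP on UDP 500 and ESP, IP protocol 50); in nat mode it emits the Table 2 rules (UDP 500 and NAT-T on UDP 4500). In both modes every rule is emitted once per direction, because the firewall must pass this traffic bidirectionally.

```shell
#!/bin/sh
# Added example, not VMware code: render an nftables ruleset for a back-end
# firewall between Horizon security servers and Connection Server instances.
# Addresses and table name are assumed placeholders; substitute your own.
SECURITY_SERVERS="${SECURITY_SERVERS:-192.0.2.10 192.0.2.11}"
CONNECTION_SERVERS="${CONNECTION_SERVERS:-198.51.100.20 198.51.100.21}"

# emit_pair_rules SRC DST MODE
# Prints the rules that let IPsec traffic from SRC reach DST.
#   nonat: ISAKMP on UDP 500 plus the ESP protocol itself (IP protocol 50).
#   nat:   ISAKMP on UDP 500 plus NAT-T on UDP 4500; ESP travels inside the
#          UDP 4500 packets, so no separate ESP rule is emitted.
emit_pair_rules() {
  src=$1; dst=$2; mode=$3
  echo "        ip saddr $src ip daddr $dst udp dport 500 accept"
  case "$mode" in
    nonat) echo "        ip saddr $src ip daddr $dst ip protocol esp accept" ;;
    nat)   echo "        ip saddr $src ip daddr $dst udp dport 4500 accept" ;;
    *)     echo "emit_pair_rules: mode must be nat or nonat" >&2; return 2 ;;
  esac
}

# horizon_ipsec_ruleset MODE
# Prints a complete nftables ruleset (nft -f format) on stdout.  Each
# security server / Connection Server pair gets rules in both directions,
# so the firewall does not depend on connection tracking for the first
# packet of either side's negotiation.
horizon_ipsec_ruleset() {
  mode=$1
  case "$mode" in
    nat|nonat) ;;
    *) echo "usage: horizon_ipsec_ruleset nat|nonat" >&2; return 2 ;;
  esac
  echo "table inet horizon {"
  echo "    chain forward {"
  echo "        type filter hook forward priority filter; policy drop;"
  echo "        ct state established,related accept"
  for ss in $SECURITY_SERVERS; do
    for cs in $CONNECTION_SERVERS; do
      emit_pair_rules "$ss" "$cs" "$mode"   # security server -> Connection Server
      emit_pair_rules "$cs" "$ss" "$mode"   # Connection Server -> security server
    done
  done
  echo "    }"
  echo "}"
}

# count_rules MODE PATTERN
# Number of generated lines matching PATTERN; a quick self-check that the
# ruleset contains (or omits) the rows of the table for the chosen mode.
count_rules() {
  horizon_ipsec_ruleset "$1" | grep -c -- "$2" || true
}
```

Validate the generated text without touching the running firewall with `horizon_ipsec_ruleset nonat | nft -c -f -` (check-only mode), then merge the rules into your existing forward chain rather than loading the example's `policy drop` chain as is. Once the rules are live, confirm on either Windows host that the tunnel actually negotiated with Get-NetIPsecMainModeSA and Get-NetIPsecQuickModeSA; an empty result means the firewall is still blocking one of the rows in the table.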