Horizon 7 uses TCP and UDP ports for network access between its components.
During installation, Horizon 7 can optionally configure Windows firewall rules to open the ports that are used by default. If you change the default ports after installation, you must manually reconfigure Windows firewall rules to allow access on the updated ports. See "Replacing Default Ports for Horizon 7 Services" in the Horizon 7 Installation document.
For a list of ports that Horizon 7 uses for a certificate login associated with the TrueSSO solution, see Horizon 7 TrueSSO Ports.
| Source | Port | Target | Port | Protocol | Description |
|---|---|---|---|---|---|
| Security server, Connection Server, or Unified Access Gateway appliance | 55000 | Horizon Agent | 4172 | UDP | PCoIP (not SALSA20) if PCoIP Secure Gateway is used. |
| Security server, Connection Server, or Unified Access Gateway appliance | 4172 | Horizon Client | * | UDP | PCoIP (not SALSA20) if PCoIP Secure Gateway is used.
Note: Because the target port varies, see the note below this table.
|
| Security server | 500 | Connection Server | 500 | UDP | IPsec negotiation traffic. |
| Security server | * | Connection Server | 4001 | TCP | JMS traffic. |
| Security server | * | Connection Server | 4002 | TCP | JMS SSL traffic. |
| Security server | * | Connection Server | 8009 | TCP | AJP13-forwarded Web traffic, if not using IPsec. |
| Security server | * | Connection Server | * | ESP | AJP13-forwarded Web traffic, when using IPsec without NAT. |
| Security server | 4500 | Connection Server | 4500 | UDP | AJP13-forwarded Web traffic, when using IPsec through a NAT device. |
| Security server, Connection Server, or Unified Access Gateway appliance | * | Horizon Agent | 3389 | TCP | Microsoft RDP traffic to Horizon 7 desktops when tunnel connections are used. |
| Security server, Connection Server, or Unified Access Gateway appliance | * | Horizon Agent | 9427 | TCP | Windows Media MMR redirection and client drive redirection when tunnel connections are used. |
| Security server, Connection Server, or Unified Access Gateway appliance | * | Horizon Agent | 32111 | TCP | USB redirection and time zone synchronization when tunnel connections are used. |
| Security server, Connection Server, or Unified Access Gateway appliance | * | Horizon Agent | 4172 | TCP | PCoIP if PCoIP Secure Gateway is used. |
| Security server, Connection Server, or Unified Access Gateway appliance | * | Horizon Agent | 22443 | TCP | VMware Blast Extreme if Blast Secure Gateway is used. |
| Security server, Connection Server, or Unified Access Gateway appliance | * | Horizon Agent | 22443 | TCP | HTML Access if Blast Secure Gateway is used. |
| Horizon Agent | 4172 | Horizon Client | * | UDP | PCoIP, if PCoIP Secure Gateway is not used.
Note: Because the target port varies, see the note below this table.
|
| Horizon Agent | 4172 | Connection Server, security server, or Unified Access Gateway appliance | 55000 | UDP | PCoIP (not SALSA20) if PCoIP Secure Gateway is used. |
| Horizon Agent | 4172 | Unified Access Gateway appliance | * | UDP | PCoIP. Horizon 7 desktops and applications send PCoIP data back to an Unified Access Gateway appliance from UDP port 4172 . The destination UDP port will be the source port from the received UDP packets and so as this is reply data, it is normally unnecessary to add an explicit firewall rule for this. |
| Horizon Agent (unmanaged) | * | Connection server instance | 389 | TCP | AD LDS access during unmanaged agent installation.
Note: For other uses of this port, see the note below this table.
|
| Horizon Client | * | Connection Server or security server or Unified Access Gateway appliance | 80 | TCP | TLS (HTTPS access) is enabled by default for client connections, but port 80 (HTTP access) can be used in certain cases. See HTTP Redirection in Horizon 7. |
| Horizon Client | * | Connection Server, security server, or Unified Access Gateway appliance | 443 | TCP | HTTPS for logging in to Horizon 7. (This port is also used for tunnelling when tunnel connections are used.) |
| Horizon Client | * | Connection Server or security server or Unified Access Gateway appliance | 4172 | TCP and UDP | PCoIP if PCoIP Secure Gateway is used. |
| Horizon Client | * | Horizon Agent | 3389 | TCP | Microsoft RDP traffic to Horizon 7 desktops if direct connections are used instead of tunnel connections. |
| Horizon Client | * | Horizon Agent | 9427 | TCP | Windows Media MMR redirection and client drive redirection, if direct connections are used instead of tunnel connections. |
| Horizon Client | * | Horizon Agent | 32111 | TCP | USB redirection and time zone synchronization if direct connections are used instead of tunnel connections. |
| Horizon Client | * | Horizon Agent | 4172 | TCP and UDP | PCoIP if PCoIP Secure Gateway is not used.
Note: Because the source port varies, see the note below this table.
|
| Horizon Client | * | Horizon Agent | 22443 | TCP and UDP | VMware Blast |
| Horizon Client | * | Connection Server, security server, or Unified Access Gateway appliance | 4172 | TCP and UDP | PCoIP (not SALSA20) if PCoIP Secure Gateway is used.
Note: Because the source port varies, see the note below this table.
|
| Web Browser | * | Security server or Unified Access Gateway appliance | 8443 | TCP | HTML Access. |
| Connection Server | * | Connection Server | 48080 | TCP | For internal communication between Connection Server components. |
| Connection Server | * | vCenter Server or View Composer | 80 | TCP | SOAP messages if TLS is disabled for access to vCenter Servers or View Composer. |
| Connection Server | * | vCenter Server | 443 | TCP | SOAP messages if TLS is enabled for access to vCenter Servers. |
| Connection Server | * | View Composer | 18443 | TCP | SOAP messages if TLS is enabled for access to View Composer. |
| Connection Server | * | Connection Server | 4100 | TCP | JMS inter-router traffic. |
| Connection Server | * | Connection Server | 4101 | TCP | JMS TLS inter-router traffic. |
| Connection Server | * | Connection Server | 8472 | TCP | For interpod communication in Cloud Pod Architecture. |
| Connection Server | * | Connection Server | 22389 | TCP | For global LDAP replication in Cloud Pod Architecture. |
| Connection Server | * | Connection Server | 22636 | TCP | For secure global LDAP replication in Cloud Pod Architecture. |
| Connection Server | * | Connection Server | 32111 | TCP | Key sharing traffic. |
| Connection Server | * | Certificate Authority | * | HTTP, HTTPS | CRL or OCSP queries |
| Unified Access Gateway appliance | * | Connection Server or load balancer | 443 | TCP | HTTPS access. Unified Access Gateway appliances connect on TCP port 443 to communicate with a Connection Server instance or load balancer in front of multiple Connection Server instances. |
| View Composer service | * | ESXi host | 902 | TCP | Used when View Composer customizes linked-clone disks, including View Composer internal disks and, if they are specified, persistent disks and system disposable disks. |
Note: The UDP port number that clients use for PCoIP might change. If port 50002 is in use, the client will pick 50003. If port 50003 is in use, the client will pick port 50004, and so on. You must configure firewalls with
ANY where an asterisk (*) is listed in the table.
Note: Microsoft Windows Server requires a dynamic range of ports to be open between all Connection Servers in the
Horizon 7 environment. These ports are required by Microsoft Windows for the normal operation of Remote Procedure Call (RPC) and Active Directory replication. For more information about the dynamic range of ports, see the Microsoft Windows Server documentation.
Note: On a Connection Server instance, port 389 is accessible for infrequent, ad hoc connections. It is accessed when installing an unmanaged agent as shown in the table, and also when using an LDAP editor to directly edit the database, and when issuing commands using a tool such as repadmin. A firewall rule is created for these purposes when AD LDS is installed, but it can be disabled if access to the port is not required.
Note: VMware Blast Extreme Adaptive Transport reserves some ports starting from ephemeral port range 49152-65535, by default. See the Knowledge Base article
52558.
