The Horizon Agent installation program optionally configures Windows Firewall rules on remote desktops and RDS hosts to open the default network ports. Ports are incoming unless otherwise noted.

The agent installation program configures the local firewall rule for inbound RDP connections to match the current RDP port of the host operating system, which is typically 3389.

If you instruct the agent installation program to not enable Remote Desktop support, it does not open ports 3389 and 32111, and you must open these ports manually.

If you change the RDP port number after installation, you must change the associated firewall rules. If you change a default port after installation, you must manually reconfigure Windows Firewall rules to allow access on the updated port. See "Replacing Default Ports for View Services" in the View Installation document.

Windows Firewall rules on the Horizon Agent on RDS hosts show a block of 256 contiguous UDP ports as open for inbound traffic. This block of ports is for VMware Blast Extreme's internal use on the Horizon Agent. A special Microsoft-signed driver on RDS hosts blocks inbound traffic to these ports from external sources. This driver causes Windows Firewall to treat the ports as closed.

If you use a virtual machine template as a desktop source, firewall exceptions carry over to deployed desktops only if the template is a member of the desktop domain. You can use Microsoft group policy settings to manage local firewall exceptions. See the Microsoft Knowledge Base (KB) article 875357 for more information.

Table 1. TCP and UDP Ports Opened During Agent Installation

| Protocol | Ports |
|---|---|
| RDP | TCP port 3389 |
| USB redirection and time zone synchronization | TCP port 32111 |
| MMR (multimedia redirection) and CDR (client drive redirection) | TCP port 9427 |
| | TCP port 4172; UDP port 4172 (bidirectional) |
| VMware Blast Extreme | TCP port 22443; UDP port 22443 (bidirectional). Note: UDP is not used on Linux desktops. |
| HTML Access | TCP port 22443 |
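
The following PowerShell audit is an added example, not part of the VMware documentation or the agent installer. It reads the host's current RDP port from the registry and checks that an enabled inbound Allow rule covers it and each port in Table 1. The labels and the helper name Test-PortInSpec are this example's own.

```powershell
# Added example: audit enabled inbound Allow rules against the ports in Table 1.
# Run in an elevated PowerShell session on the desktop or RDS host.

# Read the current RDP listener port; it may have been changed from 3389.
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpPort = [int](Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

# Expected ports from Table 1. Labels are this script's own; the 4172 row has no name on the page.
$expected = @(
    @{ Label = 'RDP (current listener port)';  Protocol = 'TCP'; Port = $rdpPort }
    @{ Label = 'USB redirection / time zone';  Protocol = 'TCP'; Port = 32111 }
    @{ Label = 'MMR and CDR';                  Protocol = 'TCP'; Port = 9427 }
    @{ Label = 'Table 1, port 4172';           Protocol = 'TCP'; Port = 4172 }
    @{ Label = 'Table 1, port 4172';           Protocol = 'UDP'; Port = 4172 }
    @{ Label = 'Blast Extreme / HTML Access';  Protocol = 'TCP'; Port = 22443 }
    @{ Label = 'Blast Extreme';                Protocol = 'UDP'; Port = 22443 }
)

# True when a port filter's LocalPort list ('Any', '3389', '5000-5010', ...) covers $Port.
function Test-PortInSpec {
    param([string[]]$Spec, [int]$Port)
    foreach ($item in $Spec) {
        if ($item -eq 'Any') { return $true }
        if ($item -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($item -match '^\d+$' -and [int]$item -eq $Port) { return $true }
    }
    return $false
}

# Resolve each enabled inbound Allow rule to its protocol and local ports once.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $f = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{ Name = $_.DisplayName; Protocol = $f.Protocol; LocalPort = @($f.LocalPort) }
}

# One report row per expected port, listing the rules that cover it.
$report = foreach ($e in $expected) {
    $hits = @($rules | Where-Object {
        ($_.Protocol -eq $e.Protocol -or $_.Protocol -eq 'Any') -and
        (Test-PortInSpec -Spec $_.LocalPort -Port $e.Port)
    })
    [pscustomobject]@{
        Service = $e.Label; Protocol = $e.Protocol; Port = $e.Port
        Status  = if ($hits.Count) { 'Allowed' } else { 'NO RULE' }
        Rules   = ($hits.Name | Select-Object -Unique) -join '; '
    }
}
$report | Format-Table -AutoSize
```

The check matches on protocol and local port only; it does not evaluate profile, program, or remote-address scoping. Get-NetFirewallRule reads the local persistent store by default, so add `-PolicyStore ActiveStore` to include rules delivered by Group Policy.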